I am trying to retrieve a secret from AWS Secrets Manager inside my EKS cluster. I followed the steps outlined in eksworkshop_secret_manager. However, after the CSI driver writes the secret into the pod, I run into a problem passing it as an environment variable, which produces the following error:

```
pods "domain-74bf89c79-" is forbidden: container domain-container using envVar DB_CONNECTION_USERNAME referencing secret.secretName="dbsecret" is not allowed because service account secret-manager-sa does not reference that secret
```
Deployment

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: domain
  namespace: dev
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: domain
  template:
    metadata:
      labels:
        app.kubernetes.io/name: domain
    spec:
      serviceAccountName: secret-manager-sa
      volumes:
        - name: secrets-store-inline
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: "secret-manager-provider"
      containers:
        - name: domain-container
          image: 1234567890.dkr.ecr.eu-south-1.amazonaws.com/domain:latest
          ports:
            - name: domain-port
              containerPort: 8080
          env:
            - name: DB_CONNECTION_USERNAME
              valueFrom:
                secretKeyRef:
                  name: dbsecret
                  key: dbusername
            - name: DB_CONNECTION_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: dbsecret
                  key: dbpassword
          volumeMounts:
            - name: secrets-store-inline
              mountPath: "/mnt/secrets-store-inline"
              readOnly: true
```
SecretProviderClass

```yaml
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: secret-manager-provider
  namespace: dev
spec:
  provider: aws
  parameters:
    objects: |
      - objectName: "arn:aws:secretsmanager:eu-south-1:1234567890:secret:rds!db-123455566-444"
        objectType: "secretsmanager"
        jmesPath:
          - path: username
            objectAlias: dbusername
          - path: password
            objectAlias: dbpassword
  secretObjects:
    - secretName: dbsecret
      type: Opaque
      data:
        - objectName: dbusername
          key: dbusername
        - objectName: dbpassword
          key: dbpassword
```
Service account

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: secret-manager-sa
  namespace: dev
  annotations:
    eks.amazonaws.com/role-arn: "arn:aws:iam::1234567890:role/dev-secret-sa-role"
    kubernetes.io/enforce-mountable-secrets: "true"
```

```
$ kubectl get secrets
NAME                                      TYPE                 DATA   AGE
dbsecret                                  Opaque               2      17h
sh.helm.release.v1.csi-secrets-store.v1   helm.sh/release.v1   1      17h
```
I solved it by adding the secret to the service account:

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: secret-manager-sa
  namespace: dev
  annotations:
    eks.amazonaws.com/role-arn: "arn:aws:iam::1234567890:role/dev-secret-sa-role"
    kubernetes.io/enforce-mountable-secrets: "true"
secrets:
  - name: dbsecret
```
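The error comes from the ServiceAccount admission plugin: with `kubernetes.io/enforce-mountable-secrets: "true"`, every Secret a pod references (env `secretKeyRef`, `envFrom.secretRef`, Secret volumes, `imagePullSecrets`) must be listed under the ServiceAccount's `secrets`; the CSI volume itself is not a Secret volume, so only the env references trip the check. The following is an added example, not code from the question or the answer, that re-implements that check over dicts shaped like the manifests above so a manifest can be validated before `kubectl apply`; the inputs are constructed from this page and trimmed to the fields the check reads.

```python
# Added example: reproduce the enforce-mountable-secrets admission check offline.
ENFORCE_ANNOTATION = "kubernetes.io/enforce-mountable-secrets"


def referenced_secrets(pod_spec):
    """Return the Secret names a pod spec references through env, envFrom,
    Secret volumes and imagePullSecrets. A CSI volume (secrets-store.csi.k8s.io)
    is not a Secret volume and is deliberately not counted."""
    names = set()
    for vol in pod_spec.get("volumes", []):
        if "secret" in vol:
            names.add(vol["secret"]["secretName"])
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        for e in c.get("env", []):
            ref = e.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                names.add(ref["name"])
        for ef in c.get("envFrom", []):
            if "secretRef" in ef:
                names.add(ef["secretRef"]["name"])
    for ips in pod_spec.get("imagePullSecrets", []):
        names.add(ips["name"])
    return names


def unmountable_secrets(service_account, pod_spec):
    """Secrets the pod references that the ServiceAccount does not list.
    An empty set means admission would pass; nothing is enforced unless the
    annotation is exactly the string "true"."""
    ann = service_account.get("metadata", {}).get("annotations", {})
    if ann.get(ENFORCE_ANNOTATION) != "true":
        return set()
    allowed = {s["name"] for s in service_account.get("secrets", [])}
    return referenced_secrets(pod_spec) - allowed


# Constructed inputs mirroring the page's manifests, before and after the fix.
SA_BEFORE = {"metadata": {"name": "secret-manager-sa",
                          "annotations": {ENFORCE_ANNOTATION: "true"}}}
SA_AFTER = dict(SA_BEFORE, secrets=[{"name": "dbsecret"}])
POD_SPEC = {
    "serviceAccountName": "secret-manager-sa",
    "volumes": [{"name": "secrets-store-inline",
                 "csi": {"driver": "secrets-store.csi.k8s.io"}}],
    "containers": [{"name": "domain-container", "env": [
        {"name": "DB_CONNECTION_USERNAME",
         "valueFrom": {"secretKeyRef": {"name": "dbsecret", "key": "dbusername"}}}]}],
}

if __name__ == "__main__":
    print("before fix:", unmountable_secrets(SA_BEFORE, POD_SPEC))  # {'dbsecret'}
    print("after fix:", unmountable_secrets(SA_AFTER, POD_SPEC))    # set()
```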