AWS Secrets Manager and K8s: container with envVar referencing secret.secretName="secret" is not allowed because service account does not reference that secret

Question   Votes: 0   Answers: 1

I am trying to retrieve a secret from AWS Secrets Manager inside my EKS cluster. I followed the steps outlined in eksworkshop_secret_manager. However, after the secret has been written into the pod through the CSI driver, I run into a problem passing it as an environment variable, which produces the following error:

pods "domain-74bf89c79-" is forbidden: container domain-container with envVar DB_CONNECTION_USERNAME referencing secret.secretName="dbsecret" is not allowed because service account secret-manager-sa does not reference that secret

Deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  name: domain
  namespace: dev
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: domain
  template:
    metadata:
      labels:
        app.kubernetes.io/name: domain
    spec:
      serviceAccountName: secret-manager-sa
      volumes:
        - name: secrets-store-inline
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: "secret-manager-provider"
      containers:
        - name: domain-container
          image: 1234567890.dkr.ecr.eu-south-1.amazonaws.com/domain:latest
          ports:
            - name: domain-port
              containerPort: 8080
          env:
            - name: DB_CONNECTION_USERNAME
              valueFrom:
                secretKeyRef:
                  name: dbsecret
                  key: dbusername
            - name: DB_CONNECTION_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: dbsecret
                  key: dbpassword
          volumeMounts:
            - name: secrets-store-inline
              mountPath: "/mnt/secrets-store-inline"
              readOnly: true

secretProviderClass

apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: secret-manager-provider
  namespace: dev
spec:
  provider: aws
  parameters:
    objects: |
      - objectName: "arn:aws:secretsmanager:eu-south-1:1234567890:secret:rds!db-123455566-444"
        objectType: "secretsmanager"
        jmesPath:
          - path: username
            objectAlias: dbusername
          - path: password
            objectAlias: dbpassword
  secretObjects:
    - secretName: dbsecret
      type: Opaque
      data:
        - objectName: dbusername
          key: dbusername
        - objectName: dbpassword
          key: dbpassword

Service account

apiVersion: v1
kind: ServiceAccount
metadata:
  name: secret-manager-sa
  namespace: dev
  annotations:
    eks.amazonaws.com/role-arn: "arn:aws:iam::1234567890:role/dev-secret-sa-role"
    kubernetes.io/enforce-mountable-secrets: "true"

$ kubectl get secrets
NAME                                      TYPE                 DATA   AGE
dbsecret                                  Opaque               2      17h
sh.helm.release.v1.csi-secrets-store.v1   helm.sh/release.v1   1      17h
Tags: kubernetes yaml environment-variables aws-secrets-manager k8s-serviceaccount

1 Answer

Votes: 0

I solved it by adding the secret to the service account:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: secret-manager-sa
  namespace: dev
  annotations:
    eks.amazonaws.com/role-arn: "arn:aws:iam::1234567890:role/dev-secret-sa-role"
    kubernetes.io/enforce-mountable-secrets: "true"
secrets:
  - name: dbsecret
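Why the answer's fix works, as an added example that is not part of the question or the answer: the error comes from the ServiceAccount admission plugin in kube-apiserver. When a ServiceAccount carries the annotation kubernetes.io/enforce-mountable-secrets: "true", the apiserver rejects any pod using that account whose secret references (secret volumes, env secretKeyRef, envFrom secretRef, on containers and initContainers) name a Secret that is not listed under the account's .secrets, and whose imagePullSecrets are not listed under its .imagePullSecrets. CSI volumes are not inspected, which is why the mount at /mnt/secrets-store-inline worked while the secretKeyRef was refused. The script below re-implements that check as a pre-flight test over the question's manifests, embedded as Python dicts so it runs offline; the function names, the message wording and the dict form of the manifests are this example's own, not the apiserver's code.

```python
import copy

# Annotation that switches the apiserver's mountable-secrets check on.
ENFORCE_ANNOTATION = "kubernetes.io/enforce-mountable-secrets"

# Pod template spec from the question's Deployment, as a constructed dict.
POD_SPEC = {
    "serviceAccountName": "secret-manager-sa",
    "volumes": [
        {"name": "secrets-store-inline",
         "csi": {"driver": "secrets-store.csi.k8s.io", "readOnly": True,
                 "volumeAttributes": {"secretProviderClass": "secret-manager-provider"}}},
    ],
    "containers": [
        {"name": "domain-container",
         "env": [
             {"name": "DB_CONNECTION_USERNAME",
              "valueFrom": {"secretKeyRef": {"name": "dbsecret", "key": "dbusername"}}},
             {"name": "DB_CONNECTION_PASSWORD",
              "valueFrom": {"secretKeyRef": {"name": "dbsecret", "key": "dbpassword"}}},
         ]},
    ],
}

# ServiceAccount as in the question: annotation set, but no .secrets list.
SA_BEFORE = {
    "metadata": {"name": "secret-manager-sa", "namespace": "dev",
                 "annotations": {ENFORCE_ANNOTATION: "true"}},
}


def referenced_secrets(pod_spec):
    """Return (description, secretName) pairs for every place the admission
    plugin inspects.  CSI volumes are deliberately skipped, matching the
    apiserver behaviour the question ran into."""
    refs = []
    for vol in pod_spec.get("volumes", []):
        if "secret" in vol:
            refs.append((f"volume {vol['name']}", vol["secret"]["secretName"]))
    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    for c in containers:
        for env in c.get("env", []):
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                refs.append((f"container {c['name']} with envVar {env['name']}", ref["name"]))
        for src in c.get("envFrom", []):
            if "secretRef" in src:
                refs.append((f"container {c['name']} with envFrom", src["secretRef"]["name"]))
    return refs


def check_mountable_secrets(pod_spec, sa):
    """Return the list of violations the apiserver would raise for this pod
    under this ServiceAccount; an empty list means admission passes."""
    annotations = sa.get("metadata", {}).get("annotations", {})
    if annotations.get(ENFORCE_ANNOTATION) != "true":
        return []  # check is off unless the annotation is exactly "true"
    sa_name = sa["metadata"]["name"]
    allowed = {s["name"] for s in sa.get("secrets", [])}
    allowed_pull = {s["name"] for s in sa.get("imagePullSecrets", [])}
    violations = []
    for where, name in referenced_secrets(pod_spec):
        if name not in allowed:
            violations.append(
                f'{where} referencing secret.secretName="{name}" is not allowed '
                f"because service account {sa_name} does not reference that secret")
    for ips in pod_spec.get("imagePullSecrets", []):
        if ips["name"] not in allowed_pull:
            violations.append(
                f'imagePullSecret "{ips["name"]}" is not allowed because service '
                f"account {sa_name} does not list it under .imagePullSecrets")
    return violations


def add_mountable_secrets(sa, pod_spec):
    """Return a copy of the ServiceAccount listing every Secret the pod
    references under .secrets, i.e. the fix the answer applied by hand."""
    fixed = copy.deepcopy(sa)
    fixed.setdefault("secrets", [])
    present = {s["name"] for s in fixed["secrets"]}
    for _, name in referenced_secrets(pod_spec):
        if name not in present:
            fixed["secrets"].append({"name": name})
            present.add(name)
    return fixed


if __name__ == "__main__":
    for v in check_mountable_secrets(POD_SPEC, SA_BEFORE):
        print("REJECT:", v)
    fixed_sa = add_mountable_secrets(SA_BEFORE, POD_SPEC)
    print("after adding .secrets:", check_mountable_secrets(POD_SPEC, fixed_sa) or "admitted")
```

Run against the question's manifests the check reports both DB_CONNECTION_* references, and after add_mountable_secrets has appended dbsecret to .secrets it reports nothing, which is exactly the state the accepted answer reaches. Keeping the annotation and listing the secret explicitly is the least-privilege option: dropping the annotation instead would let any pod under that ServiceAccount read every Secret in the namespace.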