Integrating Vault with K8S is a common practice that helps us manage sensitive data and keys more securely. In this article I will show you how to integrate HashiCorp Vault into a Kubernetes (K8S) cluster, with code examples to walk you through the process.

First, let's look at the overall flow of integrating Vault with K8S. The steps are:

| Step | Description |
| ---- | ----------- |
| 1 | Install and configure the Vault server |
| 2 | Create a ServiceAccount and ClusterRoleBinding in the K8S cluster |
| 3 | Deploy the Vault Agent sidecar container |
| 4 | Configure Pods in K8S to consume the secrets provided by Vault |

Next, we go through what each step requires and the corresponding code:

**Step 1: Install and configure the Vault server**

First, install and configure the Vault server in the K8S cluster. Note that after the Helm chart is installed the server must be initialised and unsealed (`vault operator init` / `vault operator unseal`) before it accepts the configuration commands below. The steps are:

1. Install the Vault server:
```shell
$ helm repo add hashicorp https://helm.releases.hashicorp.com
$ helm install vault hashicorp/vault
```

2. Configure the Vault server:
```shell
# Enable the Kubernetes auth method
$ kubectl exec -it vault-0 -- vault auth enable kubernetes
# Point the auth method at the cluster API (Vault runs in-cluster, so it authenticates TokenReview calls with its own Pod's service-account token)
$ kubectl exec -it vault-0 -- sh -c 'vault write auth/kubernetes/config kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"'
# Create the role the agent config refers to (my-role), bound to the vault-auth ServiceAccount created in Step 2
$ kubectl exec -it vault-0 -- vault write auth/kubernetes/role/my-role bound_service_account_names=vault-auth bound_service_account_namespaces=default policies=default ttl=1h
```

**Step 2: Create a ServiceAccount and ClusterRoleBinding in the K8S cluster**

Create a ServiceAccount and ClusterRoleBinding in the K8S cluster that authorize Pods to access Vault. The steps are:

1. Create the ServiceAccount and ClusterRoleBinding:
```yaml
# serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: vault-auth
  namespace: default
---
# clusterrolebinding.yaml
# system:auth-delegator allows the bound ServiceAccount's token to be used for TokenReview calls
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: vault-auth
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: vault-auth
  namespace: default
```

2. Apply the ServiceAccount and ClusterRoleBinding:
```shell
$ kubectl apply -f serviceaccount.yaml
$ kubectl apply -f clusterrolebinding.yaml
```

**Step 3: Deploy the Vault Agent sidecar container**

Next, we deploy a Vault Agent container in the Pod so that the Pod can access Vault. The manifests below run it as an init container that logs in to Vault once, writes the resulting token into a shared volume, and exits before the application container starts. The steps are:

1. Create a ConfigMap holding the Vault Agent configuration:
```yaml
# agent-config.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: vault-agent-config
data:
  vault-agent-config.hcl: |
    vault {
      address = "http://vault:8200"
    }

    # Run once: log in, write the token to the sink, then exit so the init container completes
    exit_after_auth = true

    auto_auth {
      method "kubernetes" {
        mount_path = "auth/kubernetes"
        config = {
          role = "my-role"
        }
      }

      # auto_auth needs somewhere to deliver the token; the app reads it from the shared volume
      sink "file" {
        config = {
          path = "/vault/secrets/token"
        }
      }
    }
```
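To show what the agent's `auto_auth` block does on the wire, here is an added example (not code from the original post or from HashiCorp) that performs the same Kubernetes login and then reads a KV v2 secret with the issued token. It assumes the role `my-role` and Vault address from the config above, a KV v2 engine mounted at `secret/` with a secret at `secret/my-app/config` (both assumptions), and the standard projected service-account token path inside the Pod.

```python
import json
import urllib.error
import urllib.request

# Constructed defaults matching the manifests above: the in-cluster Vault address
# and the standard projected service-account token path inside a Pod.
VAULT_ADDR = "http://vault:8200"
SA_TOKEN_FILE = "/var/run/secrets/kubernetes.io/serviceaccount/token"


def _call(method, url, body=None, token=None, opener=urllib.request.urlopen):
    """Issue one Vault HTTP API request and return the decoded JSON reply."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)
    try:
        with opener(req) as resp:
            return json.loads(resp.read().decode())
    except urllib.error.HTTPError as err:
        # Vault returns a JSON body of the form {"errors": [...]} on 4xx/5xx
        return json.loads(err.read().decode())


def kubernetes_login(jwt, role, vault_addr=VAULT_ADDR, mount="kubernetes",
                     opener=urllib.request.urlopen):
    """Exchange the Pod's service-account JWT for a Vault token, exactly as the
    agent's auto_auth "kubernetes" method does. Returns (client_token, lease_duration)."""
    reply = _call("POST", f"{vault_addr}/v1/auth/{mount}/login",
                  {"role": role, "jwt": jwt}, opener=opener)
    auth = reply.get("auth") or {}
    if "client_token" not in auth:
        raise RuntimeError(f"Kubernetes login failed: {reply.get('errors')}")
    return auth["client_token"], auth.get("lease_duration", 0)


def read_kv_secret(token, path, vault_addr=VAULT_ADDR, mount="secret",
                   opener=urllib.request.urlopen):
    """Read a KV v2 secret with the issued token; returns its key/value dict."""
    reply = _call("GET", f"{vault_addr}/v1/{mount}/data/{path}", token=token,
                  opener=opener)
    return reply["data"]["data"]


if __name__ == "__main__":
    # Inside a Pod running as the vault-auth ServiceAccount: log in as my-role,
    # then read the (assumed) secret at secret/my-app/config.
    with open(SA_TOKEN_FILE) as f:
        client_token, ttl = kubernetes_login(f.read().strip(), "my-role")
    print(f"token valid for {ttl}s, secret:", read_kv_secret(client_token, "my-app/config"))
```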

2. Deploy the Vault Agent container alongside the application:
```yaml
# app-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      serviceAccountName: vault-auth
      volumes:
      - name: vault-agent-config
        configMap:
          name: vault-agent-config
      - name: kv
        emptyDir: {}
      initContainers:
      - name: vault-agent
        # The agent ships in the hashicorp/vault image; hashicorp/vault-k8s is the injector webhook, not the agent
        image: hashicorp/vault
        command: ["vault", "agent", "-config=/vault/config/vault-agent-config.hcl"]
        env:
        - name: VAULT_ADDR
          value: "http://vault:8200"
        volumeMounts:
        - name: vault-agent-config   # the HCL from the ConfigMap
          mountPath: /vault/config
          readOnly: true
        - name: kv                   # the sink path /vault/secrets/token lives here
          mountPath: /vault/secrets
      containers:
      - name: my-app
        image: my-image
        ports:
        - containerPort: 80
        volumeMounts:
        - name: kv                   # the app reads what the agent wrote
          mountPath: /vault/secrets
          readOnly: true
```

**Step 4: Configure Pods in K8S to consume the secrets provided by Vault**

Finally, we configure the Pod so that it can use the secrets provided by Vault. The steps are:

1. Reference the Vault-provided secret in the Pod:
```yaml
# app-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
      - name: my-app
        image: my-image
        ports:
        - containerPort: 80
        env:
        - name: MY_SECRET
          valueFrom:
            secretKeyRef:
              # my-secret is a Kubernetes Secret that must be populated from Vault
              # beforehand; the agent only writes files into its volume, it does not create Secret objects
              name: my-secret
              key: username
```

That covers the detailed steps and code for integrating Vault with K8S. I hope this helps you complete the integration and deepen your understanding of K8S and Vault. Happy learning!