nase

Commits

List of commits on branch master (all unverified):

  • 2fad6b444e34e7b60e0bc1a9cca6f3c931b40d2a: "implements MVP of deploy/pods webhook" (mmhausenblas committed 5 years ago)
  • 9dda7d482fe35e5369246a761cb7f56d347ee6b9: "fixes build for good" (mmhausenblas committed 5 years ago)
  • 1188b62e2c64c078b807c064d869c4971f984efa: "preps pods webhook" (mmhausenblas committed 5 years ago)
  • c483fa46afa72bf9e5f1741ebfce65c9f97f8ca8: "fixes SAM template" (mmhausenblas committed 5 years ago)
  • 1b0a7502d8435f38a0b2ebe9dbb3a36025e452f8: "fixes docs" (mmhausenblas committed 5 years ago)
  • 6e4d3cbb4626088a8f756969e06afe9beb88d03a: "fixes pods webhook" (mmhausenblas committed 5 years ago)

README


Native Secrets

This repo is a proof-of-concept (PoC) showing how native Kubernetes secrets can be backed by AWS Secrets Manager. The basic idea of the PoC is to use an extension point of the Kubernetes API server called dynamic admission control: when a user creates a secret, a mutating webhook (implemented as an AWS Lambda function) intercepts the request before the payload is persisted into etcd and replaces the secret value with the ARN of a secret managed by AWS Secrets Manager.

Installation

In order to build and deploy the service, clone this repo and make sure you've got the following available, locally:

  • The aws CLI
  • The SAM CLI
  • Go 1.12 or above
  • A Kubernetes 1.14 (or above) cluster, with kubectl configured locally

Additionally, I recommend that you have jq installed.

First, prepare the S3 bucket for the Lambda function that provides the webhook (make sure you pick a different name for the WEBHOOK_BUCKET environment variable, since S3 bucket names must be globally unique):

export WEBHOOK_BUCKET=nase-webhook

aws s3api create-bucket \
          --bucket $WEBHOOK_BUCKET \
          --create-bucket-configuration LocationConstraint=$(aws configure get region) \
          --region $(aws configure get region)

Now, to install the webhook, execute:

make deploy

To verify that all went well, compare your own output with the output of the following command:

$ kubectl describe mutatingwebhookconfigurations/nase
Name:         nase
Namespace:
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"admissionregistration.k8s.io/v1beta1","kind":"MutatingWebhookConfiguration","metadata":{"annotations":{},"name":"nase"},"we...
API Version:  admissionregistration.k8s.io/v1beta1
Kind:         MutatingWebhookConfiguration
Metadata:
  Creation Timestamp:  2019-12-12T10:36:57Z
  Generation:          1
  Resource Version:    2394053
  Self Link:           /apis/admissionregistration.k8s.io/v1beta1/mutatingwebhookconfigurations/nase
  UID:                 5277a118-1ccb-11ea-98a5-0a084944784a
Webhooks:
  Admission Review Versions:
    v1beta1
  Client Config:
    Ca Bundle:     ***
    URL:           https://******.execute-api.us-west-2.amazonaws.com/Prod/webhook
  Failure Policy:  Fail
  Name:            nase.mhausenblas.info
  Namespace Selector:
  Rules:
    API Groups:

    API Versions:
      v1
    Operations:
      CREATE
      UPDATE
    Resources:
      secrets
    Scope:          *
  Side Effects:     Unknown
  Timeout Seconds:  30
Events:             <none>

You're now ready to use the demo.

Notes:

Usage

$ kubectl create secret generic somesecret --from-literal=nase=supersecret
secret/somesecret created

$ kubectl get secret somesecret -o "jsonpath={.data['nase']}" | base64 -D
arn:aws:secretsmanager:us-west-2:123456789012:secret:.nase-dzWHWN
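The mechanism described in the introduction (a mutating webhook rewriting a Secret before it is persisted) and the Usage session above, as an added example that is not the project's code: a standard-library Go handler that takes an AdmissionReview for a Secret and returns a JSONPatch replacing each .data value with the base64-encoded ARN, leaving the keys untouched so that consumers of the secret still find them. The ARNResolver callback, the sample request, the UID and the placeholder ARN are assumptions; the real webhook's call into Secrets Manager, its Lambda/API Gateway wiring and the exact ARN format are not shown.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

type ( // minimal AdmissionReview/Secret shapes, standard library only (no k8s.io/api)
	AdmissionRequest struct {
		UID    string                             `json:"uid"`
		Kind   struct{ Kind string `json:"kind"` } `json:"kind"`
		Object json.RawMessage                    `json:"object"`
	}
	AdmissionResponse struct {
		UID       string `json:"uid"`
		Allowed   bool   `json:"allowed"`
		PatchType string `json:"patchType,omitempty"`
		Patch     []byte `json:"patch,omitempty"` // []byte marshals as base64, as the API server expects
	}
	AdmissionReview struct {
		APIVersion string             `json:"apiVersion"`
		Kind       string             `json:"kind"`
		Request    *AdmissionRequest  `json:"request,omitempty"`
		Response   *AdmissionResponse `json:"response,omitempty"`
	}
	Secret struct {
		Metadata struct {
			Name      string `json:"name"`
			Namespace string `json:"namespace"`
		} `json:"metadata"`
		Data map[string]string `json:"data"` // values are base64 on the wire
	}
	JSONPatchOp struct {
		Op    string `json:"op"`
		Path  string `json:"path"`
		Value string `json:"value"`
	}
	// ARNResolver stands in for the Secrets Manager round trip (assumed interface, not the project's).
	ARNResolver func(namespace, name, key string) string
)

// jsonPointerEscape escapes a data key for an RFC 6901 JSON pointer path.
func jsonPointerEscape(key string) string {
	return strings.NewReplacer("~", "~0", "/", "~1").Replace(key)
}

// Mutate handles one AdmissionReview. For a Secret it returns a JSONPatch that
// replaces every .data value with the base64-encoded ARN; other kinds pass through.
func Mutate(reviewJSON []byte, resolve ARNResolver) ([]byte, error) {
	var in AdmissionReview
	if err := json.Unmarshal(reviewJSON, &in); err != nil {
		return nil, fmt.Errorf("decode review: %v", err)
	} else if in.Request == nil {
		return nil, fmt.Errorf("review carries no request")
	}
	resp := &AdmissionResponse{UID: in.Request.UID, Allowed: true}
	if in.Request.Kind.Kind == "Secret" {
		var s Secret
		if err := json.Unmarshal(in.Request.Object, &s); err != nil {
			return nil, fmt.Errorf("decode secret: %v", err)
		}
		keys := make([]string, 0, len(s.Data))
		for k := range s.Data {
			keys = append(keys, k)
		}
		sort.Strings(keys) // deterministic patch order
		ops := make([]JSONPatchOp, 0, len(keys))
		for _, k := range keys {
			arn := resolve(s.Metadata.Namespace, s.Metadata.Name, k)
			ops = append(ops, JSONPatchOp{"replace", "/data/" + jsonPointerEscape(k), base64.StdEncoding.EncodeToString([]byte(arn))})
		}
		patch, err := json.Marshal(ops)
		if err != nil {
			return nil, err
		}
		resp.PatchType, resp.Patch = "JSONPatch", patch
	}
	return json.Marshal(AdmissionReview{APIVersion: in.APIVersion, Kind: "AdmissionReview", Response: resp})
}

// SampleReview is a constructed request for the README's example secret (data.nase is base64 of "supersecret").
const SampleReview = `{"apiVersion":"admission.k8s.io/v1beta1","kind":"AdmissionReview",` +
	`"request":{"uid":"00000000-0000-0000-0000-000000000001","kind":{"group":"","version":"v1","kind":"Secret"},` +
	`"object":{"apiVersion":"v1","kind":"Secret","metadata":{"name":"somesecret","namespace":"default"},` +
	`"data":{"nase":"c3VwZXJzZWNyZXQ="}}}}`

func main() {
	// Placeholder resolver: a real webhook would store the value in Secrets Manager and return the ARN it gets back.
	out, err := Mutate([]byte(SampleReview), func(_, name, _ string) string {
		return "arn:aws:secretsmanager:us-west-2:123456789012:secret:" + name + "-EXAMPLE"
	})
	if err != nil {
		panic(err)
	}
	fmt.Println(string(out))
}
```

Two details matter for a defender reading the describe output above: the response's patch travels base64-encoded inside the AdmissionReview, and the handler patches only objects whose kind is Secret, so other admission requests routed to it are allowed through unchanged. Because the registered configuration sets Failure Policy to Fail, any error the handler returns (or a timeout reaching the Lambda) rejects the secret rather than letting the plaintext value through.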