azure - How to access Azure Key Vault (AKV) from Azure Kubernetes Service (AKS) using a managed identity

Tags: azure azure-keyvault azure-aks azure-managed-identity

We have some dotnet Core app services running on Azure that use Azure Key Vault with a managed identity.

The plan is to deploy these dotnet Core services to Azure Kubernetes, but I have not yet found any documentation/support for using AKV together with a Kubernetes service. Any guidance or references?

Best answer

There are a few options for accessing Key Vault from AKS:

  • Use Azure Key Vault with FlexVol (deprecated; keep using it on Kubernetes version 1.15)

    With Key Vault, you store and regularly rotate secrets such as credentials, storage account keys, or certificates. You can integrate Azure Key Vault with an AKS cluster using a FlexVolume. The FlexVolume driver lets the AKS cluster natively retrieve credentials from Key Vault and securely provide them only to the requesting pod. Work with your cluster operator to deploy the Key Vault FlexVol driver onto the AKS nodes. You can use a pod managed identity to request access to Key Vault and retrieve the credentials you need through the FlexVolume driver.

    Azure Key Vault with FlexVol is intended for use with applications and services running on Linux pods and nodes.

  • Use Azure Key Vault Provider for Secrets Store CSI Driver (for Kubernetes 1.16+)

    The Azure Key Vault Provider for Secrets Store CSI Driver allows for the integration of Azure Key Vault as a secrets store with a Kubernetes cluster via a CSI volume.

  • Use Azure Active Directory pod-managed identities in Azure Kubernetes Service (Preview)

    Azure Active Directory (Azure AD) pod-managed identities use Kubernetes primitives to associate managed identities for Azure resources and identities in Azure AD with pods. Administrators create identities and bindings as Kubernetes primitives that allow pods to access Azure resources that rely on Azure AD as an identity provider.

I find the Pod Identity approach easier, because you don't need to change any code.
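To make the second and third options concrete, the manifests below wire the Secrets Store CSI Driver (Azure provider) to an AAD pod identity so that a Key Vault secret appears as a read-only file inside the pod. This is an added example, not code from the question or the answer above. Everything named here is an assumption: the vault `my-keyvault`, the secret `DbConnectionString`, the user-assigned identity `kv-reader` (its `resourceID` and `clientID` are placeholders), the tenant ID, and the container image. It assumes the Secrets Store CSI Driver, its Azure provider and aad-pod-identity are already installed on the cluster, and that the `kv-reader` identity has been granted `get` on secrets in the vault's access policy.

```yaml
# Added example (not from the original post): expose a Key Vault secret to a
# pod via the Secrets Store CSI Driver, authenticating with an AAD pod identity.
# All names, IDs and the image are assumptions; replace them with your own.

# 1. Open-source aad-pod-identity CRDs: map a user-assigned managed identity to a
#    selector that pods opt into with the label aadpodidbinding=<selector>.
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentity
metadata:
  name: kv-reader
  namespace: default
spec:
  type: 0   # 0 = user-assigned managed identity
  # Placeholder resource ID of the managed identity (assumed values).
  resourceID: /subscriptions/<subscription-id>/resourcegroups/<resource-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/kv-reader
  clientID: 11111111-1111-1111-1111-111111111111   # placeholder client ID
---
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentityBinding
metadata:
  name: kv-reader-binding
  namespace: default
spec:
  azureIdentity: kv-reader
  selector: kv-reader   # pods carrying aadpodidbinding: kv-reader get this identity
---
# 2. SecretProviderClass: which vault, which objects, and how to authenticate.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: akv-dotnet-app
  namespace: default
spec:
  provider: azure
  parameters:
    usePodIdentity: "true"          # token comes from the aad-pod-identity NMI
    keyvaultName: "my-keyvault"     # assumed vault name
    tenantId: "00000000-0000-0000-0000-000000000000"   # placeholder tenant ID
    objects: |
      array:
        - |
          objectName: DbConnectionString   # assumed secret name in the vault
          objectType: secret
---
# 3. Workload: opt into the identity and mount the CSI volume read-only.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: dotnet-app
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: dotnet-app
  template:
    metadata:
      labels:
        app: dotnet-app
        aadpodidbinding: kv-reader   # must match the AzureIdentityBinding selector
    spec:
      containers:
        - name: app
          image: myregistry.azurecr.io/dotnet-app:1.0   # assumed image
          volumeMounts:
            - name: secrets-store
              mountPath: /mnt/secrets-store
              readOnly: true
      volumes:
        - name: secrets-store
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: akv-dotnet-app
```

After `kubectl apply`, the secret is readable at `/mnt/secrets-store/DbConnectionString` inside the container, so the dotnet app only needs to read a file (or keep using `DefaultAzureCredential`, which obtains a token through the same pod identity). The mount is a tmpfs that exists only while the pod runs; the example deliberately does not add a `secretObjects` section, which would additionally sync the value into a Kubernetes Secret and widen its exposure to anyone with read access to Secrets in the namespace. Keep the vault access policy scoped to `get` on secrets for the single identity, and treat the `aadpodidbinding` label as a privilege: any pod that can set it in this namespace can assume the identity, so restrict who may create pods there.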

Regarding "azure - How to access Azure Key Vault (AKV) from Azure Kubernetes Service (AKS) using a managed identity", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/57940468/
