KMS stands for Key Management Service. This is one of the most critical services for cloud providers to manage customer's security-related properties on the cloud.
It is the same in Alibaba Cloud. Key Management Service (KMS) provides secure and compliant key management and cryptography services to help you encrypt and protect sensitive data assets.
Secret Manager is a new feature that is provided by Alibaba Cloud KMS Service in 2020. It enables you to manage your secrets in a centralized manner throughout their lifecycle (creation, retrieval, updating, and deletion.)
1. Lifecycle Mismatch:
Kubernetes provides Secret as a resource to supply credentials for various purposes (database access/API call.) but it can only be considered as temporary storage since it goes away with cluster deletion. Database accounts and API credentials should not be cleared. This requires as a cloud provider to securely store the credential information in a central location and synchronize with applications that are running in Kubernetes clusters.
2. Security Management:
Secret Manager (together with other cloud services like Audit Log) keeps user actions and historical changes in one place. This is critical for security auditing.
3. Key Rotation integration:
With REST API support, Secret Manager can easily be integrated in CI/CD pipelines for database credential rotation and API credentials updates.
The last puzzle to complete the picture is an agent to automatically synchronize the Secrets in Kubernetes and the KMS Secret Manager.
Here are two situations for synchronizing the KMS Secret Manager and Alibaba Cloud Kubernetes Cluster. One is from Alibaba Cloud and the other one is from Kubernetes eco-system.
1. Kubernetes External Secrets
External Secrets is more popular from a user perspective. It supports Alibaba Cloud and most of the major cloud providers.
ACK Secret Manager provides a similar setup to External Secrets and is controlled and contributed to mainly by Alibaba Cloud's internal developers. It provides more functionalities and flexibilities.
1. Create a Kubernetes Cluster using ACK:
You can do it manually by following the official document or using terraform by following the demo.
2. Deploy External Secrets or ACK Secret Manager:
Do not forget to attach the required privilege to the WorkerRole.
{
"Action": [
"kms:GetSecretValue"
],
"Resource": [
"*"
],
"Effect": "Allow"
}Then, install it in kubernetes cluster.
# for ACK Secret Manager
$ helm repo add http://aliacs-k8s-eu-central-1.oss-eu-central-1.aliyuncs.com/app/charts-incubator/
$ helm install aliyun/ack-secret-managerInstall it in Kubernetes cluster with the environments values by following the helm chart values definition.
# for External secrets
$ helm repo add external-secrets https://godaddy.github.io/kubernetes-external-secrets/
$ helm install external-secrets/kubernetes-external-secrets --set envVarsFromSecret.ALICLOUD_ENDPOINT=xxx --set envVarsFromSecret.ALICLOUD_ACCESS_KEY_ID=xxx --set envVarsFromSecret.ALICLOUD_ACCESS_KEY_SECRET=xxx3. Create a Secret using aliyun-cli
# you need to configure aliyun-cli with a valid RAM user and proper permission
aliyun kms CreateSecret --SecretName my_secret --SecretData P@ssw0rd --VersionId 0014. Deploy CRD
apiVersion: 'alibabacloud.com/v1alpha1'
kind: ExternalSecret
metadata:
name: hello-service
spec:
backendType: alicloud-kms
data:
- key: test
name: password
versionStage: ACSCurrent# External secrets demo
apiVersion: kubernetes-client.io/v1
kind: ExternalSecret
metadata:
name: hello-service
spec:
backendType: alicloudSecretsManager
# optional: specify role to assume using provided access key ID and access key secret when retrieving the data
roleArn: acs:ram::{UID}:role/demo
data:
- key: hello-credentials1
name: password
- key: hello-credentials2
name: username
# Version Stage in Alibaba Cloud KMS Secrets Manager. Optional, default value is ACSCurrent
versionStage: ACSCurrentThen, run command
# deploy CRD
$ kubectl apply -f hello-service-external-secret.yml5. Verify the results.
After 30 seconds, check to see if Secret got an update
# print secret in yaml format
$ kubectl get secret hello-service -oyamlThis is what you should see:
apiVersion: v1
kind: Secret
metadata:
name: hello-service
type: Opaque
data:
password: MTIzNA==That's it! Alibaba makes your life easier.
Alibaba Cloud Community - March 16, 2022
Marketplace - November 23, 2018
Alibaba Container Service - February 24, 2021
Xi Ning Wang - March 7, 2019
Alibaba Container Service - April 28, 2020
Alibaba Clouder - May 20, 2019
Container Service for Kubernetes
Alibaba Cloud Container Service for Kubernetes is a fully managed cloud container management service that supports native Kubernetes and integrates with other Alibaba Cloud products.
Learn More
Cloud-Native Applications Management Solution
Accelerate and secure the development, deployment, and management of containerized applications cost-effectively.
Learn More
ACK One
Provides a control plane to allow users to manage Kubernetes clusters that run based on different infrastructure resources
Learn More
Key Management Service
Create, delete and manage encryption keys with Alibaba Cloud Key Management Service
Learn More