
Container Service for Kubernetes:Import Alibaba Cloud KMS service credentials for applications

Last Updated:Aug 01, 2025

You can import ciphertext from Alibaba Cloud Key Management Service (KMS) Secrets Manager into your application pods. You can mount the ciphertext as a file system or a Secret, or read it from memory through a local HTTP interface. This prevents sensitive data from being leaked during application development and building. If your application reads keys from the file system, compatibility issues may occur when integrating with KMS Secrets Manager. You can use ack-secret-manager or csi-secrets-store-provider-alibabacloud to resolve these issues. If you want your application to directly obtain sensitive KMS credentials from memory and prevent them from being written to disks, you can use ack-kms-agent-webhook-injector to import and manage credentials more securely.

Introduction

  • ack-secret-manager: This component lets you import or synchronize KMS credentials to a cluster as Kubernetes Secrets to ensure that applications in the cluster can securely access sensitive data. A workload can then use the credentials by mounting a specified Secret instance as a file system.

  • csi-secrets-store-provider-alibabacloud: This component lets you import or synchronize KMS credentials to a cluster as Kubernetes Secrets to ensure that applications in the cluster can securely access sensitive data. It also lets you directly mount credential keys to applications as a file system in the form of a Container Storage Interface (CSI) inline volume. This component is suitable for applications that obtain sensitive information from file system interfaces, such as by reading files.

  • ack-kms-agent-webhook-injector: This component injects a KMS Agent into a pod as a sidecar container. This allows business applications to use the KMS Agent to obtain credentials from a KMS instance through a local HTTP interface and cache the credentials in memory. This prevents hard coding of sensitive data and improves security.
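As an added example that is not part of the Alibaba Cloud documentation, the manifest below shows the two file-system consumption patterns described above side by side: a Kubernetes Secret kept in sync by ack-secret-manager and mounted as a volume, and a CSI inline volume served by the Secrets Store CSI driver with csi-secrets-store-provider-alibabacloud. The names `kms-synced-secret`, `kms-inline-secrets`, `db-password`, the image, and the SecretProviderClass provider parameters are placeholders; confirm the exact provider parameter format in the linked component guide.

```yaml
# Added example; names, image and provider parameters are placeholders.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: kms-inline-secrets
spec:
  provider: alibabacloud          # provider name assumed; verify against the component guide
  parameters:
    objects: |
      - objectName: "db-password"  # placeholder: credential name in KMS Secrets Manager
---
apiVersion: v1
kind: Pod
metadata:
  name: app
spec:
  automountServiceAccountToken: false   # the app itself needs no API server token
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 1000                       # lets the non-root process read the mounted files
  containers:
  - name: app
    image: registry.example.com/app:1.0   # placeholder image
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
    volumeMounts:
    # Pattern 1: Secret synchronized from KMS by ack-secret-manager
    - name: synced-secret
      mountPath: /etc/secrets/synced
      readOnly: true
    # Pattern 2: CSI inline volume; the credential is projected straight into the pod
    - name: inline-secrets
      mountPath: /etc/secrets/inline
      readOnly: true
  volumes:
  - name: synced-secret
    secret:
      secretName: kms-synced-secret       # placeholder: Secret created by ack-secret-manager
      defaultMode: 0440                   # owner/group read only; no world-readable files
  - name: inline-secrets
    csi:
      driver: secrets-store.csi.k8s.io
      readOnly: true
      volumeAttributes:
        secretProviderClass: kms-inline-secrets
```

Both mounts are read-only and the root filesystem is read-only too, so the credential files cannot be copied or rewritten from inside the container; rotation is handled by the component, not by the application.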

Scenarios

The table below lists, for each component, the applicable clusters, a description, and the related operation.

ack-secret-manager

  Applicable clusters:

  • ACK managed cluster

  • ACK dedicated cluster

  • ACK One registered cluster

  • ACK Serverless cluster

  Description:

  • Supports Secret synchronization and updates.

  Related operations: Use ack-secret-manager to import Alibaba Cloud KMS service credentials

csi-secrets-store-provider-alibabacloud

  Applicable clusters (Kubernetes 1.20 or later):

  • ACK managed cluster

  • ACK dedicated cluster

  • ACK One registered cluster

  Description:

  • Supports Secret synchronization and updates.

  • Supports mounting credential keys to applications as a file system in the form of a CSI inline volume.

  Related operations: Use csi-secrets-store-provider-alibabacloud to import Alibaba Cloud KMS service credentials

ack-kms-agent-webhook-injector

  Applicable clusters (Kubernetes 1.22 or later):

  • ACK managed cluster

  • ACK dedicated cluster

  Description:

  • Supports Secret synchronization and updates.

  • Supports obtaining credentials from a KMS instance and caching them in memory using the KMS Agent through a local HTTP interface.

  Related operations: Use ack-kms-agent-webhook-injector to import Alibaba Cloud KMS service credentials

Billing

  • ack-secret-manager and csi-secrets-store-provider-alibabacloud are free to install and use, but consume worker node resources after installation. You can configure the resource requests for each component during installation.

  • You are charged for using KMS Secrets Manager. For more information, see Product Billing.