You can import secrets from CloudOps Orchestration Service (OOS) into Container Service for Kubernetes (ACK) clusters either as Container Storage Interface (CSI) inline volumes or as Kubernetes Secrets, and then mount them into application pods. Sensitive data therefore does not have to be hard-coded or otherwise exposed during the application development lifecycle in ACK. Kubernetes workloads read secrets from the file system or from Kubernetes Secret objects rather than calling a secret service such as KMS Secrets Manager or OOS directly, so the two are not compatible out of the box. The ack-secret-manager and csi-secrets-store-provider-alibabacloud components close this gap by fetching the secrets and presenting them in a form the workload can consume.
Introduction to components
The ack-secret-manager component imports or synchronizes secrets from OOS into ACK clusters as Kubernetes Secret objects, which store the sensitive information inside the cluster. An application consumes a secret by mounting the named Secret as a file system volume in its pod.
The csi-secrets-store-provider-alibabacloud component also imports or synchronizes secrets from OOS into ACK clusters as Kubernetes Secret objects. In addition, it can mount secrets directly into application pods as CSI inline volumes, without going through a Kubernetes Secret object. The inline-volume path suits applications that obtain sensitive data through file system calls, such as opening and reading a file.
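The following manifests are an added example, not code from the page or from the component's own documentation. They show the two paths described above with csi-secrets-store-provider-alibabacloud: a SecretProviderClass that a pod mounts as a CSI inline volume, and the optional secretObjects section that additionally materialises the same value as a Kubernetes Secret. The SecretProviderClass kind, the csi volume block and secretObjects are the upstream Secrets Store CSI driver API; the contents of parameters.objects, the secret name db-password, and the image and object names are assumptions for illustration and must be checked against the component's reference.

```yaml
# Added example (not from the page or the component docs).
# ASSUMPTION: the format of parameters.objects for provider "alibabacloud"
# and the OOS secret name "db-password" are illustrative only.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: app-db-secret          # hypothetical name
  namespace: default
spec:
  provider: alibabacloud
  parameters:
    objects: |
      - objectName: "db-password"   # hypothetical secret stored in OOS
  # Optional: also write the mounted value into a Kubernetes Secret.
  # The sync only happens while at least one pod mounts this class.
  secretObjects:
    - secretName: app-db-secret-k8s
      type: Opaque
      data:
        - objectName: "db-password"
          key: password
---
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: default
spec:
  containers:
    - name: app
      image: registry.example.com/app:1.0   # hypothetical image
      volumeMounts:
        - name: secrets
          mountPath: /mnt/secrets           # app reads /mnt/secrets/db-password
          readOnly: true
      env:
        # Second path: consume the synced Kubernetes Secret as an env var.
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: app-db-secret-k8s
              key: password
  volumes:
    - name: secrets
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: app-db-secret
```

Choose the path deliberately. The file under /mnt/secrets lives on a tmpfs that exists only while the pod runs and is visible only to that pod. The synced Kubernetes Secret is stored in etcd and readable by any principal with RBAC permission to get secrets in the namespace, and exposing it as an environment variable also leaks it into /proc/<pid>/environ and crash dumps. Environment variables are fixed at container start, so a rotated value only reaches the application through the mounted file, and only if the application re-reads it.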
Scenarios
Component | Applicable clusters | Features | References
--- | --- | --- | ---
ack-secret-manager | | Secret synchronization and updates are supported. |
csi-secrets-store-provider-alibabacloud | Clusters that run Kubernetes 1.20 and later | | Use csi-secrets-store-provider-alibabacloud to import OOS encryption parameters
Billing
ack-secret-manager and csi-secrets-store-provider-alibabacloud are free to install and use, but their pods consume CPU and memory on worker nodes once installed. You can set the resource requests for each component during installation.