You can import secrets from Secrets Manager of Key Management Service (KMS) into CSI inline volumes or Kubernetes Secrets in Container Service for Kubernetes (ACK) clusters, and then mount those CSI inline volumes or Kubernetes Secrets into application pods. This avoids exposing sensitive data throughout the application development lifecycle in ACK. By default, Kubernetes cannot read secrets stored in Secrets Manager of KMS directly from volumes; the ack-secret-manager and csi-secrets-store-provider-alibabacloud plug-ins resolve this incompatibility.
Introduction
ack-secret-manager allows you to import or synchronize secrets from KMS into Kubernetes Secrets in an ACK cluster, so that sensitive data is accessed securely within the cluster. Workloads use the synchronized secrets by mounting the Kubernetes Secrets into application pods through CSI inline volumes.
csi-secrets-store-provider-alibabacloud allows you to import or synchronize secrets from KMS into Kubernetes Secrets in an ACK cluster, so that sensitive data is accessed securely within the cluster. In addition, the plug-in can mount secrets directly into application pods through CSI inline volumes. This suits applications that obtain sensitive information through file system APIs, for example by reading files.
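The following manifests are an added example, not taken from the page or the plug-in's own documentation, showing the two usage modes described above for csi-secrets-store-provider-alibabacloud: a SecretProviderClass that fetches a KMS secret, mirrors it into a Kubernetes Secret, and a pod that mounts it through a read-only CSI inline volume. Assumed: the plug-in and the upstream Secrets Store CSI Driver are installed, a Secrets Manager secret named `demo-db-password` exists, the pod's identity is permitted to read it, and the `objects` entry keys (`objectName`, `objectAlias`) follow the provider's parameter layout.

```yaml
# Added example: assumes the csi-secrets-store-provider-alibabacloud plug-in
# and the Secrets Store CSI Driver are installed in the cluster.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: kms-demo-secrets
  namespace: default
spec:
  provider: alibabacloud
  parameters:
    # One entry per Secrets Manager secret to fetch (key names assumed);
    # objectAlias sets the file name created under the mount path.
    objects: |
      - objectName: "demo-db-password"   # assumed KMS secret name
        objectAlias: "db-password"
  # Optional: also synchronize the fetched value into a Kubernetes Secret so
  # workloads that read env vars or ordinary Secret volumes can consume it.
  secretObjects:
    - secretName: demo-db-credentials
      type: Opaque
      data:
        - objectName: db-password        # matches the objectAlias above
          key: password
---
apiVersion: v1
kind: Pod
metadata:
  name: kms-demo-app
  namespace: default
spec:
  containers:
    - name: app
      image: busybox:1.36                # placeholder image
      command: ["sh", "-c", "ls -l /mnt/secrets-store && sleep 3600"]
      volumeMounts:
        - name: secrets-store
          mountPath: /mnt/secrets-store
          readOnly: true                 # secret volumes must be read-only
  volumes:
    - name: secrets-store
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: kms-demo-secrets
```

The mirrored Kubernetes Secret `demo-db-credentials` only exists while at least one pod mounts the CSI volume, and the file `/mnt/secrets-store/db-password` is the path an application reads through file system APIs.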
Scenarios
Component | Applicable cluster type | Feature | Reference
--- | --- | --- | ---
ack-secret-manager | | Supports Secret synchronization and updates. |
csi-secrets-store-provider-alibabacloud | Clusters of version 1.20 and above | | Use csi-secrets-store-provider-alibabacloud to import secrets from KMS
References
ack-secret-manager and csi-secrets-store-provider-alibabacloud are free to install and use, but they consume worker node resources after installation. You can specify the amount of resources requested by each plug-in during installation.
You are charged for the Secrets Manager of KMS. For more information, see Billing.