Release Summary
We are thrilled to announce the Public Preview of Azure Key Vault Secret Store Extension (SSE) for Arc-enabled on-premises Kubernetes, including clusters that you connect yourself and AKS managed clusters. SSE automatically synchronizes secrets from an Azure Key Vault to the on-premises cluster for offline access. This means you can use Azure Key Vault to store, maintain, and rotate your secrets, even when running your Kubernetes cluster in a semi-disconnected state.
Key Benefits
- Offline Access: Many clusters running in production environments at the edge need to be resilient to intermittent connectivity. This includes continuing to have access to secrets when a cluster goes offline or a pod restarts. Workloads can continue to access secrets that are stored in the Kubernetes secret store.
- Standard K8s Secret Access: Secrets can be accessed via volume mounting, environment variables, or the Kubernetes API. Workloads and ingress controllers do not need to be customized to access Azure Key Vault, and developers have options for how to access secrets.
- Security: The Secret Store Extension (SSE) has limited permissions and leverages the latest Kubernetes security features so that cluster admins do not need to configure and limit permissions themselves. Synchronized secrets are critical business assets, so the Secret Store secures them through isolated namespaces and nodes, role-based access control (RBAC) policies, federated identities for accessing AKV, and limited permissions for the secrets synchronizer.
How to Use the Secret Store Extension
- Install the Secret Store Extension on an Arc-enabled cluster or AKS managed on-premises cluster with configuration parameters such as sync intervals.
- Configure an Azure managed identity that has permission to read secrets from AKV and federate it with a Kubernetes service account.
- Configure a secret provider class custom resource (CR) in the cluster with connection details to the Key Vault.
- Configure a secret sync custom resource (CR) in the cluster for each secret to be synchronized.
- Apply the CRs in the cluster and secrets will automatically begin syncing at the selected or default sync interval.
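To make the steps above concrete, here is an added example of the two custom resources and a consuming workload, written for this post and not taken from the extension's own documentation. The API groups, versions and field names (`secrets-store.csi.x-k8s.io/v1` for `SecretProviderClass`, `secret-sync.x-k8s.io/v1alpha1` for `SecretSync`, the `azure.workload.identity/client-id` service account annotation) are my recollection of the preview and should be checked against the documentation linked below; the namespace, names, client ID, tenant ID and Key Vault name are placeholders to replace with your own values.

```yaml
# Step 2 (federated identity): the Kubernetes service account that the
# synchronizer impersonates. The annotation binds it to the user-assigned
# managed identity that has "Key Vault Secrets User" on the vault.
# All IDs below are placeholders, not real values.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: akv-sync-sa
  namespace: edge-app
  annotations:
    azure.workload.identity/client-id: "00000000-0000-0000-0000-000000000000"
---
# Step 3: connection details to the Key Vault. Only the objects listed here
# are readable by the extension, which keeps its blast radius small.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: akv-edge-app
  namespace: edge-app
spec:
  provider: azure
  parameters:
    clientID: "00000000-0000-0000-0000-000000000000"   # placeholder
    tenantId: "11111111-1111-1111-1111-111111111111"   # placeholder
    keyvaultName: "my-edge-kv"                         # placeholder
    objects: |
      array:
        - |
          objectName: db-password
          objectType: secret
---
# Step 4: one SecretSync per Kubernetes Secret to materialize. The synced
# Secret lives in the cluster, so pods keep working if the vault is unreachable.
apiVersion: secret-sync.x-k8s.io/v1alpha1
kind: SecretSync
metadata:
  name: db-password-sync
  namespace: edge-app
spec:
  serviceAccountName: akv-sync-sa
  secretProviderClassName: akv-edge-app
  secretObject:
    type: Opaque
    data:
      - sourcePath: db-password   # object name in Key Vault
        targetKey: DB_PASSWORD    # key inside the Kubernetes Secret
---
# Consumer: a plain Pod reads the synced Secret the standard Kubernetes way
# (env var here, a volume mount works the same), with no Key Vault SDK.
apiVersion: v1
kind: Pod
metadata:
  name: edge-app
  namespace: edge-app
spec:
  containers:
    - name: app
      image: registry.example.com/edge-app:1.0   # placeholder image
      env:
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: db-password-sync   # Secret named after the SecretSync
              key: DB_PASSWORD
```

Apply the file with `kubectl apply -f` (step 5) and confirm the result with `kubectl get secret db-password-sync -n edge-app`; a practitioner would also lock the namespace down with RBAC so that only the workload's service account can `get` that Secret, since once synchronized it is protected by the cluster's controls rather than the vault's.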
Try out the Secret Store Extension Today!
- Get started by visiting this documentation
- Provide feedback to our team here
Updated Nov 15, 2024
Version 1.0
rebeccaholt, Microsoft
Azure Arc Blog