A k8s vault webhook is a Kubernetes webhook that can inject secrets into Kubernetes resources by connecting to multiple secret managers

Last update: Oct 15, 2022

Overview

k8s-vault-webhook is a Kubernetes admission webhook which listen for the events related to Kubernetes resources for injecting secret directly from secret manager to pod, secret, and configmap. The motive of creating this project is to provide a dynamic secret injection to containers/pods running inside Kubernetes from different secret managers for enhanced security.

Documentation is available here:- https://ot-container-kit.github.io/k8s-vault-webhook/

The secret managers which are currently supported:-

There are some secret managers which are planned to be implemented in future.

GCP Secret Manager

Supported Features

Authentication to Hashicorp vault using Kubernetes service-account
RBAC implementation of vault using different policies of vault and association of policy with service-account
Inject secret directly to pods/containers running inside Kubernetes
Inject secret directly to pods/containers from AWS Secret Manager
Authentication with AWS Secret Manager with access key and iam role
Fetch secrets from Azure Key Vault and inject them in pods/containers
Pod AD identity and Service principal based authentication in Azure
Authentication with AWS Secret Manager with access key and iam role
Support regex to inject all secrets from a certain path of Vault
Inject secrets directly to the process of container, i.e. after the injection you cannot read secrets from the environment variable

Architecture

Installation

k8s-vault-webhook can easily get installed by using Helm. We just simple need to add the repository of our helm charts.

$ helm repo add ot-helm https://github.com/OT-CONTAINER-KIT/helm-charts

$ helm upgrade k8s-vault-webhook ot-helm/k8s-vault-webhook --namespace <namespace> --install

If you want to pass your custom values file while installing the chart, you can find the values file here

Quickstart

For setting up a quickstart environment for demo, you can start quickstart from here

Development

If you like to contribute to this project, you are more than welcome. Please see our DEVELOPMENT.md for details.

Release History

Please see our CHANGELOG.md for details.

Contact

If you have any suggestion or query. Contact us at

[email protected]

Kubernetes webhook development (validating admission webhook) tutorial using kubewebhook

pod-exec-guard-kubewebhook-tutorial Introduction This is a tutorial that shows how to develop a Kubernetes admission webhook. To explain this, the tut

8 Aug 26, 2022

A kubernetes cni, connecting containers to neutron virtual networks.

neutron-cni A kubernetes cni, connecting containers to neutron virtual networks. Network Topology Architecture Quick Start Build make build-dev-im

8 May 5, 2022

Write controller-runtime based k8s controllers that read/write to git, not k8s

Git Backed Controller The basic idea is to write a k8s controller that runs against git and not k8s apiserver. So the controller is reading and writin

50 Dec 10, 2021

K8s-cinder-csi-plugin - K8s Pod Use Openstack Cinder Volume

k8s-cinder-csi-plugin K8s Pod Use Openstack Cinder Volume openstack volume list

0 Jul 18, 2022

K8s-go-structs - All k8s API Go structs

k8s-api go types Why? Its nice to have it all in a single package. . |-- pkg |

3 Jul 17, 2022

A Kubernetes Operator, that helps DevOps team accelerate their journey into the cloud and K8s.

A Kubernetes Operator, that helps DevOps team accelerate their journey into the cloud and K8s. OAM operator scaffolds all of the code required to create resources across various cloud provides, which includes both K8s and Non-K8s resources

2 Nov 30, 2021

webhook is a lightweight incoming webhook server to run shell commands

What is webhook? webhook is a lightweight configurable tool written in Go, that allows you to easily create HTTP endpoints (hooks) on your server, whi

8.5k Jan 5, 2023

Tcpdump-webhook - Toy Sidecar Injection with Mutating Webhook

tcpdump-webhook A simple demonstration of Kubernetes Mutating Webhooks. Injects

2 Feb 8, 2022

Deploy, manage, and secure applications and resources across multiple clusters using CloudFormation and Shipa

CloudFormation provider Deploy, secure, and manage applications across multiple clusters using CloudFormation and Shipa. Development environment setup

1 Feb 12, 2022

Comments

Question: where is the code that talks with Hashicorp Vault?

I was glancing over the code, but couldn't find the part when using Hashicorp Vault, where you replace the pod annotations with the actual secrets? Also the example in the docs show the annotations rather than the pass - https://ot-container-kit.github.io/k8s-vault-webhook/guide/hashicorp-vault-example.html

opened by canidam 2
Using the wrong logo in graphic

Your logo here is for Vue.js, not Vault

https://github.com/OT-CONTAINER-KIT/k8s-vault-webhook/blob/master/static/k8s-vault-webhook-arc.png

https://vuejs.org/
enhancement

opened by blairdrummond 0

Releases(v4.0)

v4.0(May 16, 2021)

Changelog

7688cfc Update .gitignore a717e26 Updated Version in VERSION file 03d6543 [Feature][Add] Added GCP support in webhook (#14) 81b6394 Updated badge for build e4930eb Added scripts for release 9664c1b Added scripts for release 1fc66e2 Added scripts for release 198b1e1 Added scripts for release 832fe86 Added Azure DevOps CI pipeline
Source code(tar.gz)
Source code(zip)
k8s-vault-webhook_4.0_checksums.txt(427 bytes)
k8s-vault-webhook_4.0_darwin_amd64.tar.gz(11.44 MB)
k8s-vault-webhook_4.0_linux_386.tar.gz(10.29 MB)
k8s-vault-webhook_4.0_linux_amd64.tar.gz(10.85 MB)
k8s-vault-webhook_4.0_linux_arm64.tar.gz(9.69 MB)
v3.0(May 9, 2021)
:tada: [Features Added]

Added Azure Key Vault support

Fetch secrets from Azure Key Vault and inject them in pods/containers

Pod AD identity and Service principal based authentication in Azure

Source code(tar.gz)
Source code(zip)
v2.0(May 8, 2021)
:tada: [Features Added]

Added AWS Secret Manager support

Inject secret directly to pods/containers from AWS Secret Manager

Authentication with AWS Secret Manager with access key and IAM role

Source code(tar.gz)
Source code(zip)
v1.0(Apr 21, 2021)
v1.0

April 11, 2021

:tada: [Features Added]

Authentication to Hashicorp vault using Kubernetes service-account

RBAC implementation of vault using different policies of vault and association of policy with service-account

Inject secret directly to pods/containers running inside Kubernetes

Support regex to inject all secrets from a certain path of Vault

Inject secrets directly to the process of the container, i.e. after the injection you cannot read secrets from the environment variable

Source code(tar.gz)
Source code(zip)

Owner

Opstree Container Kit

I am placeholder for all container and its orchestration related things

GitHub https://ot-container-kit.github.io/k8s-vault-webhook/

Kubernetes Operator to sync secrets between different secret backends and Kubernetes

Vals-Operator Here at Digitalis we love vals, it's a tool we use daily to keep secrets stored securely. We also use secrets-manager on the Kubernetes

86 Nov 13, 2022

The k8s-generic-webhook is a library to simplify the implementation of webhooks for arbitrary customer resources (CR) in the operator-sdk or controller-runtime.

k8s-generic-webhook The k8s-generic-webhook is a library to simplify the implementation of webhooks for arbitrary customer resources (CR) in the opera

9 Nov 24, 2022

K8s-ingress-health-bot - A K8s Ingress Health Bot is a lightweight application to check the health of the ingress endpoints for a given kubernetes namespace.

k8s-ingress-health-bot A K8s Ingress Health Bot is a lightweight application to check the health of qualified ingress endpoints for a given kubernetes

0 Jan 2, 2022

A k8s vault webhook is a Kubernetes webhook that can inject secrets into Kubernetes resources by connecting to multiple secret managers

Related tags

Overview

Supported Features

Architecture

Installation

Quickstart

Development

Release History

Contact

You might also like...

Kubernetes webhook development (validating admission webhook) tutorial using kubewebhook

A kubernetes cni, connecting containers to neutron virtual networks.

Write controller-runtime based k8s controllers that read/write to git, not k8s

K8s-cinder-csi-plugin - K8s Pod Use Openstack Cinder Volume

K8s-go-structs - All k8s API Go structs

A Kubernetes Operator, that helps DevOps team accelerate their journey into the cloud and K8s.

webhook is a lightweight incoming webhook server to run shell commands

Tcpdump-webhook - Toy Sidecar Injection with Mutating Webhook

Deploy, manage, and secure applications and resources across multiple clusters using CloudFormation and Shipa

Comments

Question: where is the code that talks with Hashicorp Vault?

Using the wrong logo in graphic

Releases(v4.0)

v4.0(May 16, 2021)

Changelog

v3.0(May 9, 2021)

:tada: [Features Added]

v2.0(May 8, 2021)

:tada: [Features Added]

v1.0(Apr 21, 2021)

v1.0

April 11, 2021

:tada: [Features Added]

Owner

Opstree Container Kit

Kubernetes Operator to sync secrets between different secret backends and Kubernetes

The k8s-generic-webhook is a library to simplify the implementation of webhooks for arbitrary customer resources (CR) in the operator-sdk or controller-runtime.

Webhook-server - Webhook Server for KubeDB resources

Simplify Kubernetes Secrets Management with Dockhand Secrets Operator

Copy your HashiCorp Vault secrets to a file

VaultOperator provides a CRD to interact securely and indirectly with secrets stored in Hashicorp Vault.

A helm v3 plugin to adopt existing k8s resources into a new generated helm chart

This repo contains example on how to consume secrets from Google Secret Manager from GKE

K8s-dotenv - Kubernetes Secrets and Configmaps to dot env file

K8s-ingress-health-bot - A K8s Ingress Health Bot is a lightweight application to check the health of the ingress endpoints for a given kubernetes namespace.