Uses a mutating webhook to create an initContainer within an annotated pod

The mutatingwebhook configuration limits to an annotated namespace

The initContainer can be of any secret image as desired, but the examples folder gives a simple python script for AWS

The image names are overridden in the helm chart supplied and the command and args to fire are also configurable

The mount point of the secrets obtained is configurable and is mounted as an in-memory volume from the initContainer to the Volumes in the pod to be injected.

Acknowledgments to: https://banzaicloud.com/blog/k8s-admission-webhooks/

This tutorial shows how to build and deploy an AdmissionWebhook.

make go-build

make docker-injector-build make docker-injector-build INJECTOR_TAG=myrepotag

make docker-secret-build make docker-secret-build SECRET_TAG=myrepotag

make docker-push INJECTOR_TAG=myrepotag SECRET_TAG=myrepotag

make helm-install INJECTOR_TAG=myrepotag SECRET_TAG=myrepotag Put any additional overrides in overrides.yaml in helm folder

make all INJECTOR_TAG=myrepotag SECRET_TAG=myrepotag

kubectl label namespace default com.expediagroup/secrets-injector=enabled

This is overridable in the helm chart if necessary namespaceSelector: mylabel

com.expediagroup/secrets-injector-format: yaml com.expediagroup/secrets-injector-key: my-secret-key

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "secretsmanager:*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "secretsmanager.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::000000000000:role/eks-worker-role"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

helm install -n myrelease --set image.pullPolicy=Never --set image.repository=myrepo helm/secrets-injector

• helm install will automatically build certs/ca and create mountable secrets
• helm overrides will allow launch of a specified image for both the webhook and the secret reading process

aws:
  secret:
    key: my-key
  region: us-west-2

kubectl get events to check

apiVersion: apps/v1
kind: Deployment
metadata:
  name: sleep
spec:
  replicas: 3
  selector:
    matchLabels:
      app: sleep
  template:
    metadata:
      annotations:
        iam.amazonaws.com/role: arn:aws:iam::000000000000:role/my-secret-role
      labels:
        com.expediagroup/secrets-injector-format: yaml
        com.expediagroup/secrets-injector-key: s-eg-platform
        app: sleep
    spec:
      containers:
      - name: sleep
        image: tutum/curl
        command: ["/bin/sleep","infinity"]
        imagePullPolicy: IfNotPresent

kubectl exec sleep-xxx cat /secrets/secret.yaml