AWS EKS Secrets injector

This repo is a proof-of-concept (PoC) showing how to inject AWS secret manager secrets to pods. The basic idea of the PoC is to use an extension point of the Kubernetes API server called dynamic admission control: when a user creates a pod with annotations, a mutating Webhook (implemented as an AWS Lambda function) intercepts the process and adds a init container to the pod which will read the secrets from secrets manager and injects the secrets to main container through a shared volume.

Installation

In order to build and deploy the service, clone this repo and make sure you've got the following available, locally:

• The aws CLI
• The SAM CLI
• Go 1.12 or above
• A Kubernetes 1.14 cluster or above with kubectl configured, locally

Additionally, I recommend that you have jq installed.

First, prepare the S3 bucket for the Lambda function that provides the webhook (make sure that you pick different name for the WEBHOOK_BUCKET bucket env variable since buckets need to be globally unique):

export WEBHOOK_BUCKET=nase-webhook

aws s3api create-bucket \
          --bucket $WEBHOOK_BUCKET \
          --create-bucket-configuration LocationConstraint=$(aws configure get region) \
          --region $(aws configure get region)

Now, to install the webhook, execute:

make deploy

Notes:

The CA bundle used in the webhook config comes from Amazon Trust Services. This is a PoC, not a production-ready setup. In order to lock down the webhook, that is, make sure that it can only be called from your Kubernetes cluster, you'd need to restrict the API Gateway access to its VPC.

Usage

$ kubectl create -f pod.yml