- Drive Azure KeyVault typed objects (secrets, certificates and keys) into pods via projection (similar to secrets/config maps volumes).
- Enable low-footprint integration: users should not have to configure pods differently (for example with sidecars) to use it.
- Enable role control and authorization assertion on pod level.
A binary deployed on all nodes implements the FlexVolume interfaces. The binary downloads the KeyVault objects and projects them into pods. The volume driver has two modes of operation:
- Stand Alone: the driver uses a secret (containing the Service Principal username and password), supplied via the FlexVol SecretRef, to authenticate itself to KeyVault.
- Integrated with Pod Identity: the driver uses the pod's own identity, via aad pod identity, to authenticate itself to KeyVault.
In both cases the user is required to grant the correct permissions via ARM roles on KeyVault.
The following fields are expected to be part of the Flex Vol spec:
- Region: required (example: centralus)
- Cloud Name: required (example: azure [default], Federal, Germany, ...). The names are expected to match the Go SDK cloud names.
- KeyVault Name: required
- KeyVault Object Name: required
- KeyVault Object Type: required
- KeyVault Object Version: optional (empty == latest version)
- Use integrated identity: optional (default false (mode #1), true (mode #2))
- KeyVault Object Alias: optional; by default KeyVault objects are projected with their name, the alias overrides the filename.
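As an added example (not code from the driver), the following Go function shows how the option map that kubelet passes to the mount call would be validated against the field list above: required fields rejected when missing, the cloud name defaulted and checked against a known-cloud set, `usepodidentity` parsed as the mode switch, and the alias defaulted to the object name. The JSON key names other than `usepodidentity` and the set of accepted cloud names are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// KeyVaultOptions holds the validated FlexVol fields (keys other than "usepodidentity" are assumed).
type KeyVaultOptions struct {
	Region, CloudName, VaultName, ObjectName, ObjectType string
	ObjectVersion, ObjectAlias                           string // version "" == latest
	UsePodIdentity                                       bool   // false: mode #1, true: mode #2
}

// Cloud names accepted here, constructed from the page's examples (assumption).
var knownClouds = map[string]bool{"azure": true, "federal": true, "germany": true}

// ParseOptions decodes the JSON option map kubelet passes to the flexvol mount call (every
// value arrives as a string), rejects missing required fields and applies the defaults.
func ParseOptions(raw string) (o *KeyVaultOptions, err error) {
	m := map[string]string{}
	if err = json.Unmarshal([]byte(raw), &m); err != nil {
		return nil, fmt.Errorf("invalid flexvol options: %w", err)
	}
	for _, k := range []string{"region", "keyvaultname", "keyvaultobjectname", "keyvaultobjecttype"} {
		if m[k] == "" {
			return nil, fmt.Errorf("%s is required", k)
		}
	}
	o = &KeyVaultOptions{Region: m["region"], CloudName: strings.ToLower(m["cloudname"]),
		VaultName: m["keyvaultname"], ObjectName: m["keyvaultobjectname"], ObjectType: m["keyvaultobjecttype"],
		ObjectVersion: m["keyvaultobjectversion"], ObjectAlias: m["keyvaultobjectalias"]}
	if o.CloudName == "" {
		o.CloudName = "azure" // default cloud
	} else if !knownClouds[o.CloudName] {
		return nil, fmt.Errorf("cloud name %q does not match a known sdk cloud", o.CloudName)
	}
	if v := m["usepodidentity"]; v != "" { // absent == false == mode #1 (service principal secret)
		if o.UsePodIdentity, err = strconv.ParseBool(v); err != nil {
			return nil, fmt.Errorf("usepodidentity must be true or false: %w", err)
		}
	}
	if o.ObjectAlias == "" {
		o.ObjectAlias = o.ObjectName // projected file is named after the object by default
	}
	// The alias is only a file name under MNTPATH; refuse anything that could leave that directory.
	if a := o.ObjectAlias; a == "." || a == ".." || strings.ContainsRune(a, '/') {
		return nil, fmt.Errorf("alias %q must be a plain file name", a)
	}
	return o, nil
}
```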
The flexvol is not expected to perform attach/detach; instead it will do mount and unmount only.
The flex vol driver will use secret.ServicePrincipalName and secret.ServicePrincipalPassword with ADAL to acquire the object from KeyVault. The flexvol driver will create the file at MNTPATH as passed by kubernetes.
Note: the flexvol driver is expected to set the correct file permission on the object (TBD).
FlexVol (based on the usepodidentity spec parameter) will instead call the pod identity NMI component with ADAL on a specific endpoint offered only on the host network.
spike: can we add more headers to this particular call to carry information such as pod name/namespace?