k8s-ds-secret-injection/README.md

DaemonSet Secret Injector

A Kubernetes Mutating Webhook that automatically injects a unique, node-specific Secret into Pods belonging to a targeted DaemonSet.

Features

  • Automatic Injection: Intercepts Pod creation and injects a Secret volume and mount.
  • Node-Specific Data: Each Pod gets a unique Secret containing information relevant to the node it resides on.
  • Lifecycle Management: Automatically creates the Secret upon Pod creation and deletes it when the Pod is removed.
  • Node Authorizer Compatibility: Each Secret is named after the Pod that mounts it, so under the Node Authorizer only the kubelet of the node that Pod is bound to can read it; no extra RBAC grants to system:nodes are needed.

Architecture

  1. Mutating Webhook: Intercepts CREATE requests for Pods. It determines the target Node name (from the required nodeAffinity the DaemonSet controller sets, or from spec.nodeName), fixes a unique Pod name (DaemonSet Pods arrive with only generateName, and the Secret must be created and referenced before the Pod is stored), creates the Secret, and patches the Pod spec to add the Secret volume and mount.
  2. Pod Controller: Watches for Pod deletion events and cleans up the associated Secret from the namespace.
  3. Test Client: A helper utility that authenticates with a node's kubelet credentials (its kubeconfig) to verify that the node can read the Secret injected into its own Pod.
  4. Secret Manager: A CLI tool for managing Kubernetes Secrets from your local machine with automatic decoding. See cmd/secret-manager/README.md for details.
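
The admission path in items 1 and 2 above, as an added example (not the project's own code): a stdlib-only sketch of what the webhook has to compute before it can answer the AdmissionReview. It assumes a Secret name identical to the Pod name (as in the sample log under Verification), an injected volume called injected-node-secret mounted at /etc/node-secret, and a caller-supplied name suffix; the project's real types, names and paths may differ.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Stdlib-only subset of the Pod schema so the example runs offline (assumption: the real
// project uses k8s.io/api types; the JSON field names below match the real schema).
type nodeAffinity struct {
	Required *struct {
		Terms []struct {
			MatchFields []struct {
				Key      string   `json:"key"`
				Operator string   `json:"operator"`
				Values   []string `json:"values"`
			} `json:"matchFields"`
		} `json:"nodeSelectorTerms"`
	} `json:"requiredDuringSchedulingIgnoredDuringExecution"`
}
type pod struct {
	Metadata struct {
		Name         string `json:"name,omitempty"`
		GenerateName string `json:"generateName,omitempty"`
	} `json:"metadata"`
	Spec struct {
		NodeName   string                                                         `json:"nodeName,omitempty"`
		Affinity   *struct{ NodeAffinity *nodeAffinity `json:"nodeAffinity"` }    `json:"affinity"`
		Volumes    []json.RawMessage                                              `json:"volumes"`
		Containers []struct{ VolumeMounts []json.RawMessage `json:"volumeMounts"` } `json:"containers"`
	} `json:"spec"`
}
type patchOp struct {
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value"`
}

// Assumed volume name and mount path (not taken from the project).
const volumeName, mountPath = "injected-node-secret", "/etc/node-secret"

// targetNode: spec.nodeName if already bound, else the metadata.name matchFields term the
// DaemonSet controller sets in required nodeAffinity. Anything ambiguous is an error, not
// a guess, so a Secret is never minted for the wrong node.
func targetNode(p *pod) (string, error) {
	if p.Spec.NodeName != "" {
		return p.Spec.NodeName, nil
	}
	if a := p.Spec.Affinity; a != nil && a.NodeAffinity != nil && a.NodeAffinity.Required != nil {
		for _, term := range a.NodeAffinity.Required.Terms {
			for _, f := range term.MatchFields {
				if f.Key == "metadata.name" && f.Operator == "In" && len(f.Values) == 1 {
					return f.Values[0], nil
				}
			}
		}
	}
	return "", errors.New("pod is not pinned to exactly one node")
}

// resolvePodName fixes the name at admission: DaemonSet Pods arrive with only generateName,
// and the Secret must exist and be referenced before the Pod is stored. The Pod has no UID
// yet, so the Secret cannot carry an ownerReference; a controller must delete it later.
// The suffix comes from crypto/rand in a real webhook; the caller passes it here so that
// the result is deterministic.
func resolvePodName(p *pod, suffix string) string {
	if p.Metadata.Name != "" {
		return p.Metadata.Name
	}
	return p.Metadata.GenerateName + suffix
}

// addOp appends v to an existing array or creates the array: a JSON Patch "add" to
// "<path>/-" fails when the array is absent, a classic webhook bug on Pods with no volumes.
func addOp(path string, exists bool, v interface{}) patchOp {
	if exists {
		return patchOp{"add", path + "/-", v}
	}
	return patchOp{"add", path, []interface{}{v}}
}

// buildPatch returns the JSON Patch for AdmissionResponse.patch. The Secret is named after
// the Pod (assumption: identical, as in the README's sample log); because this Pod mounts
// it, the Node Authorizer lets only the kubelet of the Pod's node read it.
func buildPatch(p *pod, podName string) ([]byte, error) {
	var ops []patchOp
	if p.Metadata.Name == "" {
		ops = append(ops, patchOp{"add", "/metadata/name", podName})
	}
	vol := map[string]interface{}{"name": volumeName, "secret": map[string]string{"secretName": podName}}
	ops = append(ops, addOp("/spec/volumes", p.Spec.Volumes != nil, vol))
	mount := map[string]interface{}{"name": volumeName, "mountPath": mountPath, "readOnly": true}
	for i, c := range p.Spec.Containers {
		ops = append(ops, addOp(fmt.Sprintf("/spec/containers/%d/volumeMounts", i), c.VolumeMounts != nil, mount))
	}
	return json.Marshal(ops)
}
```

Two details carry the design: the webhook must fix the Pod name itself, since the Secret has to exist and be referenced in the spec before the Pod is persisted, which is also why cleanup falls to the separate Pod controller rather than to garbage collection; and the patch has to create /spec/volumes (or a container's volumeMounts) when the array is absent instead of appending to it.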

Getting Started

Prerequisites

  • Kubernetes cluster (GKE, EKS, Kind, etc.)
  • kubectl and docker
  • openssl (for certificate generation)

Configuration

The webhook is configured via command-line arguments in the deployment:

  • --target-namespace: The namespace to monitor (default: gps-system).
  • --target-daemonsets: Comma-separated list of DaemonSet names to inject.

Deployment

  1. Clone the repository.
  2. (Optional) Configure your registry: The default registry is set to git.pengzhan.dev/haopengzhan/k8s-ds-secret-injection. If you want to push to your own registry:
    export REGISTRY=your-registry.com/your-username
    
  3. Build and push images: If you use the default registry and the images are already published there, skip this step. To push your own images:
    docker login git.pengzhan.dev
    make push
    
  4. Set up certificates:
    # Create namespace first
    kubectl apply -f deploy/namespace.yaml
    # Generate and upload certs
    make certs
    
  5. Deploy the system:
    make deploy REGISTRY=$REGISTRY
    

Verification

Check the logs of the test DaemonSet pods to see the successful retrieval of the secret:

kubectl logs -n gps-system -l app=test-daemonset

You should see:

Successfully retrieved secret gps-system/test-daemonset-xxxxx
Key: secret-data, Value: unique-secret-for-test-daemonset-xxxxx-on-node-yyyyy
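
The log line above shows only the positive half of the property: the kubelet on node yyyyy can read the Secret for its own Pod. The Node Authorizer guarantee this design relies on has a negative half too: that same kubelet must be denied the Secrets of Pods on every other node. The following added check (not part of the project) asks the authorizer directly through kubectl auth can-i under the kubelet's identity. It assumes the gps-system namespace and app=test-daemonset label used above, a Secret named identically to its Pod, a kubelet kubeconfig at /var/lib/kubelet/kubeconfig (kubeadm clusters use /etc/kubernetes/kubelet.conf), and that it runs on the node as root with KUBECONFIG pointing at an admin kubeconfig for the Pod listing (a node is not allowed to list other nodes' Pods).

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// Assumptions, not taken from the project: namespace, label and the kubelet kubeconfig path.
const (
	namespace         = "gps-system"
	daemonSetLabel    = "app=test-daemonset"
	kubeletKubeconfig = "/var/lib/kubelet/kubeconfig"
)

// placement is one DaemonSet Pod and the node it is bound to.
type placement struct{ Pod, Node string }

// parsePlacements reads "podName nodeName" lines (the jsonpath output requested in main).
func parsePlacements(out string) []placement {
	var ps []placement
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		if f := strings.Fields(sc.Text()); len(f) == 2 {
			ps = append(ps, placement{f[0], f[1]})
		}
	}
	return ps
}

// isolationViolations applies the Node Authorizer expectation: the kubelet on localNode must
// be able to read the Secret of each of its own Pods and none belonging to other nodes.
// canRead is injected so the rule can be exercised without a cluster.
func isolationViolations(ps []placement, localNode string, canRead func(secret string) bool) []string {
	var v []string
	for _, p := range ps {
		got, want := canRead(p.Pod), p.Node == localNode
		if got != want {
			v = append(v, fmt.Sprintf("%s on %s: readable=%t, expected %t", p.Pod, p.Node, got, want))
		}
	}
	return v
}

// kubectl runs the real CLI. "auth can-i" sends a SelfSubjectAccessReview carrying the
// kubelet's identity, so the Node Authorizer itself answers; exit status 1 means "no".
func kubectl(args ...string) (string, bool) {
	out, err := exec.Command("kubectl", args...).Output()
	return string(out), err == nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: check-node-isolation <this-node-name>")
		os.Exit(2)
	}
	out, ok := kubectl("get", "pods", "-n", namespace, "-l", daemonSetLabel,
		"-o", `jsonpath={range .items[*]}{.metadata.name} {.spec.nodeName}{"\n"}{end}`)
	if !ok {
		fmt.Fprintln(os.Stderr, "listing pods failed (KUBECONFIG must point at an admin kubeconfig)")
		os.Exit(2)
	}
	canRead := func(secret string) bool {
		_, allowed := kubectl("--kubeconfig", kubeletKubeconfig, "auth", "can-i", "get",
			"secret/"+secret, "-n", namespace, "-q")
		return allowed
	}
	v := isolationViolations(parsePlacements(out), os.Args[1], canRead)
	for _, line := range v {
		fmt.Println("FAIL", line)
	}
	if len(v) > 0 {
		os.Exit(1)
	}
	fmt.Println("ok: injected Secrets are readable only from their own node")
}
```

A failure in the "expected false" direction usually means the API server is not running with the Node authorizer enabled, or a ClusterRoleBinding grants system:nodes blanket read access to Secrets; either way the per-node Secrets become readable from any single compromised node, which is exactly what the naming scheme is meant to prevent.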

Cleanup

To remove all resources created by this project:

make clean