7322dd952b
Co-authored-by: Kyle Schochenmaier <kschoche@gmail.com> Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com> Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
84 lines
4.7 KiB
Plaintext
84 lines
4.7 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: Kubernetes
|
|
description: This section documents the official integration between Vault and Kubernetes.
|
|
---
|
|
|
|
# Kubernetes
|
|
|
|
Vault can be deployed into Kubernetes using the official HashiCorp Vault Helm chart.
|
|
The Helm chart allows users to deploy Vault in various configurations:
|
|
|
|
- Dev: a single in-memory Vault server for testing Vault
|
|
- Standalone (default): a single Vault server persisting to a volume using the file storage backend
|
|
- High-Availability (HA): a cluster of Vault servers that use an HA storage backend such as Consul (default)
|
|
- External: a Vault Agent Injector server that depends on an external Vault server
|
|
|
|
## Use Cases
|
|
|
|
**Running a Vault Service:** The Vault server cluster can run directly on Kubernetes.
|
|
This can be used by applications running within Kubernetes as well as external to
|
|
Kubernetes, as long as they can communicate to the server via the network.
|
|
|
|
**Accessing and Storing Secrets:** Applications using the Vault service running in
|
|
Kubernetes can access and store secrets from Vault using a number of different
|
|
[secret engines](/vault/docs/secrets) and [authentication methods](/vault/docs/auth).
|
|
|
|
**Running a Highly Available Vault Service:** By using pod affinities, highly available
|
|
backend storage (such as Consul) and [auto-unseal](/vault/docs/concepts/seal#auto-unseal),
|
|
Vault can become a highly available service in Kubernetes.
|
|
|
|
**Encryption as a Service:** Applications using the Vault service running in Kubernetes
|
|
can leverage the [Transit secret engine](/vault/docs/secrets/transit)
|
|
as "encryption as a service". This allows applications to offload encryption needs
|
|
to Vault before storing data at rest.
|
|
|
|
**Audit Logs for Vault:** Operators can choose to attach a persistent volume
|
|
to the Vault cluster which can be used to [store audit logs](/vault/docs/audit).
|
|
|
|
**And more!** Vault can run directly on Kubernetes, so in addition to the
|
|
native integrations provided by Vault itself, any other tool built for
|
|
Kubernetes can choose to leverage Vault.
|
|
|
|
## Getting Started with Vault and Kubernetes
|
|
|
|
There are several ways to try Vault with Kubernetes in different environments.
|
|
|
|
### Guides
|
|
|
|
- [Vault Installation to Minikube via Helm with Integrated Storage](/vault/tutorials/kubernetes/kubernetes-minikube-raft) covers installing Vault locally using Minikube and the official Helm chart.
|
|
|
|
- [Vault Installation to Red Hat OpenShift via Helm](/vault/tutorials/kubernetes/kubernetes-openshift) covers installing Vault using Helm on Red Hat's OpenShift platform.
|
|
|
|
- [Integrate a Kubernetes Cluster with an External Vault](/vault/tutorials/kubernetes/kubernetes-external-vault) provides an example of making Vault accessible via a Kubernetes service and endpoint.
|
|
|
|
- [Vault on Kubernetes Deployment Guide](/vault/tutorials/kubernetes/kubernetes-raft-deployment-guide) covers the steps required to install and configure a single HashiCorp Vault cluster as defined in the [Vault on Kubernetes Reference Architecture](/vault/tutorials/kubernetes/kubernetes-reference-architecture).
|
|
|
|
### High Level Comparison of Integrations
|
|
|
|
There are currently 3 different integrations to help Kubernetes workloads seamlessly consume secrets from Vault, without the need to modify the application to interact directly with Vault. Each integration addresses slightly different use-cases. The following is a brief overview of the strengths of each integration.
|
|
|
|
#### Agent Injector
|
|
|
|
- No durable secret storage outside Vault. All secrets written to disk are in ephemeral in-memory volumes.
|
|
- No highly privileged service accounts required. All secrets are fetched with the pod's own service account without the need for any other service accounts to impersonate it.
|
|
- More mature solution, with proven production record and advanced features like templating,
|
|
wider array of auth methods, etc.
|
|
|
|
#### Vault Secrets Operator (public beta)
|
|
|
|
- More native UX for app developers. Workloads can mount Kubernetes secrets without adding any Vault-specific configuration.
|
|
- Reduced load on Vault. Secrets are synced per CRD instead of per consuming pod.
|
|
- Better Vault secret availability. Kubernetes secrets act as a durable cluster-local cache of Vault secrets.
|
|
|
|
#### Vault CSI Provider
|
|
|
|
- The CSI driver that the provider is based on is vendor neutral.
|
|
- No durable secret storage outside Vault if the secret sync feature isn't used. All secrets written to disk are in ephemeral in-memory volumes.
|
|
|
|
### Documentation
|
|
|
|
- [Vault on Kubernetes Reference Architecture](/vault/tutorials/kubernetes/kubernetes-reference-architecture) provides recommended practices for running Vault on Kubernetes in production.
|
|
|
|
- [Vault on Kubernetes Security Considerations](/vault/tutorials/kubernetes/kubernetes-security-concerns) provides recommendations specific to securely running Vault in a production Kubernetes environment.
|