Azure / sg-aks-workshop

Security + Governance Workshop
Creative Commons Attribution 4.0 International

New Secret Management options #25

Closed RafaPazos closed 3 years ago

RafaPazos commented 4 years ago

In the Secrets Management Chapter (https://github.com/Azure/sg-aks-workshop/blob/master/cluster-design/SecretManagement.md) we propose 4 options:

And indeed there is a fifth and recommended option based on managed identities:

https://docs.microsoft.com/en-us/azure/aks/developer-best-practices-pod-security#use-pod-managed-identities

Do you know if there is any issue with this option? If not, I would like to add it to the Secrets Management Chapter.

kevingbb commented 3 years ago

Hi @RafaPazos, great points. I guess the main reason that Pod Managed Identities were not added as an option is due to the fact that they are not really about storing secrets, but a means of accessing secrets. The point of the section was to talk about the different ways secrets could be stored. I guess one could argue that using pod managed identities to access secrets stored in AKV is another option.

To your question about whether there is any issue with the option: the answer is no. If you take a look in the Deploy App section you will see that we do just that for accessing the keys stored in AKV: https://github.com/Azure/sg-aks-workshop/tree/master/deploy-app#adding-in-secrets-mgmt