Introduction

k8s-vault-webhook is a Kubernetes admission webhook which listen for the events related to Kubernetes resources for injecting secret directly from secret manager to pod, secret, and configmap. The motive of creating this project is to provide a dynamic secret injection to containers/pods running inside Kubernetes from different secret managers for enhanced security.

Documentation is available here:- https://ot-container-kit.github.io/k8s-vault-webhook/ (opens new window)

The secret managers which are currently supported:-

• Hashicorp Vault (opens new window)
• AWS Secret Manager (opens new window)
• Azure Key Vault (opens new window)
• GCP Secret Manager (opens new window)

Supported Features

• Authentication to Hashicorp vault using Kubernetes service-account
• RBAC implementation of vault using different policies of vault and association of policy with service-account
• Inject secret directly to pods/containers running inside Kubernetes
• Inject secret directly to pods/containers from AWS Secret Manager
• Authentication with AWS Secret Manager with access key and iam role
• Support regex to inject all secrets from a certain path of Vault
• Inject secrets directly to the process of container, i.e. after the injection you cannot read secrets from the environment variable

Architecture