Thank you so much for making this, its been really helpful, also just to add to anyone wondering, if ur creating ur application in a seperate namespace make sure u create the service account in that particular namespace too and not in defualt namespace.
Hello, thank you for your great video! I would like to know if it’s possible to use a CSI storage driver in my EKS cluster without configuring the OIDC provider for the cluster. Specifically, I want to rely solely on the IAM roles of the worker nodes and add the necessary permissions to retrieve secrets from Secrets Manager through those roles. I understand that this may not be the most secure option, as all pods on the worker nodes would inherit the permissions of the worker nodes.
@kodeKloud , I'm wondering, How is it safe when the password is saved in plain text inside the pod. Anyone with read access , who can read the k8s secret can also read the pod's volume. Correct me if I'm wrong.
The pod has to have the credentials / authorization in order to connect to other services, a DB for an instance. So, if you have access to the pod which connects to a DB, you have access to the DB, with the same privileges given to the pod.
I have done as it is it worked 🎉, but I have try with multiple node group in same cluster like node-dev and node-qa, with different secret manager but iam not able to access in one node, in node-dev group instance are running.. but in node-qa group instance are not running.. with same configuration ( I have cross check twice) Check with secret store log that are not mounted, it's not able to retrieve secret from Secret manager error like "Failed to fetch secret from all regions"
@kodeKloud, How can we use secrets from secret manager into our on-premise kubernetes cluster which is setup using kubeadm?? We want to use Secret store CSI Driver to inject secret into pod from secret manager. I have find a lot but not getting anything, please help.
Great information, looks like with this implementation it won't be possible to use the secrets as env variables, instead I will need to indicate my app to fetch the secrets from a file, and monitor when the secret's value changes, correct?
I think you should re-read the documentation. I'm pretty sure once a sealed-secret is applied to a cluster, it's stored as a regular k8s secret that's base64 encoded. Sealed-secrets is just for securely storing the secret in a git repo.
🚀Explore Our Top Courses & Special Offers: kode.wiki/40SkWyU
Looked at many videos to understand AWS Secrets, CSI drivers and Storage Class. This is the Best tutorial on this topic I had found till date.
Very well done. So far I used ASM. so thats my fav.
What a great demo and some troubleshooting
My fav is Hashicorp vault!
Thank you so much for making this, its been really helpful, also just to add to anyone wondering, if ur creating ur application in a seperate namespace make sure u create the service account in that particular namespace too and not in defualt namespace.
Excellent Excellent Excellent.....simply excellent....thanks a lot Sir.....
Top notch content
Helpful video. Saved my day
That was one fantastic demo, many thanks.
Hello, thank you for your great video! I would like to know if it’s possible to use a CSI storage driver in my EKS cluster without configuring the OIDC provider for the cluster. Specifically, I want to rely solely on the IAM roles of the worker nodes and add the necessary permissions to retrieve secrets from Secrets Manager through those roles. I understand that this may not be the most secure option, as all pods on the worker nodes would inherit the permissions of the worker nodes.
@kodeKloud , I'm wondering, How is it safe when the password is saved in plain text inside the pod. Anyone with read access , who can read the k8s secret can also read the pod's volume. Correct me if I'm wrong.
The pod has to have the credentials / authorization in order to connect to other services, a DB for an instance.
So, if you have access to the pod which connects to a DB, you have access to the DB, with the same privileges given to the pod.
I have done as it is it worked 🎉, but I have try with multiple node group in same cluster like node-dev and node-qa, with different secret manager but iam not able to access in one node, in node-dev group instance are running.. but in node-qa group instance are not running.. with same configuration ( I have cross check twice)
Check with secret store log that are not mounted, it's not able to retrieve secret from Secret manager error like "Failed to fetch secret from all regions"
Is that anyways to configure webhook so that whenever something changed to secret manager it should notify to csi
Perfect. Kudos sir!
Thank you kindly!
@kodeKloud, How can we use secrets from secret manager into our on-premise kubernetes cluster which is setup using kubeadm?? We want to use Secret store CSI Driver to inject secret into pod from secret manager. I have find a lot but not getting anything, please help.
this video is a high quality stuff, thanks a lot, great !
Is there any way to inject secret value as env variable inside the pod without creating kubernetes secrets??
perfect!
Great information, looks like with this implementation it won't be possible to use the secrets as env variables, instead I will need to indicate my app to fetch the secrets from a file, and monitor when the secret's value changes, correct?
Excellent video!!!
Nice video!!! Thanks Sanjeev
Hi you'r video looks great
can you please explain how can i use the value in the pod env section ?
Thank you
Maybe it would be only possible set a secret from the mounted file as an env variable within pod's container(s).
This is one of the reasons to sync as a kubernetes secret.
This is great demo.. I have a question. Is there any way to create configMap instead of secret..
yes good question , Curenntly agrocd supports with restarts pods .
So helpfull
Thank you!
sealed secret is my favorite since the secret is never stored in plain text on a file system.
I think you should re-read the documentation. I'm pretty sure once a sealed-secret is applied to a cluster, it's stored as a regular k8s secret that's base64 encoded. Sealed-secrets is just for securely storing the secret in a git repo.
saviour
Great....
link for all yaml files
who are you? you're not even a real person, it's like you created an AI instead of hiring someone to make this video.
haha.. 😄he is co-tutor of kodeCloud and he works with Mumshad Mannambeth
Nice one !
We are glad that you have enjoyed your learning experience with us : )