Frequently Asked Questions

Product Information & Technical Details

What is the Akeyless Vaultless® Platform and how does it work with Kubernetes?

The Akeyless Vaultless® Platform is a cloud-native secrets management solution that enables secure injection of secrets into Kubernetes applications. It uses a webhook to listen for events and inject an executable into containers inside a pod, which then requests secrets from Akeyless through annotations in your pod deployment file. This approach supports both 'init' and 'sidecar' container modes, allowing secrets to be injected at startup or updated dynamically during runtime. For more details, see the original blog post and technical documentation.

What problems does Akeyless solve for Kubernetes users?

Akeyless addresses several key challenges for Kubernetes users: (1) Kubernetes secrets are stored unencrypted, posing security risks; (2) Secret sprawl, where secrets are scattered across YAML files and repositories, increases the risk of leaks and operational bottlenecks; (3) The need for secrets injection without altering application code, supporting best practices like the Twelve-Factor App methodology. Akeyless centralizes secrets management, automates rotation, and enables secure injection via environment variables, reducing risk and complexity. Source

How does Akeyless inject secrets into Kubernetes pods?

Akeyless uses a webhook that listens for pod events and injects an executable into containers. This executable requests secrets from the Akeyless Vaultless® Platform based on annotations in the pod deployment file. There are two modes: 'init' container (injects secrets at startup) and 'sidecar' container (updates secrets dynamically during runtime). This allows for flexible secret management and supports use cases where secrets may change or applications require periodic re-authentication. Source

Does Akeyless support Kubernetes External Secrets and KMS integration?

Yes, Akeyless supports Kubernetes External Secrets and integration with Kubernetes KMS, enabling secure management and injection of secrets from external sources and key management systems into Kubernetes environments.

Where can I find technical documentation for Akeyless?

Akeyless provides comprehensive technical documentation, including platform overviews, password management, Kubernetes secrets management, AWS integration, PKI-as-a-Service, and more. Access these resources at docs.akeyless.io and tutorials.akeyless.io/docs.

Does Akeyless offer an API for integration?

Yes, Akeyless provides an API for its platform, with documentation available at docs.akeyless.io/docs. API Keys are supported for secure authentication of both human and machine identities. Learn more.

Features & Capabilities

What are the key features of Akeyless?

Akeyless offers Vaultless Architecture (no heavy infrastructure required), Universal Identity (solves the Secret Zero Problem), Zero Trust Access (granular permissions and Just-in-Time access), Automated Credential Rotation, centralized secrets management, cloud-native SaaS platform, and out-of-the-box integrations with AWS IAM, Azure AD, Jenkins, Kubernetes, and Terraform. Source

How does Akeyless help prevent secret sprawl and credential leakage?

Akeyless centralizes secrets management and automates credential rotation, eliminating hardcoded secrets and reducing the risk of leaks. Its Vaultless Architecture and Universal Identity features ensure secure authentication without storing initial access credentials, directly addressing secret sprawl and credential leakage. Source

What integrations does Akeyless support?

Akeyless supports out-of-the-box integrations with AWS IAM, Azure AD, Jenkins, Kubernetes, Terraform, and more. These integrations simplify adoption and enable seamless operations for DevOps workflows. See all integrations

Security & Compliance

What security and compliance certifications does Akeyless have?

Akeyless holds several certifications, including ISO 27001, FIPS 140-2, CSA STAR, PCI DSS, and SOC 2 Type II. These certifications demonstrate Akeyless's commitment to robust security and regulatory compliance. Trust Center

How does Akeyless protect sensitive data?

Akeyless uses patented encryption technologies to secure data in transit and at rest. The platform enforces Zero Trust Access with granular permissions and Just-in-Time access, minimizing standing privileges and reducing access risks. Audit and reporting tools track every secret for compliance and regulatory readiness. Source

Implementation & Ease of Use

How long does it take to implement Akeyless and how easy is it to get started?

Akeyless can be deployed in just a few days due to its SaaS-native architecture, requiring no infrastructure management. For specific use cases like deploying in OpenShift, setup can be completed in less than 2.5 minutes. Getting started is simple, with self-guided product tours, platform demos, tutorials, and 24/7 support available. Product Tour | Platform Demo | Tutorials

What feedback have customers given about the ease of use of Akeyless?

Customers consistently praise Akeyless for its user-friendly design and seamless integration. For example, Conor Mancone (Cimpress) noted, "We set Akeyless up 9 months ago and we haven’t had to worry about credential rotation or leakage. All of our software just works—it’s been a really smooth, really easy process." Shai Ganny (Wix) said, "The simplicity of Akeyless has enhanced our operations and given us the confidence to move forward securely." Cimpress Case Study | Wix Testimonial

Support & Training

What customer service and support options are available after purchasing Akeyless?

Akeyless offers 24/7 customer support via ticket submission (support page) or email ([email protected]). Proactive assistance is provided for upgrades and maintenance. Customers can also access a Slack support channel and extensive technical documentation and tutorials. For escalations, contact [email protected]. Resources

What training and technical support is available to help customers get started?

Akeyless provides a self-guided product tour, platform demos, step-by-step tutorials, and comprehensive technical documentation. 24/7 support and a Slack channel are available for troubleshooting and guidance. These resources ensure quick and effective adoption without requiring extensive technical expertise. Product Tour | Platform Demo | Tutorials

Use Cases & Industries

Who can benefit from using Akeyless?

Akeyless is designed for IT security professionals, DevOps engineers, compliance officers, and platform engineers across industries such as technology, finance, retail, manufacturing, and cloud infrastructure. Notable customers include Wix, Dropbox, Constant Contact, Cimpress, Progress Chef, TVH, Hamburg Commercial Bank, and K Health. About Us

What industries are represented in Akeyless's case studies?

Akeyless's case studies showcase solutions in technology (Wix), cloud storage (Progress), web development (Constant Contact), and printing/mass customization (Cimpress). Case Studies

Can you share specific case studies or success stories?

Yes, Akeyless has several published case studies: Constant Contact scaled in a multi-cloud, multi-team environment; Cimpress transitioned from Hashi Vault to Akeyless for enhanced security; Progress saved 70% of maintenance and provisioning time; Wix adopted Akeyless for centralized secrets management and Zero Trust Access. Constant Contact | Cimpress | Progress | Wix Video

Business Impact

What business impact can customers expect from using Akeyless?

Customers can expect enhanced security (Zero Trust Access, automated credential rotation), operational efficiency (centralized secrets management, streamlined workflows), cost savings (up to 70% reduction in maintenance and provisioning time), scalability (support for multi-cloud and hybrid environments), compliance (ISO 27001, SOC, FIPS 140-2), and improved employee productivity. Source

Competition & Comparison

How does Akeyless compare to HashiCorp Vault?

Akeyless offers a Vaultless Architecture, eliminating the need for heavy infrastructure and reducing costs and complexity. It provides SaaS-based deployment, advanced security features like Zero Trust Access and automated credential rotation, and faster scalability compared to HashiCorp Vault's self-hosted model. Learn more

How does Akeyless compare to AWS Secrets Manager?

Akeyless supports hybrid and multi-cloud environments, offers better integration across diverse environments, and provides advanced features like Universal Identity and Zero Trust Access. It also offers significant cost savings with a pay-as-you-go pricing model. Learn more

How does Akeyless compare to CyberArk Conjur?

Akeyless unifies secrets, access, certificates, and keys into a single SaaS platform, eliminating the need for multiple tools. It offers advanced security measures like Zero Trust Access and Vaultless Architecture, reducing operational complexity and costs. Learn more


Secrets Injection with Native Kubernetes Service Accounts Using Akeyless Vaultless® Platform

This post was written based on the work of Fahmy Khadiri, Technical Sales Account Manager at Akeyless, in his voice.

Introduction

In this blog post, I’ll be walking you through Kubernetes authentication and secrets injection using native Kubernetes constructs and the Akeyless Secrets Injection Webhook to fetch secrets from Akeyless Vaultless® Platform into your Kubernetes applications.

Agenda

In terms of the agenda, here is what we'll cover:

  1. Why you may not want to use Kubernetes secrets
  2. How we are addressing this at Akeyless
  3. Using Kubernetes authentication
  4. A brief demo of the overall solution (video)

Most of the tools used for the demo are freely available and I’ve listed the prerequisites you’ll need so you can follow along.

What are the problems we are trying to solve?

The first question we want to tackle is: why this approach? Kubernetes has its own key store, so why would we want to leverage an external secrets management system instead of using the built-in Kubernetes secrets?

The short answer is that Kubernetes secrets have some limitations that make them a non-starter for many enterprise deployments.

Limitations of Kubernetes Secrets

First of all, Kubernetes secrets are stored unencrypted, so anyone with basic access to the cluster can simply decode the values of the secrets held in the Kubernetes backend storage.

Second, secret sprawl is a problem. You can easily end up with dozens of secrets stored in YAML files or repositories, which creates bottlenecks and poses operational risks: those secrets can be inadvertently leaked or compromised.
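To make the first two points concrete, here is an added example (written for this post, not Akeyless code) that shows why "unencrypted" matters: a Secret's `data` field is only base64-encoded, so reading the object is the same as reading the plaintext. The second function is the kind of check you would run over manifests in a repository to spot sprawl. The Secret manifest, its key names and its values are all constructed for the example.

```python
"""Added example: what "unencrypted" means for a Kubernetes Secret object.

A Secret's `data` field is base64-encoded, not encrypted, so anyone who can
read the object (or the etcd backing store) recovers the plaintext with a
single decode. `stringData` is not even encoded. The manifest below is
constructed for this example; the key names and values are invented.
"""
import base64
import json

# Constructed manifest, in the shape `kubectl get secret -o json` prints.
SAMPLE_SECRET_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "db-creds", "namespace": "my-apps"},
    "type": "Opaque",
    "data": {
        "username": base64.b64encode(b"appuser").decode(),
        "password": base64.b64encode(b"s3cr3t-example").decode(),
    },
})


def decode_secret_data(manifest_json: str) -> dict:
    """Return the plaintext values of a Secret manifest.

    Demonstrates that base64 is an encoding, not a protection: no key is
    needed. Both `data` (base64) and `stringData` (plain) are handled.
    """
    obj = json.loads(manifest_json)
    if obj.get("kind") != "Secret":
        raise ValueError("not a Secret manifest")
    plain = {}
    for key, value in (obj.get("data") or {}).items():
        plain[key] = base64.b64decode(value).decode("utf-8", errors="replace")
    # stringData is written in the clear in the manifest itself.
    plain.update(obj.get("stringData") or {})
    return plain


def find_committed_secrets(manifests: list) -> list:
    """Secret-sprawl check: list Secret objects that carry literal values.

    Intended for scanning manifests checked into a repository. Returns
    (namespace, name, keys) tuples and deliberately never returns the
    values, so the report itself does not become another copy of the secret.
    """
    findings = []
    for raw in manifests:
        obj = json.loads(raw)
        if obj.get("kind") != "Secret":
            continue
        keys = sorted(set(obj.get("data") or {}) | set(obj.get("stringData") or {}))
        if keys:
            meta = obj.get("metadata", {})
            findings.append((meta.get("namespace", "default"), meta.get("name"), keys))
    return findings


if __name__ == "__main__":
    print(decode_secret_data(SAMPLE_SECRET_JSON))
    print(find_committed_secrets([SAMPLE_SECRET_JSON]))
```

The sprawl check reports key names only; a scanner that echoes the decoded values back into CI logs would just create one more place the secret lives.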

Third, when it comes to development, there's a methodology for building software-as-a-service apps called The Twelve-Factor App. It outlines a series of procedures for modern app development best practices, and one of those procedures is that the app should not hold any state locally. Everything is provided to it through either environment variables or files.

The point is that when you embrace environment variables, external files, and external persistent systems, you end up with a more microservice-based architecture, and you are able to keep one single code base for all lifecycles, differentiated only by the environment it is deployed into.

How this translates to Kubernetes is that we can reach our end state: secrets are injected into environment variables without altering the application or its code. The developer doesn't know what those secrets are and doesn't need to know. Only the application knows them, at runtime.

How are we solving the problem?

Akeyless has a webhook that listens for events and injects an executable into containers inside a pod which then requests secrets from Akeyless Vaultless® Platform through annotations in your pod deployment file.

We have two operation modes for injecting secrets: ‘init’ and ‘sidecar’.

The first operation mode of secrets injection is the ‘init’ container. In this mode, secrets are pre-populated into a pod before an application starts, as part of the pod lifecycle. The webhook looks for annotations that correspond to a specific schema. It then adds the ‘init’ container that authenticates and does the work. The application then reads the secrets from Akeyless Vaultless® Platform through environment variables.

And so, at the moment of starting up the application, that’s when the application needs to read the environment variables. This happens right at startup.

The second operation mode of secrets injection is the ‘sidecar’ container. In this mode, another container runs alongside the ‘init’ container. The sidecar mode has a few benefits, one of which is the ability to track changes to the secrets. We can configure the interval at which we look for any changes to the secret itself and inject the secret into the file system of the pod.

This gives you the flexibility of addressing use cases where:

  1. The secret could change
  2. The application is long lasting and you want it to re-authenticate on a regular schedule to get the secret
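The sidecar behaviour described above, as an added illustration written for this post (this is not the Akeyless injector's code): a refresher polls a secret source on a fixed interval, rewrites the file in the pod only when the value actually changes, and does so atomically so the application never reads a half-written secret. `fetch_secret` is a constructed stub standing in for the call to the secrets platform, and the rotation sequence in `demo` is invented.

```python
"""Added example: the refresh loop a sidecar injector provides.

Models a sidecar that polls a secret source every `refresh_interval_s`
seconds and keeps a file in the pod current. The source is a constructed
callable; in a real deployment it would be the secrets platform client.
"""
import os
import tempfile
import time
from typing import Callable, Optional


class SidecarRefresher:
    """Tracks a secret's value and keeps a file in the pod up to date."""

    def __init__(self, fetch_secret: Callable[[], str], target_path: str,
                 refresh_interval_s: int = 60):
        self.fetch_secret = fetch_secret
        self.target_path = target_path
        self.refresh_interval_s = refresh_interval_s
        self._last_value: Optional[str] = None
        self.refresh_count = 0

    def refresh_once(self) -> bool:
        """Fetch the secret; write it to disk only if it changed.

        Returns True when the file was (re)written. The write goes through a
        temporary file plus os.replace so a reader never sees a partial
        secret, and the file is restricted to the owning user (mode 0600).
        """
        self.refresh_count += 1
        value = self.fetch_secret()
        if value == self._last_value and os.path.exists(self.target_path):
            return False
        directory = os.path.dirname(self.target_path) or "."
        fd, tmp = tempfile.mkstemp(dir=directory, prefix=".secret-")
        try:
            with os.fdopen(fd, "w") as fh:
                fh.write(value)
            os.chmod(tmp, 0o600)
            os.replace(tmp, self.target_path)  # atomic on POSIX
        except BaseException:
            if os.path.exists(tmp):
                os.unlink(tmp)
            raise
        self._last_value = value
        return True

    def run(self, cycles: int, sleep: Callable[[float], None] = time.sleep) -> int:
        """Run `cycles` refresh iterations; return how many rewrote the file."""
        rewrites = 0
        for i in range(cycles):
            rewrites += int(self.refresh_once())
            if i + 1 < cycles:
                sleep(self.refresh_interval_s)
        return rewrites


def demo(tmp_dir: Optional[str] = None) -> tuple:
    """Simulate a rotation: the source returns value A twice, then value B.

    Returns (rewrites, final file content, polls performed). Sleeping is
    stubbed out so the demo runs instantly.
    """
    if tmp_dir is None:
        with tempfile.TemporaryDirectory() as d:
            return demo(d)
    values = iter(["db-pass-A", "db-pass-A", "db-pass-B"])  # constructed rotation
    refresher = SidecarRefresher(lambda: next(values),
                                 os.path.join(tmp_dir, "db-password"),
                                 refresh_interval_s=30)
    rewrites = refresher.run(cycles=3, sleep=lambda _: None)
    with open(refresher.target_path) as fh:
        final = fh.read()
    return rewrites, final, refresher.refresh_count


if __name__ == "__main__":
    print(demo())
```

Three polls happen but only two writes: the unchanged middle value is skipped, which is what lets a long-running application pick up a rotated credential without being restarted or spammed with identical file updates.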

It’s worth mentioning that we also have support for Kubernetes External Secrets and integration with Kubernetes KMS.

Kubernetes Auth

Here’s a sample architecture of the demo environment I’ll be walking you through.

On the very left-hand side, I have a namespace called my-apps with two pods running in it. One of the pods will have my ‘init’ annotations to fetch a static secret, and the other pod will have the sidecar annotation to fetch a dynamic secret from a MongoDB deployment.

To the right of that I have the K8s injector namespace. This will be the dedicated namespace where we install our Kubernetes webhook injection service. As mentioned earlier, this webhook listens for events and injects an executable inside a pod, which then fetches secrets from the Akeyless Vaultless® Platform.

Gateway token reviewer

Next, I have the default namespace, and this is where I’ve deployed the gateway token reviewer to authenticate our pods with Akeyless and assigned cluster role binding permissions to listen on all namespaces in the cluster.

In Kubernetes, the API server needs to authenticate every request it receives, so we're going to use the JWT authentication mechanism built into Kubernetes itself. Every Kubernetes cluster issues its own JSON Web Tokens (JWTs), which it uses to authenticate requests.

We know, based on Kubernetes itself, that every K8s service account has a JWT. So we can use this JWT for authentication, but we have to do it in a known and trusted way, using something we created, we control, and we trust, because we're the ones who created it.

And so, the first step is to create a service account that we know and trust, which is going to be our trusted authority. Its job is to validate the JWT of any service account that talks to us and verify which namespace that service account is in.

The other thing we need to consider is that Kubernetes service accounts are scoped to a single namespace out of the box. We want the token reviewer to validate JWTs for other namespaces in the cluster, so we need to give it extra permissions through a cluster role binding.
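The token reviewer's job, as an added illustration written for this post (not the Akeyless gateway's code): the reviewer never verifies the JWT's signature itself. It submits the token to the API server through the Kubernetes TokenReview API (`authentication.k8s.io/v1`) and trusts only the server's verdict, then applies its own namespace policy to the resolved `system:serviceaccount:<namespace>:<name>` identity. The sample token, the claims inside it and the API-server response are all constructed here; the `unverified_claims` helper exists to make the point that decoding a JWT is not the same as validating it.

```python
"""Added example: validating a service-account JWT via TokenReview.

Flow: decode the token only for logging, build a TokenReview request, and
accept the caller solely on the API server's `status.authenticated` answer
plus a namespace allow-list. The token and response are constructed data.
"""
import base64
import json

SERVICE_ACCOUNT_PREFIX = "system:serviceaccount:"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def unverified_claims(jwt: str) -> dict:
    """Read the JWT payload WITHOUT checking the signature.

    Fine for logging or routing; never for authorization, because anyone can
    mint a token carrying these claims.
    """
    _header, payload, _signature = jwt.split(".")
    return json.loads(b64url_decode(payload))


def build_token_review(jwt: str, audiences=None) -> dict:
    """Body the reviewer POSTs to /apis/authentication.k8s.io/v1/tokenreviews."""
    spec = {"token": jwt}
    if audiences:
        spec["audiences"] = list(audiences)
    return {"apiVersion": "authentication.k8s.io/v1", "kind": "TokenReview", "spec": spec}


def evaluate_token_review(response: dict, allowed_namespaces) -> tuple:
    """Decide from the API server's verdict whether the caller is trusted.

    Returns (accepted, namespace, service_account, reason). Only the server's
    `status.authenticated` flag and the username it resolved are trusted; the
    namespace parsed from that username is then checked against policy.
    """
    status = response.get("status", {})
    if not status.get("authenticated"):
        return (False, None, None, status.get("error", "not authenticated"))
    username = status.get("user", {}).get("username", "")
    if not username.startswith(SERVICE_ACCOUNT_PREFIX):
        return (False, None, None, "not a service account: %s" % username)
    namespace, _, sa_name = username[len(SERVICE_ACCOUNT_PREFIX):].partition(":")
    if namespace not in allowed_namespaces:
        return (False, namespace, sa_name, "namespace not allowed")
    return (True, namespace, sa_name, "ok")


def make_sample_jwt(namespace: str, sa_name: str) -> str:
    """Constructed demo token; the signature segment is deliberately junk."""
    header = {"alg": "RS256", "kid": "demo"}
    payload = {
        "iss": "https://kubernetes.default.svc.cluster.local",
        "sub": SERVICE_ACCOUNT_PREFIX + namespace + ":" + sa_name,
        "aud": ["https://kubernetes.default.svc.cluster.local"],
        "kubernetes.io": {"namespace": namespace, "serviceaccount": {"name": sa_name}},
    }

    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

    return ".".join([enc(header), enc(payload), "not-a-real-signature"])


def sample_api_server_response(jwt: str, authenticated: bool) -> dict:
    """Constructed stand-in for the API server's TokenReview verdict."""
    if not authenticated:
        return {"status": {"authenticated": False, "error": "token signature invalid"}}
    claims = unverified_claims(jwt)
    return {"status": {"authenticated": True,
                       "user": {"username": claims["sub"],
                                "groups": ["system:serviceaccounts",
                                           "system:serviceaccounts:" + claims["kubernetes.io"]["namespace"]]}}}


if __name__ == "__main__":
    token = make_sample_jwt("my-apps", "app-sa")
    print(json.dumps(build_token_review(token, ["https://kubernetes.default.svc.cluster.local"]))[:80], "...")
    print(evaluate_token_review(sample_api_server_response(token, True), {"my-apps"}))
    print(evaluate_token_review(sample_api_server_response(token, False), {"my-apps"}))
    print(evaluate_token_review(sample_api_server_response(token, True), {"other-ns"}))
```

Posting a TokenReview is itself a privileged operation, which is the "extra permissions" the post mentions: in Kubernetes that permission is normally granted to the reviewer's service account through a ClusterRoleBinding to the built-in `system:auth-delegator` ClusterRole, which is what lets one service account validate tokens from every namespace.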

Next, there are additional pieces of information we need to extract, such as the cluster host IP, the cluster issuer, and the CA certificate, which the gateway will use to communicate with the cluster.

An important point to mention here is that the cluster itself does not interact with the external SaaS directly. It utilizes the gateway as a trusted host for this cluster.

We’re dealing with sensitive information here, like the CA certificate and K8s issuer, so we need to ensure none of it is exposed to the Akeyless SaaS. The customer’s Kubernetes cluster doesn’t have to be publicly reachable; it can be private as long as the gateway can interact with the cluster.

Finally, I have my gateway also installed in its own dedicated namespace.

Demo

Watch the full video, including the demo, below:
