Skip to content

Instantly share code, notes, and snippets.

View kube2iam.yaml
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
name: kube2iam
namespace: kube-system
labels:
app: kube2iam
spec:
template:
metadata:
View deployment.yaml
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
name: kube-kms-example
namespace: default
labels:
app: kube-kms-example
spec:
replicas: 2
View node-policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"sts:AssumeRole"
],
"Effect": "Allow",
"Resource": "arn:aws:iam::{AccountId}:role/k8s/*"
}
View Dockerfile.kube-kms-example
FROM alpine:3.5
RUN apk add --update bash curl && rm -rf /var/cache/apk/*
# Install shush
RUN curl -sL -o /usr/local/bin/shush \
https://github.com/realestate-com-au/shush/releases/download/v1.3.0/shush_linux_amd64 \
&& chmod +x /usr/local/bin/shush
# Add a user so that we're not running our executables as root.
View secrets.yaml
KMS_ENCRYPTED_DB_PASSWORD: "AQICAHj5jPUgYWAnjEXVeSvtg98gusmUcncxTb1pg+/p9W6NOAHd4xDeWtNSGUWMyqOf7h6cAAAAZzBlBgkqhkiG9w0BBwagWDBWAgEAMFEGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQM7tDQv7h73zQftY5tAgEQgCTlI1uXcgBrNdvsBoXb2ytkkya+VJRHl2zZWMW5qzheJ2YKeSg="
KMS_ENCRYPTED_DB_USER: "AQICAHj5jPUgYWAnjEXVeSvtg98gusmUcncxTb1pg+/p9W6NOAHrz68itBGQ6jgbmK6HgzDRAAAAYTBfBgkqhkiG9w0BBwagUjBQAgEAMEsGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMJj0q65b8KZo4sRY6AgEQgB7cksi/tq9lmyQtBh4uK6HfmyoMHIMm+a72gu4o8Qo="
KMS_ENCRYPTED_API_KEY: "AQICAHj5jPUgYWAnjEXVeSvtg98gusmUcncxTb1pg+/p9W6NOAFobUiYON7DRYoe3ZtSC5nNAAAAZzBlBgkqhkiG9w0BBwagWDBWAgEAMFEGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMSsYpPDJvAnRITyNsAgEQgCREj7SdmKYG7gX+JOMJfYG4ILnujd0ZLfXYrJcxrTy4XTCkTzU="
KMS_ENCRYPTED_SERVICE_PASSWORD: "AQICAHj5jPUgYWAnjEXVeSvtg98gusmUcncxTb1pg+/p9W6NOAElX/reSqpDqhuY1RgYaQ72AAAAZjBkBgkqhkiG9w0BBwagVzBVAgEAMFAGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMy8al1te4FCu+pdEjAgEQgCNlNfdZamx7R5cHhX6uQSFRCsaIx58lN2bA97wQlhtRAQYPuw=="
View feed-secrets-to-shush.sh
#!/bin/bash
file_location=$1
kms_key=$2
display_usage() {
echo "Usage: $0 <file-with-secrets> <kms-key-alias>"
exit 1
}
View install-shush
curl -sL -o /usr/local/bin/shush \
https://github.com/realestate-com-au/shush/releases/download/v1.3.0/shush_linux_amd64 \
&& chmod +x /usr/local/bin/shush
View kms.yaml
AWSTemplateFormatVersion: 2010-09-09
Resources:
# KMS Key which we'll be using to encrypt our environment variables
Key:
Type: AWS::KMS::Key
Properties:
Description: kube-kms-example application secrets key
KeyPolicy:
Version: 2012-10-17
Id: allow-root-access-to-key
View secrets.txt
DB_PASSWORD=foobar123
DB_USER=foo
API_KEY=12345abcd
SERVICE_PASSWORD=bbaabb45
View pod-with-secrets.yaml
apiVersion: v1
kind: Pod
metadata:
  name: container-with-secrets
spec:
  containers:
  - name: container-with-secrets
  image: redis
  env:
  - name: SECRET_PASSWORD
You can’t perform that action at this time.