Use Case k8s Allowed Network Policy Vault Secrets GCP - GoogleCloudPlatform/anthos-appconfig GitHub Wiki

Use Case - Allowed Services (Network Policies) & Secrets Injection (Vault)

  • Namespace: uc-secrets-vault-k8s

We use Pub/Sub topic ACLs to demonstrate adding a secret to the Pod via a mutating webhook. At this point the secret exists, protected by RBAC, in the controller namespace 'appconfigmgrv2-system'. The webhook copies the appropriate secret into the application namespace, mounts it as a volume, and adds an environment variable named GOOGLE_APPLICATION_CREDENTIALS (pointing at the key file on the volume mount), as the Google API client libraries require.

gsutil cat  gs://anthos-appconfig_public/deploy/${RELEASE_NAME}/examples/use-cases/uc-secrets-vault-k8s/deploy-apps.yaml | kubectl apply -f -

NOTE: the Vault setup will be documented in the wiki.
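The mutation described above, as an added example (not the anthos-appconfig webhook's own code): given a Pod as the API server presents it to an admission webhook, add the copied Secret as a volume, mount it read-only in every container, set GOOGLE_APPLICATION_CREDENTIALS to the key file path, and emit the JSON Patch in an AdmissionReview response. The Secret name, mount path and key filename are hypothetical; the sample Pod is constructed.

```python
"""Sketch of the injection the page describes: add the copied GCP credential
Secret to a Pod as a volume and point GOOGLE_APPLICATION_CREDENTIALS at the
mounted key file.

Added example; not the anthos-appconfig webhook's own code. The Secret name,
mount path and key filename are hypothetical.
"""
import base64
import copy
import json

SECRET_NAME = "gcp-sa-key"           # hypothetical: Secret copied into the app namespace
SECRET_KEY = "key.json"              # hypothetical: data key holding the service-account JSON
MOUNT_PATH = "/var/run/secrets/gcp"  # hypothetical mount point
VOLUME_NAME = "gcp-sa-credentials"
ENV_NAME = "GOOGLE_APPLICATION_CREDENTIALS"


def inject_credentials(pod: dict) -> dict:
    """Return a deep copy of `pod` with the Secret volume, a read-only mount in
    every container, and the env var set to the key file's path.

    Idempotent: a Pod that already has the volume is returned unchanged, so a
    webhook re-invocation cannot append duplicate volumes or env entries.
    """
    pod = copy.deepcopy(pod)
    spec = pod.setdefault("spec", {})
    volumes = spec.setdefault("volumes", [])
    if any(v.get("name") == VOLUME_NAME for v in volumes):
        return pod
    volumes.append({"name": VOLUME_NAME, "secret": {"secretName": SECRET_NAME}})
    for container in spec.get("containers", []):
        container.setdefault("volumeMounts", []).append(
            {"name": VOLUME_NAME, "mountPath": MOUNT_PATH, "readOnly": True}
        )
        env = container.setdefault("env", [])
        # Replace a pre-existing value instead of appending a duplicate name.
        env[:] = [e for e in env if e.get("name") != ENV_NAME]
        env.append({"name": ENV_NAME, "value": f"{MOUNT_PATH}/{SECRET_KEY}"})
    return pod


def json_patch(original: dict, mutated: dict) -> list:
    """Build the RFC 6902 ops a mutating webhook returns for this injection.

    Only the three paths the injection touches are diffed (volumes, and each
    container's volumeMounts and env); a generic differ is not needed here.
    """
    ops = []
    orig_spec = original.get("spec", {})
    if orig_spec.get("volumes") != mutated["spec"].get("volumes"):
        op = "replace" if "volumes" in orig_spec else "add"
        ops.append({"op": op, "path": "/spec/volumes", "value": mutated["spec"]["volumes"]})
    pairs = zip(orig_spec.get("containers", []), mutated["spec"].get("containers", []))
    for i, (o, m) in enumerate(pairs):
        for field in ("volumeMounts", "env"):
            if o.get(field) != m.get(field):
                op = "replace" if field in o else "add"
                ops.append({"op": op, "path": f"/spec/containers/{i}/{field}", "value": m[field]})
    return ops


def admission_response(uid: str, patch_ops: list) -> dict:
    """Wrap the patch in the AdmissionReview response shape the API server expects."""
    return {
        "apiVersion": "admission.k8s.io/v1",
        "kind": "AdmissionReview",
        "response": {
            "uid": uid,
            "allowed": True,
            "patchType": "JSONPatch",
            "patch": base64.b64encode(json.dumps(patch_ops).encode()).decode(),
        },
    }


# Constructed sample Pod, as the API server would hand it to the webhook.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "hello-app-sm-py-1", "namespace": "uc-secrets-vault-k8s"},
    "spec": {"containers": [{"name": "app", "image": "hello-app:demo"}]},
}

if __name__ == "__main__":
    mutated = inject_credentials(SAMPLE_POD)
    print(json.dumps(json_patch(SAMPLE_POD, mutated), indent=2))
```

Two checks worth keeping in a real webhook that this sketch leaves out: confirm the Secret actually exists in the target namespace before patching (otherwise the Pod stays stuck in ContainerCreating), and make sure RBAC in the application namespace does not let workloads read the copied Secret directly, since the copy is now outside the controller namespace's protection.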

curl "http://${INGRESS_NO_ISTIO_HOST}/testcallseq?call1=http://app-secrets-vault-k8s-appconfigv2-service-sm-2.uc-secrets-vault-k8s/testcallseq"

Allowed Services View

  • Dev Service -> All
  • Svc 1 -> Svc 4, Pubsub
  • Svc 2 -> Svc 1, Svc 4
  • Svc 3 -> No One
  • Svc 4 -> Svc 2, Svc 3
  • External access via NAT: open
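The call chains below are checked by hand against this matrix. As an added example (not part of the anthos-appconfig repo), here is a small checker that labels each hop of a testcallseq chain, walks it against the matrix, builds the request URL, and counts the `host:` lines a successful run returns. The matrix and the `callN=` URL shape come from this page; the mapping from service hostnames (`...-appconfigv2-service-sm-N`, `...-appconfigv2-service-pubsub`) to the Svc labels, treating Pubsub as that in-cluster helper service, and the response parsing are assumptions.

```python
"""Walk a testcallseq call chain against the Allowed Services matrix and
build the request URL for it.

Added example, not part of the anthos-appconfig repo. The matrix and the
testcallseq URL shape (call1=, call2=, ...) come from this page; the mapping
from service hostnames to Svc labels, the treatment of Pubsub as the in-cluster
...-service-pubsub helper, and the response parsing are assumptions.
"""
import re
from urllib.parse import urlencode, urlparse

# Allowed Services View from the page: caller -> callees it may reach.
ALLOWED = {
    "dev": {"*"},                 # Dev Service -> All
    "svc1": {"svc4", "pubsub"},   # Svc 1 -> Svc 4, Pubsub
    "svc2": {"svc1", "svc4"},     # Svc 2 -> Svc 1, Svc 4
    "svc3": set(),                # Svc 3 -> No One
    "svc4": {"svc2", "svc3"},     # Svc 4 -> Svc 2, Svc 3
}

# Assumed: demo services are named ...-appconfigv2-service-sm-<N> (Svc N) and
# ...-appconfigv2-service-pubsub; any other host is outside the cluster.
SERVICE_RE = re.compile(r"appconfigv2-service-(?:sm-(\d+)|(pubsub))(?:\.|$)")


def service_label(url: str) -> str:
    host = urlparse(url).hostname or ""
    m = SERVICE_RE.search(host)
    if not m:
        return "external"
    return "pubsub" if m.group(2) else f"svc{m.group(1)}"


def check_chain(labels, external_open=True):
    """labels[0] is the first caller. Returns (allowed, first_denied_hop)."""
    for caller, callee in zip(labels, labels[1:]):
        if callee == "external" and external_open:
            continue                      # "External access via NAT: open"
        permitted = ALLOWED.get(caller, set())
        if "*" in permitted or callee in permitted:
            continue
        return False, f"{caller} -> {callee}"
    return True, None


def build_testcallseq(ingress_host: str, call_urls) -> str:
    """Encode each hop as callN=<url>, so a hop's own query string
    (e.g. ?topic=...&message=...) cannot be split off by the outer '&'."""
    params = {f"call{i}": u for i, u in enumerate(call_urls, start=1)}
    return f"http://{ingress_host}/testcallseq?{urlencode(params)}"


def plan(ingress_host: str, call_urls) -> dict:
    """Label the chain (the ingress app is the Dev service), check it, and
    return the URL to run only if the matrix permits the whole chain."""
    labels = ["dev"] + [service_label(u) for u in call_urls]
    ok, denied = check_chain(labels)
    return {"labels": labels, "allowed": ok, "denied_hop": denied,
            "url": build_testcallseq(ingress_host, call_urls) if ok else None}


HOST_RE = re.compile(r"^host:(\S+)$", re.M)


def hosts_from_response(body: str):
    """Each Dev/Svc hop echoes one 'host:<pod>' line."""
    return HOST_RE.findall(body)


def hops_reached(labels, body: str) -> bool:
    """True when every Dev/Svc hop answered; pubsub and external hops
    report differently and are not counted."""
    expected = sum(1 for label in labels if label in ALLOWED)
    return len(hosts_from_response(body)) == expected


NS = "uc-secrets-vault-k8s"
CALLS = [
    f"http://app-secrets-vault-k8s-appconfigv2-service-sm-2.{NS}/testcallseq",
    "http://app-secrets-vault-k8s-appconfigv2-service-sm-1/testcallseq",
    "https://httpbin.org/get",
]
# Host lines from the page's successful Svc 2 -> Svc 1 -> Outbound run.
SAMPLE_RESPONSE = """host:hello-app-drv-py-1-5c7cdd4947-f75q9
host:hello-app-sm-py-2-7769c48764-mwl4v
host:hello-app-sm-py-1-76b8fb54f8-pkmkj
{"url": "https://httpbin.org/get"}
"""

if __name__ == "__main__":
    print(plan("INGRESS_HOST", CALLS))
    print(hops_reached(["dev", "svc2", "svc1", "external"], SAMPLE_RESPONSE))
```

The page's curl commands pass the nested URLs unencoded, and how the testcallseq app handles a hop's own `?topic=...&message=...` parameters is not described here; the builder above URL-encodes each `callN` value so the ambiguity does not arise. To test the negative side of the matrix, which the page does not show, feed a chain such as Svc 3 -> Svc 1 through `plan()`: it reports the denied hop instead of a URL.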

Svc 2 -> Svc 1 -> Outbound (Should Work)

curl "http://${INGRESS_NO_ISTIO_HOST}/testcallseq?call1=http://app-secrets-vault-k8s-appconfigv2-service-sm-2.uc-secrets-vault-k8s/testcallseq&call2=http://app-secrets-vault-k8s-appconfigv2-service-sm-1/testcallseq&call3=https://httpbin.org/get"

Response (Success)


host:hello-app-drv-py-1-5c7cdd4947-f75q9
host:hello-app-sm-py-2-7769c48764-mwl4v
host:hello-app-sm-py-1-76b8fb54f8-pkmkj
{
  "args": {},
  "headers": {
    "Accept": "*/*",
    "Accept-Encoding": "gzip, deflate",
    "Host": "httpbin.org",
    "User-Agent": "python-requests/2.22.0"
  },
  "origin": "35.184.53.199, 35.184.53.199",
  "url": "https://httpbin.org/get"
}

Svc 2 -> Svc 1 -> Pub/Sub topic1 Outbound (Should Work)

curl "http://${INGRESS_NO_ISTIO_HOST}/testcallseq?call1=http://app-secrets-vault-k8s-appconfigv2-service-sm-2.uc-secrets-vault-k8s/testcallseq&call2=http://app-secrets-vault-k8s-appconfigv2-service-sm-1/testcallseq&call3=http://app-secrets-vault-k8s-appconfigv2-service-pubsub?gcpProjectID=${PROJECT_NAME}&topic=appconfigcrd-demo-topic1&message=hello1"
gcloud pubsub subscriptions pull --auto-ack  appconfigcrd-demo-topic1 --page-size 20 --limit 20 --project $PROJECT_NAME

host:hello-app-drv-py-1-5c7cdd4947-f75q9
host:hello-app-sm-py-2-65bb79f7d5-6sxlf
host:hello-app-sm-py-1-669578dd95-pqpnc
Publish Success: 608858688012712
┌────────┬─────────────────┬────────────┐
│  DATA  │    MESSAGE_ID   │ ATTRIBUTES │
├────────┼─────────────────┼────────────┤
│ hello1 │ 608858688012712 │            │
└────────┴─────────────────┴────────────┘


Try a different topic (topic2) - this also works because the Vault roleset grants publish access to both topics

curl "http://${INGRESS_NO_ISTIO_HOST}/testcallseq?call1=http://app-secrets-vault-k8s-appconfigv2-service-sm-2.uc-secrets-vault-k8s/testcallseq&call2=http://app-secrets-vault-k8s-appconfigv2-service-sm-1/testcallseq&call3=http://app-secrets-vault-k8s-appconfigv2-service-pubsub?gcpProjectID=${PROJECT_NAME}&topic=appconfigcrd-demo-topic2&message=hello2"

gcloud pubsub subscriptions pull --auto-ack  appconfigcrd-demo-topic2 --page-size 20 --limit 20 --project $PROJECT_NAME

host:hello-app-drv-py-1-56998958f4-vz84t
host:hello-app-sm-py-2-54576b75c7-gjz8b
host:hello-app-sm-py-1-5dff48f945-zfz7k
Publish Success: 67158926176972