Fix Azure AKS Secret Csi Errors
When working with Azure AKS, you may encounter a configuration error that prevents your deployment from working. This guide explains the most common mistake with secret csi and shows the exact fix.
A Common Mistake
Storing secrets directly in Kubernetes Secrets instead of using the Secrets Store CSI Driver with Azure Key Vault leaves the secret values in etcd, where they are only base64-encoded.
The incorrect command:
kubectl create secret generic db-creds --from-literal=password=s3cret
Resulting behaviour (there is no error; the secret is simply stored in the cluster):
Secret stored in Kubernetes.
kubectl get secret db-creds -o yaml | grep password
  password: czNjcmV0   (base64 of "s3cret", trivially decoded with `base64 -d`)
Anyone with etcd access, or with RBAC permission to run kubectl get secrets in the namespace, can read the password.
The Correct Approach
The right way to configure secret csi in Azure AKS is to enable the Key Vault secrets provider add-on, then declare which Key Vault objects a pod may mount:
az aks enable-addons --addons azure-keyvault-secrets-provider --name my-aks --resource-group my-rg
kubectl apply -f - <<EOF
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: db-secrets
spec:
  provider: azure
  parameters:
    # parameter values must be strings, so booleans are quoted
    usePodIdentity: "true"
    keyvaultName: my-keyvault
    # the Azure provider also requires the tenant that owns the Key Vault; replace the placeholder
    tenantId: "<your-tenant-id>"
    objects: |
      array:
        - |
          objectName: db-password
          objectType: secret
EOF
Successful result:
Secrets Store CSI Driver installed.
kubectl describe pod my-app
Secrets from Key Vault are mounted into the pod as a CSI volume (volume driver secrets-store.csi.k8s.io, referencing the SecretProviderClass above). No sensitive data in etcd.
Key Vault is the source of truth for secrets.
How to Prevent This
Use the Secrets Store CSI Driver for production secrets. Benefits: Key Vault is the source of truth, rotation is automatic, nothing sensitive lands in etcd, and every access is audit-logged in Key Vault. Supported object types: secrets, keys, and certificates. Use a managed identity or pod identity for Key Vault access rather than stored credentials.
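To check an existing cluster for the mistake described above, the following added script (not part of the original guide) audits the JSON that `kubectl get secrets -A -o json` produces and reports Opaque secrets that were not synced by the CSI driver. It assumes the driver labels synced secrets with `secrets-store.csi.k8s.io/managed: "true"`; the sample input is constructed, not real cluster data.

```python
import base64
import json

# Label the Secrets Store CSI Driver applies to Secret objects it syncs (assumption; verify for your driver version).
CSI_MANAGED_LABEL = "secrets-store.csi.k8s.io/managed"

# Constructed sample of `kubectl get secrets -A -o json` output, not real cluster data.
SAMPLE_KUBECTL_JSON = json.dumps({
    "items": [
        {   # hand-created secret, the anti-pattern from the guide
            "metadata": {"name": "db-creds", "namespace": "prod", "labels": {}},
            "type": "Opaque",
            "data": {"password": base64.b64encode(b"s3cret").decode()},
        },
        {   # secret synced from Key Vault by the CSI driver; Key Vault remains the source of truth
            "metadata": {"name": "db-secrets-synced", "namespace": "prod",
                         "labels": {CSI_MANAGED_LABEL: "true"}},
            "type": "Opaque",
            "data": {"db-password": base64.b64encode(b"from-keyvault").decode()},
        },
        {   # control-plane managed token; not an Opaque secret, so not reported
            "metadata": {"name": "default-token-abc", "namespace": "kube-system", "labels": {}},
            "type": "kubernetes.io/service-account-token",
            "data": {"token": base64.b64encode(b"constructed-token").decode()},
        },
    ]
})


def find_unmanaged_secrets(kubectl_json: str):
    """Return (namespace, name, sorted data keys) for Opaque secrets the CSI driver did not sync."""
    findings = []
    for item in json.loads(kubectl_json).get("items", []):
        if item.get("type") != "Opaque":
            continue  # service-account tokens, TLS secrets etc. are out of scope for this check
        meta = item["metadata"]
        if (meta.get("labels") or {}).get(CSI_MANAGED_LABEL) == "true":
            continue  # synced from Key Vault; the value in etcd is a managed copy
        findings.append((meta["namespace"], meta["name"], sorted(item.get("data", {}))))
    return findings


def decode_secret_value(b64: str) -> str:
    """base64 is encoding, not encryption: any reader of the Secret recovers the value."""
    return base64.b64decode(b64).decode()


if __name__ == "__main__":
    for ns, name, keys in find_unmanaged_secrets(SAMPLE_KUBECTL_JSON):
        print(f"{ns}/{name}: plaintext-readable keys {keys}")
```

Against a live cluster, pipe `kubectl get secrets -A -o json` into `find_unmanaged_secrets` and review each finding for migration to a SecretProviderClass.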
Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro. Secure your cloud with DodaTech.