
Comments (6)

BadLiveware avatar BadLiveware commented on May 31, 2024 2

Additionally, the CSI driver works seamlessly with Istio, while the injector fails unless configured to exclude the port used by the sidecar to talk to Vault.

from vault-csi-provider.

tomhjp avatar tomhjp commented on May 31, 2024 1

Hi @michael-bowen-sc, welcome to the project! And good question. We plan to support both going forwards, though the Vault Agent injector is more mature technically. So which you choose is a matter of trading off the capabilities and stability you need, and of course there are also security model and deployment-specific considerations. The biggest considerations that come to mind for me are:

  • The injector containers run as the consuming pod's service account, whereas CSI needs permission to create a bound service account token to impersonate any consuming pod's service account [security]
  • CSI requires writeable hostPath volumes to communicate with the driver and write to the pod's volume (the latter will be removed in a later version) [security]
  • Only CSI can sync to k8s secrets [capability]
  • The injector has been much more widely deployed and tested in real production environments as of today [stability]
  • CSI deploys as a daemonset, whereas injector adds containers to each consuming pod, so CSI will normally have fewer containers [deployment]

I would love to hear the community's input on how important each of these points is, and whether I've missed other stuff.

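The two integration styles compared in the comments above (the injector's per-pod annotations, including the Istio port exclusion mentioned in the first comment, and the CSI provider's SecretProviderClass with its Kubernetes Secret sync), as an added example that is not from this thread or the project's own documentation. The Vault role `webapp`, the KV path `secret/data/webapp/config`, the Vault address and port 8200, the service account and image names are all assumptions.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: webapp-injector
  annotations:
    vault.hashicorp.com/agent-inject: "true"
    vault.hashicorp.com/role: "webapp"
    vault.hashicorp.com/agent-inject-secret-config: "secret/data/webapp/config"
    # Istio: keep the mesh sidecar from intercepting the agent's traffic to Vault (port 8200 assumed)
    traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
spec:
  serviceAccountName: webapp  # the injected agent authenticates as this pod's own service account
  containers:
    - { name: app, image: example.com/webapp:placeholder }
---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: vault-webapp
spec:
  provider: vault
  parameters:
    vaultAddress: "https://vault.example.internal:8200"  # assumed address
    roleName: "webapp"
    objects: |
      - objectName: "db-password"
        secretPath: "secret/data/webapp/config"
        secretKey: "db_password"
  # CSI-only capability from the thread: mirror the mounted value into a Kubernetes Secret
  secretObjects:
    - secretName: webapp-db
      type: Opaque
      data:
        - objectName: db-password
          key: password
---
apiVersion: v1
kind: Pod
metadata: { name: webapp-csi }
spec:
  serviceAccountName: webapp  # the provider requests a bound token for this SA on the pod's behalf
  containers:
    - name: app
      image: example.com/webapp:placeholder
      volumeMounts: [{ name: secrets, mountPath: /mnt/secrets, readOnly: true }]
  volumes:
    - name: secrets
      csi: { driver: secrets-store.csi.k8s.io, readOnly: true, volumeAttributes: { secretProviderClass: vault-webapp } }
```

The `secretObjects` sync only takes effect when the Secrets Store CSI driver is installed with Secret syncing enabled, and the Kubernetes Secret is only created once a pod actually mounts the volume.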

tomhjp avatar tomhjp commented on May 31, 2024

One additional point on stability: as stated in the readme, the Vault CSI provider currently depends on alpha Kubernetes APIs, and the Secrets Store CSI driver itself is currently alpha. There is a milestone on the driver project working towards stability here: https://github.com/kubernetes-sigs/secrets-store-csi-driver/milestone/5.

This project is currently supported as a Beta product, but relies on Alpha Kubernetes APIs and the CSI secrets store driver which is also Alpha. Where possible we will provide upgrade paths and deprecation notices for future releases, but cannot guarantee a stable API.


sidewinder12s avatar sidewinder12s commented on May 31, 2024

Thanks for the rundown, I think it’d be really great to get this and content from the recent blog post into the project readmes, as this was the first question I had after seeing the CSI driver project.

https://www.hashicorp.com/blog/retrieve-hashicorp-vault-secrets-with-kubernetes-csi


tomhjp avatar tomhjp commented on May 31, 2024

Couple of updates on this:

  • We'll be working on some comparison documentation for vaultproject.io soon
  • There is also now a blog directly comparing the two here


tomhjp avatar tomhjp commented on May 31, 2024

Thanks for the input all. We've now added a comparison on our documentation site here: https://www.vaultproject.io/docs/platform/k8s/injector-csi
