ACK access credentials

In an ACK cluster, you can use one of three components, ack-secret-manager, csi-secrets-store-provider-alibabacloud, or ack-kms-agent-webhook-injector, to retrieve credentials managed in Key Management Service (KMS). The three components differ in the cluster types and versions they support and in how an application accesses the credential. Choose the component that matches your cluster and the way your application expects to consume secrets.

Component overview

  • ack-secret-manager: Imports or synchronizes secrets from KMS Secrets Manager into the cluster as Kubernetes Secret objects, so applications in the cluster can consume sensitive data securely. A workload then uses the Secret like any other Kubernetes Secret, for example by mounting it as a volume.

  • csi-secrets-store-provider-alibabacloud: Imports or synchronizes secrets from the Secrets Manager of KMS to a cluster as Kubernetes Secret objects. This component also supports mounting secrets directly into an application as a file system by using CSI inline volumes, which is ideal for applications that read secrets from files.

  • ack-kms-agent-webhook-injector: Injects the KMS Agent as a sidecar container into your Pods. This allows your application to fetch secrets from KMS through the KMS Agent using a local HTTP interface and cache them in memory. This method avoids hardcoding sensitive information and enhances data security.
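The three components deliver a credential to an application in one of two shapes: as a file (a Kubernetes Secret volume from ack-secret-manager, or a CSI inline volume from csi-secrets-store-provider-alibabacloud) or over a local HTTP interface (the KMS Agent sidecar injected by ack-kms-agent-webhook-injector). The following Python is an added example, not code from the ACK documentation or from any of the three components. It shows the consumer side of both shapes, including the two details a practitioner has to get right: re-reading a projected file when it is rotated instead of caching it once at startup, and bounding how long an in-memory copy from the sidecar is reused. The mount path, the agent URL and the `SecretData` field in the agent response are assumptions for illustration, not documented interfaces.

```python
"""Consuming a KMS-managed credential inside a Pod.

Added example, not code from the ACK documentation or from any of the three
components. Once a component has delivered the credential, an application
reads it in one of two ways:

  * as a file, for a Kubernetes Secret volume (ack-secret-manager) or a CSI
    inline volume (csi-secrets-store-provider-alibabacloud);
  * over a local HTTP interface, for the KMS Agent sidecar injected by
    ack-kms-agent-webhook-injector, with the value cached in memory.

The mount path, the agent URL and the JSON field name in the agent response
below are assumptions for illustration, not documented interfaces.
"""
import json
import os
import tempfile
import time
import urllib.parse
import urllib.request
from typing import Callable, Optional


class FileSecret:
    """Credential projected into the container as a file.

    The kubelet rewrites projected Secret files when the Secret object
    changes (it does not update environment variables or subPath mounts),
    so re-read the file when it changes rather than caching it at startup.
    """

    def __init__(self, path: str):
        self.path = path
        self._stamp = None
        self._value = ""

    def get(self) -> str:
        st = os.stat(self.path)  # FileNotFoundError if the volume is missing
        # Projected volumes are updated by an atomic swap, so inode, size and
        # mtime together identify a particular version of the file.
        stamp = (st.st_ino, st.st_size, st.st_mtime_ns)
        if stamp != self._stamp:
            with open(self.path, "rb") as fh:
                self._value = fh.read().decode("utf-8").rstrip("\n")
            self._stamp = stamp
        return self._value


class AgentSecret:
    """Credential fetched from a loopback sidecar and cached in memory.

    The TTL bounds how long a rotated credential keeps being served from the
    cache; keep it short. `fetch` and `clock` are injectable for testing.
    """

    def __init__(self, url: str, ttl_seconds: float,
                 fetch: Optional[Callable[[str], bytes]] = None,
                 clock: Callable[[], float] = time.monotonic):
        self.url = url
        self.ttl = ttl_seconds
        self._fetch = fetch or self.http_get
        self._clock = clock
        self._value: Optional[str] = None
        self._expires = 0.0

    @staticmethod
    def http_get(url: str) -> bytes:
        # The agent is a sidecar, so only loopback is legitimate; refusing
        # anything else keeps a mis-set URL from sending the request off-Pod.
        host = urllib.parse.urlsplit(url).hostname
        if host not in ("127.0.0.1", "::1", "localhost"):
            raise ValueError("KMS Agent URL must point at loopback")
        with urllib.request.urlopen(url, timeout=2) as resp:
            return resp.read()

    def get(self) -> str:
        now = self._clock()
        if self._value is None or now >= self._expires:
            body = json.loads(self._fetch(self.url))
            self._value = body["SecretData"]  # assumed response field
            self._expires = now + self.ttl
        return self._value


if __name__ == "__main__":
    # Stand-alone demo with a constructed file; in a Pod `path` would be the
    # mount point of the Secret or CSI volume, e.g. /mnt/secrets/db-password.
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "db-password")
        with open(path, "w") as fh:
            fh.write("initial-password\n")
        secret = FileSecret(path)
        print("file secret:", secret.get())
        with open(path, "w") as fh:
            fh.write("rotated-password\n")
        print("after rotation:", secret.get())
```

The file-backed reader is what you want behind a Secret volume or a CSI inline mount; the agent-backed reader is the shape the sidecar pattern implies, with the fetch and clock injected so the caching behaviour can be checked offline.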

Use cases

| Component | Supported clusters | Description | Related operations |
|---|---|---|---|
| ack-secret-manager | ACK managed cluster; ACK dedicated cluster; registered cluster; ACK Serverless cluster | Supports Secret synchronization and update. | Use ack-secret-manager to import Alibaba Cloud KMS service credentials |
| csi-secrets-store-provider-alibabacloud | ACK clusters of version 1.20 and later: ACK managed cluster; ACK dedicated cluster; registered cluster | Supports Secret synchronization and update. Supports mounting credential secrets directly into applications as file system volumes via CSI inline volumes. | Import secrets from Alibaba Cloud KMS using csi-secrets-store-provider-alibabacloud |
| ack-kms-agent-webhook-injector | ACK clusters of version 1.22 and later: ACK managed cluster; ACK dedicated cluster | Supports Secret synchronization and update. Supports retrieving credentials from a KMS instance over a local HTTP interface through the KMS Agent and caching them in memory. | Deploy KMS Agent in ACK to retrieve secrets; ACK cloud-native access |

Billing

  • ack-secret-manager and csi-secrets-store-provider-alibabacloud are free to install and use, but they consume worker node resources once installed. You can configure the resource requests for each component during installation.

  • Using KMS Secrets Manager incurs charges. For more information, see Billing.