vSphere credentials can be protected from being exposed as clear text by using Kubernetes
secrets instead of plain-text usernames and passwords in your
Config file changes
vsphere.conf file with
secret-namespace defined instead of
password as is detailed here.
[Global] secret-name = "vcconf" secret-namespace = "kube-system" port = "443" insecure-flag = "1" [VirtualCenter "10.0.1.200"] datacenters = "DC-1" [Workspace] server = "10.0.1.200" datacenter = "DC-1" default-datastore = "vsanDatastore" resourcepool-path = "ClusterNameHere/Resources" folder = "kubernetes" [Disk] scsicontrollertype = pvscsi
Encode the username and password
Launch the Kubernetes cluster with vSphere Cloud Provider configured as above.
base64 encoded strings for the username and password:
$ echo -n 'Administrator@vsphere.local' | base64 QWRtaW5pc3RyYXRvckB2c3BoZXJlLmxvY2Fs $ echo -n 'password' | base64 cGFzc3dvcmQ=
Create a K8s secret
Next, create a Kubernetes
secret with the
base64 encoded vCenter credentials.
credentials.yaml as shown below - replacing your vCenter IP address and
base64 strings from above, as appropriate. In the below example, the
secret name is
vcconf and matches what we put in the
secret-name section of
vsphere.conf file above.
apiVersion: v1 kind: Secret metadata: name: vcconf type: Opaque data: 10.0.1.200.username: QWRtaW5pc3RyYXRvckB2c3BoZXJlLmxvY2Fs 10.0.1.200.password: cGFzc3dvcmQ=
Import the secret definition into Kubernetes (note, we are importing into the
kube-system namespace, which must match the
secret-namespace section in the
vsphere.conf file from above):
kubectl create -f credentials.yaml --namespace=kube-system
The vSphere Cloud Provider will authenticate with the vCenter using the Kubernetes managed secret.
Using SAML auth
Note: vSphere credentials can also be encrypted using SAML token authentication, Please refer documentation for SAML token authentication using vCenter SSO API.