LastPass Provider for Secrets Store CSI Driver
An experimental LastPass provider for Kubernetes Secrets Store CSI Driver.
Background
As explained in this KubeCon talk, there are 4 different approaches in K8s to consume secrets from external secret stores:
- Direct API
- Controller that mirrors secrets into K8s
- Sidecar + MutatingWebhookConfiguration
- Secrets Store CSI Driver
This repo implements the last approach for the external secret store LastPass.
Features
- Mount any LastPass items (e.g. passwords, secure notes, SSH keys) into Pods as a Volume.
- Sync as K8s Secret object: Mirror the mounted LastPass items into K8s Secret objects.
- Auto rotation: When items are updated in LastPass after the initial pod deployment, the pod mount and the synced K8s Secret objects are periodically updated to match.
Usage
- Define the items you want to fetch from LastPass in examples/secret-provider-class.yml.
LASTPASS_USERNAME=<my-user> LASTPASS_MASTERPASSWORD=<my-password> ./examples/demo-kind.sh
Design
Compared with the other providers for the Secrets Store CSI Driver, the design of this LastPass provider most closely resembles the Service Principal mode of the Azure Key Vault provider, meaning:
- The LastPass username and master password (used to authenticate to LastPass) must be created as a K8s Secret, which is stored (by default) as plaintext in etcd.
- Username and master password are the only supported way to connect to LastPass, because LastPass does not support authentication with a K8s Service Account Token.
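As an added illustration (not the project's own manifest), the three objects this design implies: the credentials Secret, a SecretProviderClass, and a Pod that mounts it. The `provider` name and the `parameters` keys are assumptions; the real ones are in examples/secret-provider-class.yml. Passing the credentials Secret via `nodePublishSecretRef` is the Secrets Store CSI Driver convention the Azure Key Vault provider's Service Principal mode also uses.

```yaml
# Credentials Secret (Design section): stored base64-encoded, i.e. plaintext,
# in etcd unless encryption at rest is enabled for the cluster.
apiVersion: v1
kind: Secret
metadata:
  name: lastpass-credentials
type: Opaque
stringData:
  username: machine-user@example.com   # constructed placeholder
  masterpassword: "<master-password>"  # constructed placeholder
---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: lastpass-db-creds
spec:
  provider: lastpass   # ASSUMED provider name
  parameters:          # ASSUMED keys; see examples/secret-provider-class.yml
    objects: |
      - objectName: "db-password"
        objectType: "password"
  secretObjects:       # optional "Sync as K8s Secret object" feature
    - secretName: db-creds
      type: Opaque
      data:
        - objectName: db-password
          key: password
---
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
    - name: app
      image: busybox:1.36
      command: ["sleep", "3600"]
      volumeMounts:
        - name: secrets
          mountPath: /mnt/secrets
          readOnly: true
  volumes:
    - name: secrets
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: lastpass-db-creds
        nodePublishSecretRef:
          name: lastpass-credentials   # credentials Secret defined above
```

With this wiring the driver reads `lastpass-credentials` only at mount time; the item itself appears as the file /mnt/secrets/db-password and, via `secretObjects`, as the Secret `db-creds`.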
Troubleshooting
If you have issues running the above example, run
kubectl -n default describe pods/mypod
kubectl -n kube-system logs -l app=secrets-store-csi-driver-provider-lastpass
kubectl -n kube-system logs -l app.kubernetes.io/instance=csi-secrets-store
If logs show
failed to authenticate with LastPass server" err="unifiedloginresult: Try again OR look for an email from LastPass to verify it's you."
check your inbox for e-mails with the subject LastPass Verification Email to verify the new location or device.
You can disable e-mail verification in the LastPass Chrome extension under Account Settings -> General -> Show Advanced Settings -> Disable Email Verification.
Notes
- Although two-factor authentication works, it should be disabled (unless you want to manually approve push notifications).
- There is a paid plan called "LastPass Identity". With this plan, you can create a separate machine user and assign this user an IP policy that allowlists the public IP addresses of the K8s nodes, blocking all other IP addresses by default. You can also allowlist the DNS names of the K8s nodes (based on reverse DNS lookup of their IP addresses). This adds security given that two-factor authentication is disabled.