Service Key Rotation
Cloud provider service keys can be used in various aspects of the Kubecost installation. This includes configuring integrating your cloud provider billing data with Kubecost, setting up multi-cluster environments, and backing up data. While automated IAM authentication via a Kubernetes service account like AWS IRSA is recommended, there are some scenarios where key-based authentication is preferred. When this method is used, rotating the keys at a pre-defined interval is a security best practice. Combinations of these features can be used, and therefore you may need to follow one or more of the below steps.
Adding cloud provider keys
There are multiple methods for adding cloud provider keys to Kubecost when configuring a cloud integration. This article will cover all three procedures. Be sure to use the same method that was used during the initial installation of Kubecost when rotating keys. See the Cloud Integrations doc for additional details.
The preferred and most common is via the multi-cloud cloud-integration.json Kubernetes secret.
The second method is to define the appropriate secret in Kubecost's values.yaml.
The final method to configure keys is via the Kubecost Settings page.
The primary sequence for setting up your key is:
Modify the appropriate Kubernetes secret, Helm value, or update via the Settings page.
Restart the Kubecost
cost-analyzer
pod.Verify the new key is working correctly. Any authentication errors should be present early in the
cost-model
container logs from thecost-analyzer
pod. Additionally, you can check the status of the cloud integration in the Kubecost UI via Settings > View Full Diagnostics.
Adding multi-cluster keys
There are two methods for enabling multi-clustering in Kubecost:
Depending on which method you are using, the key rotation process differs.
Federated-ETL
With Federated ETL objects, storage keys can be provided in two ways. The preferred method is using the secret defined by the Helm value .Values.kubecostModel.federatedStorageConfigSecret
.
Update the appropriate Kubernetes secret with the new key on each cluster.
Restart the Kubecost
cost-analyzer
pod.Restart the Kubecost
federator
pod.Verify the new key is working correctly by checking the
cost-model
container logs from thecost-analyzer
pod for any object storage authentication errors. Additionally, verify there are no object storage errors in thefederator
pod logs.
Thanos
Thanos federation makes use of the kubecost-thanos
Kubernetes secret as described here.
Update the
kubecost-thanos
Kubernetes secret with the new key on each cluster.Restart the
prometheus
server pod installed with Kubecost on all clusters (including the primary cluster) that write data to the Thanos object store. This will ensure the Thanos sidecar has the new key.On the primary Kubecost cluster, restart the
thanos-store
pod.Verify the new key is working correctly by checking the
thanos-sidecar
logs in theprometheus
server pods for authentication errors to ensure they are able to write new block data to the object storage.Verify the new key is working correctly by checking
thanos-store
pod logs on the primary cluster for authentication errors to ensure it is able to read block data from the object storage.
Last updated