Bank-Vaults Introduction

Márk Sági-Kazár

2023-09-06 @ CNCF TAG Security weekly


Márk Sági-Kazár

Open Source Tech Lead @ Cisco

CNCF Ambassador

Bank-Vaults core maintainer



Kubernetes secret management is tricky

  • Secret distribution
  • Secret storage
  • Managing access to secrets

Secret distribution

  • Synchronize secrets to Kubernetes from central store (External Secrets)
  • Inject secrets into containers (Bank-Vaults)
  • Load secrets directly from store by the application (store specific SDKs)


Banzai Cloud

Mission: Help companies with digital transformation

Solution: All-in-one platform to run containerized applications

Enterprises need solutions to specific problems

Bank-Vaults was born

  • It was part of the platform initially
  • “Run your app, we will take care of secret management”
  • Bank-Vaults became an independent project (2018)
    • Manage Hashicorp Vault on Kubernetes
    • Inject secrets directly into pods
  • It quickly became our most popular Open Source project


  • Bank-Vaults CLI
  • Vault Operator
  • Secret injection webhook
  • Vault Go SDK
  • …more coming

Bank-Vaults CLI

  • CLI tool to configure Vault
  • Init, unseal, configure
  • Declarative configuration in YAML
  • Advanced features, like HSM and KMS for unsealing

Vault Operator

  • Operate Vault on Kubernetes
  • Manage unsealing and configuration using Bank-Vaults CLI

Secret injection webhook

  • Mutate pods: inject a binary into containers
  • Replace vault:path/to/secret formatted strings in env vars/files
  • Many more features (inject vault token, mutate secrets/configmaps, etc)


Community & adoption

  • Used at several companies in production
  • Vibrant community on Slack
  • Several external contributors
  • Roadmap is driven by community feedback

Future plans

  • Secret synchronization between stores
  • Broaden secret store support (where applicable)
  • WASM provider support

Thank you

Any questions?