Sealed Secrets: protecting your Kubernetes Secrets since 2017
José Luis Vázquez González
Alfredo García
Agenda
● Kubernetes Secrets: models & common issues
● Sealed Secrets OSS: history, OSS project, philosophy, GitOps, architecture & base use case
● Basic flow & advanced Sealed Secrets features; use cases & best practices
● Demo time
● Beyond Sealed Secrets
Sealed Secrets maintainers
Meet the team!
● Alejandro Moreno: github.com/alemorcuq
● Alfredo García: github.com/agarcia-oss
● José Luis Vázquez: github.com/josvazg
● Alvaro Neira: github.com/alvneiayu
● Harsh Sharma: github.com/harshsharma071988
● Nisha Kumari: github.com/Nisha-kumari
Kubernetes Secrets: Models & Common Issues
Kubernetes Secrets
What do they look like?
Kubernetes Secrets are native Resource Definitions designed to hold secret data.
But they are not encrypted: they have to be ready to be consumed by Pods as-is.
Kubernetes Secrets
And then you encrypted them… right?
Kubernetes Secrets
Types

Secret Type | Use case
--- | ---
Opaque | Arbitrary user-defined secrets, as in the previous example.
kubernetes.io/service-account-token | ServiceAccount token
kubernetes.io/dockercfg | Serialized ~/.dockercfg file
kubernetes.io/dockerconfigjson | Serialized ~/.docker/config.json file
kubernetes.io/basic-auth | Credentials for basic authentication
kubernetes.io/ssh-auth | Credentials for SSH authentication
kubernetes.io/tls | Data for a TLS client or server
bootstrap.kubernetes.io/token | Bootstrap token data
Secret Management Options
Different models and tradeoffs
● Native Kubernetes Secrets
● KMS systems
● Sealed Secrets
● Hybrid models
Sealed Secrets OSS: Backstory & Status of the Open Source Project
15+ years building and maintaining software packages
Bitnami is a catalog of free open-source software: over 180 applications, components, frameworks, templates, and more, including…
● Any environment: local, cloud, data center
● Any format: virtual machines, containers, deployment templates
● Any platform
We were there…
Pioneering from installers to Cloud Native
● 2003: when software was growing
● 2008: when Amazon was just a bookstore
● 2012: when clouds were forming
● 2015: when containers were just for devs
● 2017: when Kubernetes was plain hard
Sealed Secrets as an OSS project
Main features
Sealed Secrets: simple, safe & popular GitOps flow for secrets with 3 components:
● Kubeseal (CLI tool): the Sealed Secrets CLI (kubeseal) seals Kubernetes Secrets.
● Kubernetes controller: the Sealed Secrets controller unseals Sealed Secrets into their equivalent Kubernetes Secrets.
● Code repository: Sealed Secrets can be stored safely in the code repository, next to the rest of the deployment configuration.
Sealed Secrets as an OSS project
Key metrics
● 6.1K GitHub stars
● 80M monthly downloads
● +10K OSS projects using Sealed Secrets
● 702 Pull Requests
● 389 solved issues
Sealed Secrets as an OSS project
More metrics…
Sealed Secrets is downloaded 20 times more often than other key applications in the security ecosystem.
Sealed Secrets as an OSS project
Monthly downloads by domain

Domain | Monthly downloads | % of total downloads
--- | --- | ---
microsoft.com | 22,122,490 | 47.98%
google.com | 17,605,812 | 38.18%
amazon.com | 3,459,777 | 7.54%
21vbluecloud.com | 605,663 | 1.31%
monaco-telecom.mc | 480,258 | 1.04%
beeksfinancialcloud.com | 279,665 | 0.66%
pulsepoint.com | 269,564 | 0.58%
huaweicloud.com | 234,600 | 0.50%
softlayer.com | 169,501 | 0.36%
digitalocean.com | 137,255 | 0.29%
Basic flow & Advanced Sealed Secrets features; Use cases & best practices
Sealed Secrets Basic flow
How it works
[Diagram: kubeseal ${SECRET} produces a Sealed Secret, which is committed to Git; kubectl apply sends it to kube-apiserver, where it is stored as a Sealed Secret in the Kubernetes cluster (etcd node); the sealed-secrets controller detects Sealed Secrets, decrypts them and creates the corresponding Secret.]
Secret management best practices
General advice
● Rotate Secrets: remember to rotate your secrets often, so you need not worry about re-sealing them.
● Least privilege: follow the least privilege principle on secret access to reduce the blast radius.
● Don't leak your keys: the less you share or copy them around, the better.
Key Management
Under the hood
[Diagram: kubeseal ${SECRET} produces a Sealed Secret committed to Git; inside the Kubernetes cluster (etcd node) the sealed-secrets controller creates a new TLS sealing secret and keeps the older TLS sealing secret; kubeseal obtains the certificate / public key from the controller.]
● Key pairs are plain TLS secrets named sealed-secrets-...
○ They are managed by Sealed Secrets so you don't need to.
Advanced features
Use as needed
Sometimes, defaults don't cut it or something doesn't go as planned.
● Compromised unseal key: you must move the controller to a new sealing keypair. Then rotate your secrets, since they are also compromised.
● Taking over secrets: you can annotate sealed secrets to take control of existing secrets.
● Updating secrets: kubeseal lets you update or append keys in a sealed secret.
● Offline certs: by default kubeseal uses the latest cluster sealing certificate for you, but you can set a certificate to be used offline if you really need to.
Advanced features
Use with caution!
It might be difficult to realize how simple and safe the basic flow is… until you compare it with other flows enabled by advanced features or options.
● Scoping: secrets are sealed for a particular secret name and namespace by default. Relaxing scoping means cluster neighbours can take a peek.
● Re-sealing: sealing keys are renewed every 30 days by default, but old keys are kept. You can reseal the same secret again with the newer sealing key if needed. Still, why would you need it if you were rotating your secrets as you should?
● Sealing keys are just secrets: you can manage them on the side, but should you?
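The scoping and re-sealing points above, as an added example that is not the project's own code: a Go program modeled on the Sealed Secrets hybrid scheme (RSA-OAEP wraps a one-time AES-256-GCM session key, and the scope string is used as the OAEP label). The function names, the key sizes, the sample secret value and the namespace/name values are constructed for this illustration. It shows why a strict-scope SealedSecret copied into another namespace fails to unseal, why a cluster-wide one unseals anywhere (the "neighbours can take a peek" caveat), and how keeping the older sealing key after a renewal lets values sealed before the renewal keep working without re-sealing.

```go
// Added illustration, not the project's code: modeled on the Sealed Secrets scheme
// (RSA-OAEP wraps a one-time AES-256-GCM key; the scope string is the OAEP label).
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// scopeLabel binds a sealed value to its target: strict (the default) to
// namespace/name, namespace-wide to the namespace only, cluster-wide to nothing.
func scopeLabel(scope, namespace, name string) []byte {
	switch scope {
	case "namespace-wide":
		return []byte(namespace)
	case "cluster-wide":
		return nil
	}
	return []byte(namespace + "/" + name)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal wraps a fresh session key under the scope label and encrypts the payload;
// the wrapped key (pub.Size() bytes) is prepended to the AES-GCM ciphertext.
func seal(pub *rsa.PublicKey, label, plaintext []byte) ([]byte, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, label)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	// The session key is used exactly once, so an all-zero nonce is safe here.
	return append(wrapped, gcm.Seal(nil, make([]byte, gcm.NonceSize()), plaintext, nil)...), nil
}

// unseal does what the controller does: try every sealing key it still keeps
// (newest first) with the label derived from where the SealedSecret lives.
func unseal(keys []*rsa.PrivateKey, label, blob []byte) ([]byte, error) {
	for _, priv := range keys {
		n := priv.PublicKey.Size()
		sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob[:n], label)
		if err != nil {
			continue // wrong key or wrong scope label: try the next kept key
		}
		gcm, err := newGCM(sessionKey)
		if err != nil {
			return nil, err
		}
		return gcm.Open(nil, make([]byte, gcm.NonceSize()), blob[n:], nil)
	}
	return nil, errors.New("no kept sealing key unseals this blob for this scope")
}

// RunDemo renews the sealing key once (older key kept) and checks that a value sealed
// before renewal still unseals, that a strict-scope blob copied into another namespace
// is rejected, and that a cluster-wide blob unseals under any namespace/name.
func RunDemo() (oldKeyStillUnseals, movedCopyFails, clusterWideAnywhere bool, err error) {
	keyring := make([]*rsa.PrivateKey, 2) // keyring[0] is the renewed key, keyring[1] the older one
	for i := range keyring {
		if keyring[i], err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
			return
		}
	}
	secret := []byte("password=constructed-example-value") // constructed sample value
	strict := scopeLabel("strict", "prod", "db-creds")
	blob, err := seal(&keyring[1].PublicKey, strict, secret) // sealed before the renewal
	if err != nil {
		return
	}
	got, err := unseal(keyring, strict, blob)
	oldKeyStillUnseals = err == nil && string(got) == string(secret)
	_, moveErr := unseal(keyring, scopeLabel("strict", "staging", "db-creds"), blob)
	movedCopyFails = moveErr != nil
	wide, err := seal(&keyring[0].PublicKey, scopeLabel("cluster-wide", "", ""), secret)
	if err != nil {
		return
	}
	got, err = unseal(keyring, scopeLabel("cluster-wide", "any-ns", "any-name"), wide)
	clusterWideAnywhere = err == nil && string(got) == string(secret)
	return
}
```

The label is what makes scope enforcement free: the controller does not consult any allow-list, it simply derives the label from the SealedSecret's own namespace and name, so a blob pasted into a different namespace decrypts with the wrong label and OAEP rejects it. Relaxing the scope shrinks that label, which is exactly why a cluster-wide blob can be unsealed by any namespace that can apply it.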
Demo time!
Beyond Sealed Secrets
Beyond Sealed Secrets
Parting words
Standalone Sealed Secrets is good; with GitOps friends it is even better!
The best practice with Sealed Secrets is to stick to its default flow.
● Favour simple approaches
● Automate everything
github.com/bitnami-labs/sealed-secrets

Presented at Codemotion Madrid 2023.
