This document discusses Kubernetes Secrets and the Sealed Secrets open source project. It begins with an overview of Kubernetes Secrets and common issues. It then covers the history, architecture, and basic workflow of Sealed Secrets. Key metrics about the popularity and usage of Sealed Secrets are provided. Advanced features are described along with best practices for secret management. The presentation concludes with a recommendation to favor simple secret approaches and automate processes.
2. Agenda
Kubernetes Secrets
Models & Common issues
Sealed Secrets OSS
History, OSS project, philosophy, GitOps, Architecture & base use case
Basic flow & Advanced Sealed Secrets features
Use cases & best practices
Demo time
Beyond Sealed Secrets
3. Sealed Secrets maintainers
Meet the team!
Alejandro Moreno
github.com/alemorcuq
Alfredo García
github.com/agarcia-oss
José Luis Vázquez
github.com/josvazg
Alvaro Neira
github.com/alvneiayu
Harsh Sharma
github.com/harshsharma071988
Nisha Kumari
github.com/Nisha-kumari
5. Kubernetes Secrets
What do they look like?
Kubernetes Secrets are a native Kubernetes API resource designed to hold secret data.
But they are not encrypted: the values under data are only base64-encoded, because they must be ready to be consumed by Pods. Anyone who can read the Secret object (or the etcd store behind it, unless encryption at rest is configured) can read the values.
7. Kubernetes Secrets
Types
Secret type                           Use case
Opaque                                Arbitrary user-defined secrets, as in the previous example
kubernetes.io/service-account-token   ServiceAccount token
kubernetes.io/dockercfg               Serialized ~/.dockercfg file
kubernetes.io/dockerconfigjson        Serialized ~/.docker/config.json file
kubernetes.io/basic-auth              Credentials for basic authentication
kubernetes.io/ssh-auth                Credentials for SSH authentication
kubernetes.io/tls                     Data for a TLS client or server
bootstrap.kubernetes.io/token         Bootstrap token data
10. Bitnami is a catalog of free open-source software
15+ years building and maintaining software packages
Over 180 applications, components, frameworks, templates, and more, including…
Any environment: local, cloud, data center
Any format: virtual machines, containers, deployment templates
Any platform
11. We were there…
Pioneering from installers to Cloud Native
2003 …when software was growing
2008 …when Amazon was just a bookstore
2012 …when clouds were forming
2015 …when containers were just for devs
2017 …when Kubernetes was plain hard
12. Sealed Secrets as an OSS project
Main features
Sealed Secrets: a simple, safe and popular GitOps flow for secrets, with 3 components:
kubeseal (CLI tool): seals Kubernetes Secrets into SealedSecrets, encrypting them with the cluster's sealing certificate (public key).
Sealed Secrets controller (Kubernetes controller): holds the private key and unseals SealedSecrets into their equivalent Kubernetes Secrets.
Code repository: SealedSecrets can be stored safely in the code repository, next to the rest of the deployment configuration.
13. Sealed Secrets as an OSS project
Key metrics
6.1K GitHub stars
80M monthly downloads
10K+ OSS projects using Sealed Secrets
702 pull requests
389 solved issues
14. Sealed Secrets as an OSS project
More metrics…
Sealed Secrets is downloaded 20 times more often than other key applications in the security ecosystem.
19. Secret management best practices
General advice
Rotate secrets: rotate your secrets often. Each rotation seals the new value with the current sealing key, so you never need to worry about re-sealing old ones.
Least privilege: follow the least-privilege principle on secret access, to reduce the blast radius.
Don't leak your keys: the less you share or copy them around, the better.
20. Key Management
Under the hood
[Diagram: kubeseal ${SECRET} produces a SealedSecret that is committed to Git. Inside the Kubernetes cluster the sealed-secrets controller creates the current TLS sealing secret (certificate / public key) and keeps the older TLS sealing secrets; all of them live in etcd.]
● Key pairs are plain Kubernetes Secrets of type kubernetes.io/tls, named sealed-secrets-...
○ They are managed by Sealed Secrets, so you don't need to manage them yourself.
21. Advanced features
Use as needed
Sometimes, defaults don't cut it or something doesn't go as planned.
Compromised unsealing key: you must move the controller to a new sealing key pair. Then rotate your secrets: anything sealed with the compromised key must be treated as exposed.
Taking over secrets: you can annotate SealedSecrets so that the controller takes control of existing Secrets of the same name.
Updating secrets: kubeseal allows you to update or append keys in an existing SealedSecret.
Offline certs: by default kubeseal fetches the latest cluster sealing certificate for you. But you can point it at a certificate file and seal offline, if you really need to.
22. 22
It might be difficult to realize
how simple and safe the
basic flow is…
…Until you compare with
other flows enabled by
advanced features or
options.
Scoping
Secrets are sealed for a particular secret name and
namespace by default.
Relaxing scoping means cluster neighbours can take a
peek.
Re-sealing
Sealing keys are renovated every 30 days by default, but
old keys are kept.
But you can reseal the same secret again with the newer
sealing key, if needed. Still why would you need it if you
were rotating your secrets as you should?
Sealing keys are just secrets
You can manage them on the side, but should you?
Advanced features
Use with caution!
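Added example, not from the slides and not the Sealed Secrets project's own code: a self-contained Go model of the flow the preceding slides describe, so that the base64-only Secret data (slide 5), the seal/unseal round trip between kubeseal and the controller (slide 12), the ring of older sealing keys the controller keeps (slide 20), the compromised-key case (slide 21) and strict scoping and key renewal (slide 22) can be run locally. The hybrid construction (a fresh AES-GCM session key wrapped with RSA-OAEP), the two-byte length-prefix layout and the per-scope OAEP labels are my assumptions about how the real tool works, not facts stated on the page; the function names, the sample value "hunter2" and the payments/staging namespaces are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
)

// scopeLabel is the RSA-OAEP label that binds a sealed value to where it may be unsealed.
// Assumed (not stated on the slides): "" cluster-wide, the namespace, or namespace/name (strict, default).
func scopeLabel(scope, namespace, name string) []byte {
	switch scope {
	case "cluster-wide":
		return []byte("")
	case "namespace-wide":
		return []byte(namespace)
	}
	return []byte(namespace + "/" + name)
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal: a fresh single-use 256-bit AES-GCM key encrypts the value and is itself wrapped with
// RSA-OAEP(SHA-256, label). Assumed layout: 2-byte big-endian RSA blob length || RSA blob ||
// AES-GCM ciphertext. A zero nonce is safe only because each session key encrypts one message.
func seal(pub *rsa.PublicKey, value, label []byte) ([]byte, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, label)
	if err != nil {
		return nil, err
	}
	aead, err := gcm(sessionKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 2, 2+len(wrapped))
	binary.BigEndian.PutUint16(out, uint16(len(wrapped)))
	out = append(out, wrapped...)
	return aead.Seal(out, make([]byte, aead.NonceSize()), value, nil), nil
}

// unseal reverses seal with one key; a wrong key, or a label for a different scope, fails inside OAEP.
func unseal(priv *rsa.PrivateKey, sealed, label []byte) ([]byte, error) {
	if len(sealed) < 2 || len(sealed) < 2+int(binary.BigEndian.Uint16(sealed)) {
		return nil, errors.New("sealed value truncated")
	}
	n := 2 + int(binary.BigEndian.Uint16(sealed))
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, sealed[2:n], label)
	if err != nil {
		return nil, err
	}
	aead, err := gcm(sessionKey)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, make([]byte, aead.NonceSize()), sealed[n:], nil)
}

// unsealAny models the controller, which keeps every sealing key it has generated (newest
// first) and tries each in turn, because a sealed value does not name the key that sealed it.
func unsealAny(keys []*rsa.PrivateKey, sealed, label []byte) ([]byte, error) {
	for _, k := range keys {
		if v, err := unseal(k, sealed, label); err == nil {
			return v, nil
		}
	}
	return nil, errors.New("no sealing key can unseal this value")
}

func main() {
	plain, _ := base64.StdEncoding.DecodeString("aHVudGVyMg==") // a plain Secret's .data: base64, not encryption
	key1, _ := rsa.GenerateKey(rand.Reader, 2048)               // current sealing key pair
	label := scopeLabel("strict", "payments", "db-creds")
	sealed, err := seal(&key1.PublicKey, plain, label)
	fmt.Printf("sealed %q for payments/db-creds: %d bytes, err=%v\n", plain, len(sealed), err)
	key2, _ := rsa.GenerateKey(rand.Reader, 2048) // 30-day renewal: key2 seals from now on, key1 is kept
	v, err := unsealAny([]*rsa.PrivateKey{key2, key1}, sealed, label)
	fmt.Printf("unseal after renewal: %q err=%v\n", v, err)
	_, err = unsealAny([]*rsa.PrivateKey{key2, key1}, sealed, scopeLabel("strict", "staging", "db-creds"))
	fmt.Println("same SealedSecret copied to staging/db-creds:", err)
	_, err = unsealAny([]*rsa.PrivateKey{key2}, sealed, label) // key1 compromised and dropped
	fmt.Println("after dropping the compromised key (must re-seal):", err)
}
```

Run it with go run on a single file. The three failure cases printed at the end are the ones the slides warn about: the strict label makes a copied SealedSecret useless in another namespace, an older key kept after renewal still unseals old values, and dropping a compromised key breaks every value sealed only under it, which is why the secret itself must be rotated and re-sealed.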
25. 25
Standalone Sealed Secrets is good,
with GitOps friends is even better!
The best practice with Sealed
secrets is to stick to its default
flow.
Favour simple approaches
Automate Everything
Beyond Sealed Secrets
Parting words
kubeseal ${SECRET}
Sealed
Secret
Git
sealed-secrets controller
kube-apiserver
Sealed
Secret
Secret
Kubernetes cluster
etcd node
kubectl apply
Detect
Sealed Secrets
Decrypt
Secret