SlideShare a Scribd company logo

Secrets in Kubernetes

Q
Qvik

Presentation by Jerry Jalava, Senior System Architect, Google Developer Expert, Authorised Trainer at Qvik. It was held at "DevOps and Security" -meetup on the 5th of April 2016 at RedHat. Source is available at: https://github.com/jerryjj/devsec_050416

1 of 25
Download to read offline
Senior System Architect, Google
Developer Expert, Authorised Trainer
SECRETS IN KUBERNETES
JERRY JALAVA
JERRY@QVIK.FI | @W_I
WHAT SECRETS DO
APPLICATIONS HAVE?
QUESTION
@QVIK
COMMON SECRETS
‣ Database credentials
‣ API credentials & endpoints (Twitter, FB,
etc.)
‣ Infrastructure API credentials (Google,
AWS, Azure)
‣ Private (TLS) Keys (careful here)
‣ Etc.
@QVIKPhotos: CC0 License, https://www.pexels.com
I’LL JUST INCLUDE THEM
WITH MY CODE…
WELL, EASY ENOUGH…
@QVIK
DON’T!
@QVIK
JUST AS AN EXAMPLE
Dev put AWS keys on Github.
Bots are crawling all over GitHub seeking secret keys…
"When I woke up the next morning, I had emails and a
missed phone call from Amazon AWS - ~140 servers
running on my AWS account"
- a developer served with a $2,375 Bitcoin mining bill
http://www.theregister.co.uk/
@QVIKPhotos: CC0 License, https://www.pexels.com

Recommended

New Features of Kubernetes v1.2.0 beta
New Features of Kubernetes v1.2.0 betaNew Features of Kubernetes v1.2.0 beta
New Features of Kubernetes v1.2.0 betaGiragadurai Vallirajan
 
Secrets in Kubernetes
Secrets in KubernetesSecrets in Kubernetes
Secrets in KubernetesJerry Jalava
 
Server deployment
Server deploymentServer deployment
Server deploymentbsadd
 
Kubernetes security and you
Kubernetes security and youKubernetes security and you
Kubernetes security and youKarthik Gaekwad
 
Kubernetes Security
Kubernetes SecurityKubernetes Security
Kubernetes Securityinovex GmbH
 
Spring Cloud and Netflix Components
Spring Cloud and Netflix ComponentsSpring Cloud and Netflix Components
Spring Cloud and Netflix ComponentsDharshan Sastry B N
 
NATS: Simple, Secure and Scalable Messaging For the Cloud Native Era
NATS: Simple, Secure and Scalable Messaging For the Cloud Native EraNATS: Simple, Secure and Scalable Messaging For the Cloud Native Era
NATS: Simple, Secure and Scalable Messaging For the Cloud Native Erawallyqs
 

More Related Content

What's hot

Building Microservices with Spring Cloud and Netflix OSS
Building Microservices with Spring Cloud and Netflix OSSBuilding Microservices with Spring Cloud and Netflix OSS
Building Microservices with Spring Cloud and Netflix OSSSemih Hakkıoğlu
 
Kubernetes 1.3 - Highlights
Kubernetes 1.3 - HighlightsKubernetes 1.3 - Highlights
Kubernetes 1.3 - HighlightsMatthew Barker
 
Microservices and Container Management with NGINX Plus and Mesosphere DC/OS
Microservices and Container Management with NGINX Plus and Mesosphere DC/OSMicroservices and Container Management with NGINX Plus and Mesosphere DC/OS
Microservices and Container Management with NGINX Plus and Mesosphere DC/OSNGINX, Inc.
 
Key features of rails 5.2 (2)
Key features of rails 5.2 (2)Key features of rails 5.2 (2)
Key features of rails 5.2 (2)Namrata Ukirde
 
Monitoring Highly Dynamic and Distributed Systems with NGINX Amplify
Monitoring Highly Dynamic and Distributed Systems with NGINX AmplifyMonitoring Highly Dynamic and Distributed Systems with NGINX Amplify
Monitoring Highly Dynamic and Distributed Systems with NGINX AmplifyNGINX, Inc.
 
Automating MySQL Deployments on Kubernetes
Automating MySQL Deployments on KubernetesAutomating MySQL Deployments on Kubernetes
Automating MySQL Deployments on KubernetesPresslabs
 
Kubernetes HA @ AppDirect - Montreal Kubernetes Meetup
Kubernetes HA @ AppDirect - Montreal Kubernetes MeetupKubernetes HA @ AppDirect - Montreal Kubernetes Meetup
Kubernetes HA @ AppDirect - Montreal Kubernetes Meetupalexgervais
 
User authentication and authorizarion in Kubernetes
User authentication and authorizarion in KubernetesUser authentication and authorizarion in Kubernetes
User authentication and authorizarion in KubernetesNeependra Khare
 
How to Build Your First Web App in Go
How to Build Your First Web App in GoHow to Build Your First Web App in Go
How to Build Your First Web App in GoAll Things Open
 
Google Cloud Platform for DeVops, by Javier Ramirez @ teowaki
Google Cloud Platform for DeVops, by Javier Ramirez @ teowakiGoogle Cloud Platform for DeVops, by Javier Ramirez @ teowaki
Google Cloud Platform for DeVops, by Javier Ramirez @ teowakijavier ramirez
 
Azure container service overview
Azure container service overviewAzure container service overview
Azure container service overviewShabbir Akolawala
 
Issuing temporary credentials for my sql using hashicorp vault
Issuing temporary credentials for my sql using hashicorp vaultIssuing temporary credentials for my sql using hashicorp vault
Issuing temporary credentials for my sql using hashicorp vaultOlinData
 
Database, data storage, hosting with Firebase
Database, data storage, hosting with FirebaseDatabase, data storage, hosting with Firebase
Database, data storage, hosting with FirebaseTu Pham
 
MJ Berends talk - Women & Non-Binary Focused Intro to AWS
 MJ Berends talk - Women & Non-Binary Focused Intro to AWS MJ Berends talk - Women & Non-Binary Focused Intro to AWS
MJ Berends talk - Women & Non-Binary Focused Intro to AWSAWS Chicago
 
Virtualization at Gilt - Rangarajan Radhakrishnan
Virtualization at Gilt - Rangarajan RadhakrishnanVirtualization at Gilt - Rangarajan Radhakrishnan
Virtualization at Gilt - Rangarajan RadhakrishnanDatadog
 
Webinar - Big Data: Let's SMACK - Jorg Schad
Webinar - Big Data: Let's SMACK - Jorg SchadWebinar - Big Data: Let's SMACK - Jorg Schad
Webinar - Big Data: Let's SMACK - Jorg SchadCodemotion
 
Microservices with Netflix OSS and Spring Cloud
Microservices with Netflix OSS and Spring CloudMicroservices with Netflix OSS and Spring Cloud
Microservices with Netflix OSS and Spring Cloudacogoluegnes
 
EKS security best practices
EKS security best practicesEKS security best practices
EKS security best practicesJohn Varghese
 

What's hot (20)

Building Microservices with Spring Cloud and Netflix OSS
Building Microservices with Spring Cloud and Netflix OSSBuilding Microservices with Spring Cloud and Netflix OSS
Building Microservices with Spring Cloud and Netflix OSS
 
Kubernetes 1.3 - Highlights
Kubernetes 1.3 - HighlightsKubernetes 1.3 - Highlights
Kubernetes 1.3 - Highlights
 
CloudStack Clients and Tools
CloudStack Clients and ToolsCloudStack Clients and Tools
CloudStack Clients and Tools
 
Microservices and Container Management with NGINX Plus and Mesosphere DC/OS
Microservices and Container Management with NGINX Plus and Mesosphere DC/OSMicroservices and Container Management with NGINX Plus and Mesosphere DC/OS
Microservices and Container Management with NGINX Plus and Mesosphere DC/OS
 
Key features of rails 5.2 (2)
Key features of rails 5.2 (2)Key features of rails 5.2 (2)
Key features of rails 5.2 (2)
 
Monitoring Highly Dynamic and Distributed Systems with NGINX Amplify
Monitoring Highly Dynamic and Distributed Systems with NGINX AmplifyMonitoring Highly Dynamic and Distributed Systems with NGINX Amplify
Monitoring Highly Dynamic and Distributed Systems with NGINX Amplify
 
Automating MySQL Deployments on Kubernetes
Automating MySQL Deployments on KubernetesAutomating MySQL Deployments on Kubernetes
Automating MySQL Deployments on Kubernetes
 
Kubernetes HA @ AppDirect - Montreal Kubernetes Meetup
Kubernetes HA @ AppDirect - Montreal Kubernetes MeetupKubernetes HA @ AppDirect - Montreal Kubernetes Meetup
Kubernetes HA @ AppDirect - Montreal Kubernetes Meetup
 
User authentication and authorizarion in Kubernetes
User authentication and authorizarion in KubernetesUser authentication and authorizarion in Kubernetes
User authentication and authorizarion in Kubernetes
 
How to Build Your First Web App in Go
How to Build Your First Web App in GoHow to Build Your First Web App in Go
How to Build Your First Web App in Go
 
Google Cloud Platform for DeVops, by Javier Ramirez @ teowaki
Google Cloud Platform for DeVops, by Javier Ramirez @ teowakiGoogle Cloud Platform for DeVops, by Javier Ramirez @ teowaki
Google Cloud Platform for DeVops, by Javier Ramirez @ teowaki
 
Azure container service overview
Azure container service overviewAzure container service overview
Azure container service overview
 
Issuing temporary credentials for my sql using hashicorp vault
Issuing temporary credentials for my sql using hashicorp vaultIssuing temporary credentials for my sql using hashicorp vault
Issuing temporary credentials for my sql using hashicorp vault
 
Database, data storage, hosting with Firebase
Database, data storage, hosting with FirebaseDatabase, data storage, hosting with Firebase
Database, data storage, hosting with Firebase
 
MJ Berends talk - Women & Non-Binary Focused Intro to AWS
 MJ Berends talk - Women & Non-Binary Focused Intro to AWS MJ Berends talk - Women & Non-Binary Focused Intro to AWS
MJ Berends talk - Women & Non-Binary Focused Intro to AWS
 
Virtualization at Gilt - Rangarajan Radhakrishnan
Virtualization at Gilt - Rangarajan RadhakrishnanVirtualization at Gilt - Rangarajan Radhakrishnan
Virtualization at Gilt - Rangarajan Radhakrishnan
 
Webinar - Big Data: Let's SMACK - Jorg Schad
Webinar - Big Data: Let's SMACK - Jorg SchadWebinar - Big Data: Let's SMACK - Jorg Schad
Webinar - Big Data: Let's SMACK - Jorg Schad
 
Microservices with Netflix OSS and Spring Cloud
Microservices with Netflix OSS and Spring CloudMicroservices with Netflix OSS and Spring Cloud
Microservices with Netflix OSS and Spring Cloud
 
EKS security best practices
EKS security best practicesEKS security best practices
EKS security best practices
 
Hashicorp Vault ppt
Hashicorp Vault pptHashicorp Vault ppt
Hashicorp Vault ppt
 

Similar to Secrets in Kubernetes

Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019Lacework
 
Attacking and Defending Kubernetes - Nithin Jois
Attacking and Defending Kubernetes - Nithin JoisAttacking and Defending Kubernetes - Nithin Jois
Attacking and Defending Kubernetes - Nithin JoisOWASP Hacker Thursday
 
Bitbucket Pipelines - Powered by Kubernetes
Bitbucket Pipelines - Powered by KubernetesBitbucket Pipelines - Powered by Kubernetes
Bitbucket Pipelines - Powered by KubernetesNathan Burrell
 
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...Michael Man
 
TDC2017 | São Paulo - Trilha Cloud Computing How we figured out we had a SRE ...
TDC2017 | São Paulo - Trilha Cloud Computing How we figured out we had a SRE ...TDC2017 | São Paulo - Trilha Cloud Computing How we figured out we had a SRE ...
TDC2017 | São Paulo - Trilha Cloud Computing How we figured out we had a SRE ...tdc-globalcode
 
Road to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsRoad to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsGianluca Varisco
 
Best Practices with Azure Kubernetes Services
Best Practices with Azure Kubernetes ServicesBest Practices with Azure Kubernetes Services
Best Practices with Azure Kubernetes ServicesQAware GmbH
 
Introduction to Kubernetes
Introduction to KubernetesIntroduction to Kubernetes
Introduction to KubernetesVishal Biyani
 
Azure Low Lands 2019 - Building secure cloud applications with Azure Key Vault
Azure Low Lands 2019 - Building secure cloud applications with Azure Key VaultAzure Low Lands 2019 - Building secure cloud applications with Azure Key Vault
Azure Low Lands 2019 - Building secure cloud applications with Azure Key VaultTom Kerkhove
 
Overview of secret management solutions and architecture
Overview of secret management solutions and architectureOverview of secret management solutions and architecture
Overview of secret management solutions and architectureYuechuan (Mike) Chen
 
Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3Velocidex Enterprises
 
Containerizing your Security Operations Center
Containerizing your Security Operations CenterContainerizing your Security Operations Center
Containerizing your Security Operations CenterJimmy Mesta
 
Netflix oss season 1 episode 3
Netflix oss season 1 episode 3 Netflix oss season 1 episode 3
Netflix oss season 1 episode 3 Ruslan Meshenberg
 
Managing your secrets in a cloud environment
Managing your secrets in a cloud environmentManaging your secrets in a cloud environment
Managing your secrets in a cloud environmentTaswar Bhatti
 
DCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at NetflixDCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at NetflixDocker, Inc.
 
Intelligent Cloud Conference 2018 - Building secure cloud applications with A...
Intelligent Cloud Conference 2018 - Building secure cloud applications with A...Intelligent Cloud Conference 2018 - Building secure cloud applications with A...
Intelligent Cloud Conference 2018 - Building secure cloud applications with A...Tom Kerkhove
 
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDays Riga
 

Similar to Secrets in Kubernetes (20)

Kubernetes security with AWS
Kubernetes security with AWSKubernetes security with AWS
Kubernetes security with AWS
 
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
 
Attacking and Defending Kubernetes - Nithin Jois
Attacking and Defending Kubernetes - Nithin JoisAttacking and Defending Kubernetes - Nithin Jois
Attacking and Defending Kubernetes - Nithin Jois
 
Bitbucket Pipelines - Powered by Kubernetes
Bitbucket Pipelines - Powered by KubernetesBitbucket Pipelines - Powered by Kubernetes
Bitbucket Pipelines - Powered by Kubernetes
 
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
 
TDC2017 | São Paulo - Trilha Cloud Computing How we figured out we had a SRE ...
TDC2017 | São Paulo - Trilha Cloud Computing How we figured out we had a SRE ...TDC2017 | São Paulo - Trilha Cloud Computing How we figured out we had a SRE ...
TDC2017 | São Paulo - Trilha Cloud Computing How we figured out we had a SRE ...
 
Road to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsRoad to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoops
 
Best Practices with Azure Kubernetes Services
Best Practices with Azure Kubernetes ServicesBest Practices with Azure Kubernetes Services
Best Practices with Azure Kubernetes Services
 
Introduction to Kubernetes
Introduction to KubernetesIntroduction to Kubernetes
Introduction to Kubernetes
 
Azure Low Lands 2019 - Building secure cloud applications with Azure Key Vault
Azure Low Lands 2019 - Building secure cloud applications with Azure Key VaultAzure Low Lands 2019 - Building secure cloud applications with Azure Key Vault
Azure Low Lands 2019 - Building secure cloud applications with Azure Key Vault
 
Overview of secret management solutions and architecture
Overview of secret management solutions and architectureOverview of secret management solutions and architecture
Overview of secret management solutions and architecture
 
Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3
 
Containerizing your Security Operations Center
Containerizing your Security Operations CenterContainerizing your Security Operations Center
Containerizing your Security Operations Center
 
Netflix oss season 1 episode 3
Netflix oss season 1 episode 3 Netflix oss season 1 episode 3
Netflix oss season 1 episode 3
 
Kubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbaiKubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbai
 
Managing your secrets in a cloud environment
Managing your secrets in a cloud environmentManaging your secrets in a cloud environment
Managing your secrets in a cloud environment
 
Crypto Options in AWS
Crypto Options in AWSCrypto Options in AWS
Crypto Options in AWS
 
DCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at NetflixDCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at Netflix
 
Intelligent Cloud Conference 2018 - Building secure cloud applications with A...
Intelligent Cloud Conference 2018 - Building secure cloud applications with A...Intelligent Cloud Conference 2018 - Building secure cloud applications with A...
Intelligent Cloud Conference 2018 - Building secure cloud applications with A...
 
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
 

More from Qvik

Design System Ops
Design System OpsDesign System Ops
Design System OpsQvik
 
Real-time Image Sharing
Real-time Image SharingReal-time Image Sharing
Real-time Image SharingQvik
 
Serverless with Firebase
Serverless with FirebaseServerless with Firebase
Serverless with FirebaseQvik
 
Qvik "4000 mobile concept project" 2015
Qvik "4000 mobile concept project" 2015Qvik "4000 mobile concept project" 2015
Qvik "4000 mobile concept project" 2015Qvik
 
Mobiilin maailman murros
Mobiilin maailman murrosMobiilin maailman murros
Mobiilin maailman murrosQvik
 
Oma mobiiliapplikaatio – pitkä oppimäärä lyhyesti
Oma mobiiliapplikaatio – pitkä oppimäärä lyhyestiOma mobiiliapplikaatio – pitkä oppimäärä lyhyesti
Oma mobiiliapplikaatio – pitkä oppimäärä lyhyestiQvik
 
Personalization in mobile services
Personalization in mobile servicesPersonalization in mobile services
Personalization in mobile servicesQvik
 

More from Qvik (7)

Design System Ops
Design System OpsDesign System Ops
Design System Ops
 
Real-time Image Sharing
Real-time Image SharingReal-time Image Sharing
Real-time Image Sharing
 
Serverless with Firebase
Serverless with FirebaseServerless with Firebase
Serverless with Firebase
 
Qvik "4000 mobile concept project" 2015
Qvik "4000 mobile concept project" 2015Qvik "4000 mobile concept project" 2015
Qvik "4000 mobile concept project" 2015
 
Mobiilin maailman murros
Mobiilin maailman murrosMobiilin maailman murros
Mobiilin maailman murros
 
Oma mobiiliapplikaatio – pitkä oppimäärä lyhyesti
Oma mobiiliapplikaatio – pitkä oppimäärä lyhyestiOma mobiiliapplikaatio – pitkä oppimäärä lyhyesti
Oma mobiiliapplikaatio – pitkä oppimäärä lyhyesti
 
Personalization in mobile services
Personalization in mobile servicesPersonalization in mobile services
Personalization in mobile services
 

Recently uploaded

Roundtable_-_API_Research__Testing_Tools.pdf
Roundtable_-_API_Research__Testing_Tools.pdfRoundtable_-_API_Research__Testing_Tools.pdf
Roundtable_-_API_Research__Testing_Tools.pdfMostafa Higazy
 
HBR SERIES METAL HOUSED RESISTORS POWER ELECTRICAL ABSORBS HIGH CURRENT DURIN...
HBR SERIES METAL HOUSED RESISTORS POWER ELECTRICAL ABSORBS HIGH CURRENT DURIN...HBR SERIES METAL HOUSED RESISTORS POWER ELECTRICAL ABSORBS HIGH CURRENT DURIN...
HBR SERIES METAL HOUSED RESISTORS POWER ELECTRICAL ABSORBS HIGH CURRENT DURIN...htrindia
 
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24Umar Saif
 
Harnessing the Power of GenAI for Exceptional Product Outcomes by Booking.com...
Harnessing the Power of GenAI for Exceptional Product Outcomes by Booking.com...Harnessing the Power of GenAI for Exceptional Product Outcomes by Booking.com...
Harnessing the Power of GenAI for Exceptional Product Outcomes by Booking.com...Product School
 
Building Products That Think- Bhaskaran Srinivasan & Ashish Gupta
Building Products That Think- Bhaskaran Srinivasan & Ashish GuptaBuilding Products That Think- Bhaskaran Srinivasan & Ashish Gupta
Building Products That Think- Bhaskaran Srinivasan & Ashish GuptaISPMAIndia
 
Mind your App Footprint 🐾⚡️🌱 (@FlutterHeroes 2024)
Mind your App Footprint 🐾⚡️🌱 (@FlutterHeroes 2024)Mind your App Footprint 🐾⚡️🌱 (@FlutterHeroes 2024)
Mind your App Footprint 🐾⚡️🌱 (@FlutterHeroes 2024)François
 
How we think about an advisor tech stack
How we think about an advisor tech stackHow we think about an advisor tech stack
How we think about an advisor tech stackSummit
 
Cultivating Entrepreneurial Mindset in Product Management: Strategies for Suc...
Cultivating Entrepreneurial Mindset in Product Management: Strategies for Suc...Cultivating Entrepreneurial Mindset in Product Management: Strategies for Suc...
Cultivating Entrepreneurial Mindset in Product Management: Strategies for Suc...Product School
 
"Running Open-Source LLM models on Kubernetes", Volodymyr Tsap
"Running Open-Source LLM models on Kubernetes",  Volodymyr Tsap"Running Open-Source LLM models on Kubernetes",  Volodymyr Tsap
"Running Open-Source LLM models on Kubernetes", Volodymyr TsapFwdays
 
The Future of Product, by Founder & CEO, Product School
The Future of Product, by Founder & CEO, Product SchoolThe Future of Product, by Founder & CEO, Product School
The Future of Product, by Founder & CEO, Product SchoolProduct School
 
Campotel: Telecommunications Infra and Network Builder - Company Profile
Campotel: Telecommunications Infra and Network Builder - Company ProfileCampotel: Telecommunications Infra and Network Builder - Company Profile
Campotel: Telecommunications Infra and Network Builder - Company ProfileCampotelPhilippines
 
How to write an effective Cyber Incident Response Plan
How to write an effective Cyber Incident Response PlanHow to write an effective Cyber Incident Response Plan
How to write an effective Cyber Incident Response PlanDatabarracks
 
How AI and ChatGPT are changing cybersecurity forever.pptx
How AI and ChatGPT are changing cybersecurity forever.pptxHow AI and ChatGPT are changing cybersecurity forever.pptx
How AI and ChatGPT are changing cybersecurity forever.pptxInfosec
 
Confoo 2024 Gettings started with OpenAI and data science
Confoo 2024 Gettings started with OpenAI and data scienceConfoo 2024 Gettings started with OpenAI and data science
Confoo 2024 Gettings started with OpenAI and data scienceSusan Ibach
 
"AIRe - AI Reliability Engineering", Denys Vasyliev
"AIRe - AI Reliability Engineering", Denys Vasyliev"AIRe - AI Reliability Engineering", Denys Vasyliev
"AIRe - AI Reliability Engineering", Denys VasylievFwdays
 
Introduction to Multimodal LLMs with LLaVA
Introduction to Multimodal LLMs with LLaVAIntroduction to Multimodal LLMs with LLaVA
Introduction to Multimodal LLMs with LLaVARobert McDermott
 
ASTRAZENECA. Knowledge Graphs Powering a Fast-moving Global Life Sciences Org...
ASTRAZENECA. Knowledge Graphs Powering a Fast-moving Global Life Sciences Org...ASTRAZENECA. Knowledge Graphs Powering a Fast-moving Global Life Sciences Org...
ASTRAZENECA. Knowledge Graphs Powering a Fast-moving Global Life Sciences Org...Neo4j
 
Are Human-generated Demonstrations Necessary for In-context Learning?
Are Human-generated Demonstrations Necessary for In-context Learning?Are Human-generated Demonstrations Necessary for In-context Learning?
Are Human-generated Demonstrations Necessary for In-context Learning?MENGSAYLOEM1
 
"Platform Engineering with Development Containers", Igor Fesenko
"Platform Engineering with Development Containers", Igor Fesenko"Platform Engineering with Development Containers", Igor Fesenko
"Platform Engineering with Development Containers", Igor FesenkoFwdays
 
Launching New Products In Companies Where It Matters Most by Product Director...
Launching New Products In Companies Where It Matters Most by Product Director...Launching New Products In Companies Where It Matters Most by Product Director...
Launching New Products In Companies Where It Matters Most by Product Director...Product School
 

Recently uploaded (20)

Roundtable_-_API_Research__Testing_Tools.pdf
Roundtable_-_API_Research__Testing_Tools.pdfRoundtable_-_API_Research__Testing_Tools.pdf
Roundtable_-_API_Research__Testing_Tools.pdf
 
HBR SERIES METAL HOUSED RESISTORS POWER ELECTRICAL ABSORBS HIGH CURRENT DURIN...
HBR SERIES METAL HOUSED RESISTORS POWER ELECTRICAL ABSORBS HIGH CURRENT DURIN...HBR SERIES METAL HOUSED RESISTORS POWER ELECTRICAL ABSORBS HIGH CURRENT DURIN...
HBR SERIES METAL HOUSED RESISTORS POWER ELECTRICAL ABSORBS HIGH CURRENT DURIN...
 
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24
 
Harnessing the Power of GenAI for Exceptional Product Outcomes by Booking.com...
Harnessing the Power of GenAI for Exceptional Product Outcomes by Booking.com...Harnessing the Power of GenAI for Exceptional Product Outcomes by Booking.com...
Harnessing the Power of GenAI for Exceptional Product Outcomes by Booking.com...
 
Building Products That Think- Bhaskaran Srinivasan & Ashish Gupta
Building Products That Think- Bhaskaran Srinivasan & Ashish GuptaBuilding Products That Think- Bhaskaran Srinivasan & Ashish Gupta
Building Products That Think- Bhaskaran Srinivasan & Ashish Gupta
 
Mind your App Footprint 🐾⚡️🌱 (@FlutterHeroes 2024)
Mind your App Footprint 🐾⚡️🌱 (@FlutterHeroes 2024)Mind your App Footprint 🐾⚡️🌱 (@FlutterHeroes 2024)
Mind your App Footprint 🐾⚡️🌱 (@FlutterHeroes 2024)
 
How we think about an advisor tech stack
How we think about an advisor tech stackHow we think about an advisor tech stack
How we think about an advisor tech stack
 
Cultivating Entrepreneurial Mindset in Product Management: Strategies for Suc...
Cultivating Entrepreneurial Mindset in Product Management: Strategies for Suc...Cultivating Entrepreneurial Mindset in Product Management: Strategies for Suc...
Cultivating Entrepreneurial Mindset in Product Management: Strategies for Suc...
 
"Running Open-Source LLM models on Kubernetes", Volodymyr Tsap
"Running Open-Source LLM models on Kubernetes",  Volodymyr Tsap"Running Open-Source LLM models on Kubernetes",  Volodymyr Tsap
"Running Open-Source LLM models on Kubernetes", Volodymyr Tsap
 
The Future of Product, by Founder & CEO, Product School
The Future of Product, by Founder & CEO, Product SchoolThe Future of Product, by Founder & CEO, Product School
The Future of Product, by Founder & CEO, Product School
 
Campotel: Telecommunications Infra and Network Builder - Company Profile
Campotel: Telecommunications Infra and Network Builder - Company ProfileCampotel: Telecommunications Infra and Network Builder - Company Profile
Campotel: Telecommunications Infra and Network Builder - Company Profile
 
How to write an effective Cyber Incident Response Plan
How to write an effective Cyber Incident Response PlanHow to write an effective Cyber Incident Response Plan
How to write an effective Cyber Incident Response Plan
 
How AI and ChatGPT are changing cybersecurity forever.pptx
How AI and ChatGPT are changing cybersecurity forever.pptxHow AI and ChatGPT are changing cybersecurity forever.pptx
How AI and ChatGPT are changing cybersecurity forever.pptx
 
Confoo 2024 Gettings started with OpenAI and data science
Confoo 2024 Gettings started with OpenAI and data scienceConfoo 2024 Gettings started with OpenAI and data science
Confoo 2024 Gettings started with OpenAI and data science
 
"AIRe - AI Reliability Engineering", Denys Vasyliev
"AIRe - AI Reliability Engineering", Denys Vasyliev"AIRe - AI Reliability Engineering", Denys Vasyliev
"AIRe - AI Reliability Engineering", Denys Vasyliev
 
Introduction to Multimodal LLMs with LLaVA
Introduction to Multimodal LLMs with LLaVAIntroduction to Multimodal LLMs with LLaVA
Introduction to Multimodal LLMs with LLaVA
 
ASTRAZENECA. Knowledge Graphs Powering a Fast-moving Global Life Sciences Org...
ASTRAZENECA. Knowledge Graphs Powering a Fast-moving Global Life Sciences Org...ASTRAZENECA. Knowledge Graphs Powering a Fast-moving Global Life Sciences Org...
ASTRAZENECA. Knowledge Graphs Powering a Fast-moving Global Life Sciences Org...
 
Are Human-generated Demonstrations Necessary for In-context Learning?
Are Human-generated Demonstrations Necessary for In-context Learning?Are Human-generated Demonstrations Necessary for In-context Learning?
Are Human-generated Demonstrations Necessary for In-context Learning?
 
"Platform Engineering with Development Containers", Igor Fesenko
"Platform Engineering with Development Containers", Igor Fesenko"Platform Engineering with Development Containers", Igor Fesenko
"Platform Engineering with Development Containers", Igor Fesenko
 
Launching New Products In Companies Where It Matters Most by Product Director...
Launching New Products In Companies Where It Matters Most by Product Director...Launching New Products In Companies Where It Matters Most by Product Director...
Launching New Products In Companies Where It Matters Most by Product Director...
 

Secrets in Kubernetes

  • 1. Senior System Architect, Google Developer Expert, Authorised Trainer SECRETS IN KUBERNETES JERRY JALAVA JERRY@QVIK.FI | @W_I
  • 2. WHAT SECRETS DO APPLICATIONS HAVE? QUESTION @QVIK
  • 3. COMMON SECRETS ‣ Database credentials ‣ API credentials & endpoints (Twitter, FB, etc.) ‣ Infrastructure API credentials (Google, AWS, Azure) ‣ Private (TLS) Keys (careful here) ‣ Etc. @QVIKPhotos: CC0 License, https://www.pexels.com
  • 4. I’LL JUST INCLUDE THEM WITH MY CODE… WELL, EASY ENOUGH… @QVIK
  • 6. JUST AS AN EXAMPLE Dev put AWS keys on Github. Bots are crawling all over GitHub seeking secret keys… "When I woke up the next morning, I had emails and a missed phone call from Amazon AWS - ~140 servers running on my AWS account" - a developer served with a $2,375 Bitcoin mining bill http://www.theregister.co.uk/ @QVIKPhotos: CC0 License, https://www.pexels.com
  • 7. I’LL JUST INCLUDE THEM IN MY CONTAINER… WELL, EASY ENOUGH… @QVIK
  • 9. DOCKER is about transportable and executable code. Containers can be inspected, exported and published publicly. Putting sensitive material inside Docker Container is NOT a good idea. @QVIK
  • 10. THE TWELVE-FACTOR APP ‣ http://12factor.net/ ‣ Methodology for building software-as-a-service apps, collection of best practises ‣ Suggests following: ‣ Store config in the environment ‣ config is everything that is likely to vary between deploys @QVIK
  • 11. KUBERNETES (K8s) ‣ Ancient Greek for “pilot” or “helmsman”; root of the English word “governor” ‣ Orchestrator for containers ‣ Supports multi-cloud environments ‣ Started by Google ‣ Open source ‣ Manage applications, not machines @QVIK
  • 12. MAIN COMPONENTS PODS Ephemeral units used to manage 1-n tightly coupled containers LABELS Metadata attached to objects such as Pods. Enable organization and selection of objects REPLICATION CONTROLLERS Manages requested number of Pod “replicas” from defined template 1 2 3 SERVICES Low overhead load- balancing of requests to set of Pods based on Labels 4 @QVIK
  • 14. WHAT ARE THEY? ‣ K8s Secret-objects are first-class citizens in the ecosystem ‣ Designed to hold all kinds of sensitive information in safe and flexible way. ‣ They can be used by Pods (FS & Env) and the underlying kubelet when pulling images @QVIK
  • 15. PROS ‣ Secrets can be mounted as data volumes or be exposed as environment variables to be used by a container in a pod ‣ A secret is only sent to a node if a pod on that node requires it ‣ Secret data on nodes is stored in tmpfs volumes and thus does not come to rest on the node ‣ Communication between user to the api-server, and from api-server to the kubelets, is protected by SSL/TLS @QVIK
  • 16. CONS ‣ In the API server secret data is stored as plaintext in etcd, therefore: ‣ Administrators should limit access to etcd to admin users ‣ Secret data in the API server is at rest on the disk that etcd uses (wipe/shred disks when not used) ‣ It is not possible currently to control which users of a K8s cluster can access a secret (Support planned) ‣ It is still possible to accidentally push the Secrets definition to version control @QVIK
  • 17. GOTCHAS ‣ A Secret needs to be created before any pods that depend on it ‣ Individual secrets are limited to 1MB in size ‣ They can only be referenced by pods in same namespace ‣ Once a pod is started, its secret volumes will not change, even if the secret resource is modified ‣ It is not possible currently to check what resource version of a secret object was used when a pod was created (planned feature) ‣ The key must be formatted as DNS subdomain (leading dots allowed), with max length of 253 characters @QVIK
  • 18. EXAMPLES ‣ echo "admin" > ./username.txt && echo "1f2d1e2e67df" > ./ password.txt ‣ kubectl create secret generic db-user-pass --from-file=./ username.txt --from-file=./password.txt ‣ echo "admin" | base64 ‣ kubectl create -f ./mysecret.yaml @QVIK
  • 21. WHAT ARE THEY? ‣ key-value pairs of configuration data ‣ Similar to Secrets, but designed to more conveniently support working with strings that do not contain sensitive information ‣ Can be used to store fine-grained information like individual properties or coarse-grained information like entire config files or JSON blobs @QVIK