Secrets Management and Delivery to Kubernetes Pods
Satish Devarapalli
$whoami
Satish Devarapalli
Cloud Platform Architect
@devasat
https://www.linkedin.com/in/satish-devarapalli-48a82a5/
Agenda
● Project Intro
● Secrets Delivery Pipeline View
● Mozilla SOPS (Secret OPerationS)
● Questions
Project Intro
Product (diagram): auth µsvc, µsvc, ...
Application Secrets
● Database Credentials
● AWS Credentials
● API Keys
● License Keys
● Encryption Keys
CI/CD Secrets
● AWS Credentials
● Kube Config Files
● Encryption Keys
Secrets Management Requirements
● Manage secrets as code → check-in, build and deploy
○ Secrets should be encrypted before check-in
● Encryption keys management
○ Different encryption keys for environments
○ Centralized access → do not store keys locally
○ Audit usage
○ Limit key access to individual members based on environment
○ Grant and revoke access easily
● Jenkins → minimal configuration on Jenkins nodes
○ Do not store encryption keys on Jenkins master or nodes
○ Secrets should not be left in plain text format on build success or failure
○ Store encrypted kube config files and AWS credentials in Git
● Limit secrets access to the microservices that use them
Secrets Delivery Pipeline
(Diagram: for each environment, Dev, QA and Prod, secrets are encrypted and decrypted with Mozilla SOPS + AWS KMS; a Jenkins job running inside a container decrypts them and runs Helm install, once per environment.)
Helm chart versions:
env-config-1.0.0-101-af837dh
env-config-1.0.0-102-x7jwy62
AWS KMS - Envelope Encryption
Picture source: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/how-it-works.html
Mozilla Secret OPerationS (SOPS)
~ > export SOPS_KMS_ARN="arn:aws:kms:us-east-1:212121:key/3434-c5f1-4040"
~ > sops -e secret-values.dec.yaml > secret-values.enc.yaml
(Diagram, annotated on the AWS envelope-encryption picture above: SOPS generates a 256-bit data key, encrypts secret-values.dec.yaml with it to produce secret-values.enc.yaml, and sends only the data key across the AWS boundary to the KMS key named by SOPS_KMS_ARN, which returns it encrypted.)
Mozilla Secret OPerationS (SOPS)
(Screenshot: secret-values.dec.yaml beside secret-values.enc.yaml)
Mozilla Secret OPerationS (SOPS)
secret-values.enc.yaml = data + encryption information
● Data
● Encryption key ID
● Base64-encoded value of the encrypted data key
● Message Authentication Code → prevents file tampering
● JSON and YAML keys are not encrypted; only the values are
Mozilla SOPS - Key Providers
● Microsoft Azure Key Vault → SOPS_AZURE_KEYVAULT_URL
● Google Cloud KMS → SOPS_GCP_KMS_IDS
● AWS KMS → SOPS_KMS_ARN
● PGP → SOPS_PGP_FP
Mozilla SOPS - File Types
● Supported types: JSON, YAML and Binary
● Special support for JSON and YAML files
○ Encrypts only the values
○ File extension is used to determine the type
■ secret-values.yaml.enc → binary file
■ secret-values.enc.yaml → YAML file
○ Some YAML types (anchors, streams, top-level arrays) are not supported
(Diagram: a binary input file is treated as a blob; the encrypted output carries the key fingerprint and the encrypted data key alongside the data.)
Mozilla SOPS - Multiple Master Keys
(Diagram: a Global Master Key under Shared Services, plus separate DEV, QA and PROD keys for Business Unit 1 and for Business Unit 2.)
Multiple master key uses:
- Encryption key in master AWS account
- Encryption keys in different regions
- Encryption keys in different key providers (hybrid cloud)
- PGP key (stored offline)
Mozilla SOPS - .sops.yaml
The filename path passed to sops is matched against the path regex in .sops.yaml (shown on the slide):
dev/secret-values.enc.yaml ✔
dev/secret-values.dec.yaml ✔
dev/aws-credentials.dec ✔
dev/aws-credentials ❌
Mozilla SOPS - .sops.yaml
Run sops from the root directory, where .sops.yaml lives:
~> sops -i -e dev/secret-values.enc.yaml ✔
~> cd dev && sops -i -e secret-values.enc.yaml ❌
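The rule selection the two .sops.yaml slides describe, as an added example in Go (the language sops itself is written in); this is not code from the deck or from sops. A creation rule pairs a path_regex with the master key files matching it are encrypted to, rules are tried in order and the first match wins, and the path tested is the string given on the command line. The ARNs, key IDs and regexes below are constructed for the illustration.

```go
package main

import "regexp"

// CreationRule carries the two .sops.yaml fields the slides rely on: the path_regex a file
// path is tested against, and the master key (a KMS ARN here) it is encrypted to. Added
// illustration of how the rule is chosen; the ARNs, key IDs and regexes are constructed.
type CreationRule struct {
	PathRegex string
	KMS       string
}

// One KMS key per environment: a developer who can decrypt dev files gets no path to prod.
// The regex takes .dec and .enc files with an optional YAML or JSON suffix, which is why
// dev/aws-credentials.dec matches and dev/aws-credentials (no extension) does not.
var Rules = []CreationRule{
	{`^dev/.*\.(dec|enc)(\.ya?ml|\.json)?$`, "arn:aws:kms:us-east-1:111111111111:key/dev-key-id"},
	{`^qa/.*\.(dec|enc)(\.ya?ml|\.json)?$`, "arn:aws:kms:us-east-1:111111111111:key/qa-key-id"},
	{`^prod/.*\.(dec|enc)(\.ya?ml|\.json)?$`, "arn:aws:kms:us-east-1:222222222222:key/prod-key-id"},
}

// RuleFor returns the first rule whose path_regex matches, which is the order sops uses.
// The input is the path string handed to sops, so "dev/x.enc.yaml" run from the repository
// root and "x.enc.yaml" run after `cd dev` are different inputs; only the first one matches.
// A file that matches no rule gets no master key, so sops refuses it rather than guessing.
func RuleFor(path string) (CreationRule, bool) {
	for _, r := range Rules {
		if regexp.MustCompile(r.PathRegex).MatchString(path) {
			return r, true
		}
	}
	return CreationRule{}, false
}
```

The no-match case is the one to keep an eye on: a secrets file saved without the .dec or .enc suffix, or encrypted from inside the environment directory, does not pick up the environment's key, which is the behaviour the ✔/❌ lists on the two slides record.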
Mozilla SOPS - Edit Files
Option 1: in-place edit
~ > export EDITOR=vi
~ > sops -i secret-values.enc.yaml
● Data key doesn't change
● Only the key value that was modified appears in the git diff
Option 2: decrypt and encrypt
~ > # Decrypt
~ > sops -d secret-values.enc.yaml > secret-values.dec.yaml
~ > # Encrypt
~ > sops -e secret-values.dec.yaml > secret-values.enc.yaml
● Data key changes
● All key values appear to have changed in the git diff
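The file layout from the envelope-encryption and "data + encryption information" slides, together with the two edit options just above, as one added Go example; it models the design and is not sops's real code or on-disk format. A per-file 256-bit data key encrypts each value with AES-256-GCM, the key name is bound in as additional authenticated data, the data key is wrapped by a master key, and a MAC over the plaintext values is sealed under the data key. Assumptions: the master key is a local 32-byte AES key standing in for the KMS key (no KMS call is made), and a flat map of strings stands in for the YAML tree.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha512"
	"encoding/base64"
	"fmt"
	"sort"
)

// EncFile models a sops-encrypted YAML file (illustration only, not the real format): keys in
// the clear, values encrypted under a per-file data key, the data key wrapped, a sealed MAC.
type EncFile struct {
	Values         map[string]string // key -> base64(nonce || ciphertext || tag)
	WrappedDataKey string            // base64; the blob KMS would hand back
	MAC            string            // base64; sealed SHA-512 over the plaintext values
}

func gcmFor(key []byte) cipher.AEAD { // every key here is 32 bytes, so there is no error path
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

func seal(key, plaintext, aad []byte) string {
	g := gcmFor(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return base64.StdEncoding.EncodeToString(g.Seal(nonce, nonce, plaintext, aad))
}

func open(key []byte, blob string, aad []byte) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(blob)
	if g := gcmFor(key); err == nil && len(raw) >= g.NonceSize() {
		return g.Open(nil, raw[:g.NonceSize()], raw[g.NonceSize():], aad)
	}
	return nil, fmt.Errorf("malformed ciphertext")
}

// mac hashes the plaintext values in key order, so a dropped or added key is caught even though
// every remaining value's own GCM tag still verifies.
func mac(plain map[string]string) []byte {
	keys := make([]string, 0, len(plain))
	for k := range plain {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	h := sha512.New()
	for _, k := range keys {
		fmt.Fprintf(h, "%s=%s\n", k, plain[k])
	}
	return h.Sum(nil)
}

// Encrypt with prev == nil models `sops -e`: a fresh 256-bit data key, wrapped by the master key.
// With prev set it models an in-place edit: same data key, and values whose plaintext did not
// change keep their old ciphertext, which is what keeps the git diff down to the edited line.
func Encrypt(masterKey []byte, plain map[string]string, prev *EncFile) (f *EncFile, err error) {
	dataKey, prevPlain := make([]byte, 32), map[string]string{}
	rand.Read(dataKey)
	wrapped := seal(masterKey, dataKey, []byte("data-key"))
	if prev != nil {
		if prevPlain, err = Decrypt(masterKey, prev); err != nil {
			return nil, err
		}
		dataKey, _ = open(masterKey, prev.WrappedDataKey, []byte("data-key"))
		wrapped = prev.WrappedDataKey
	}
	vals := make(map[string]string, len(plain))
	for k, v := range plain {
		if old, ok := prevPlain[k]; ok && old == v {
			vals[k] = prev.Values[k]
		} else {
			vals[k] = seal(dataKey, []byte(v), []byte(k))
		}
	}
	return &EncFile{Values: vals, WrappedDataKey: wrapped, MAC: seal(dataKey, mac(plain), []byte("mac"))}, nil
}

// Decrypt models `sops -d`: unwrap the data key (the only step that needs the master key),
// decrypt each value with its key name as AAD, then check the MAC over the whole file.
func Decrypt(masterKey []byte, f *EncFile) (map[string]string, error) {
	dataKey, err := open(masterKey, f.WrappedDataKey, []byte("data-key"))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	plain := make(map[string]string, len(f.Values))
	for k, c := range f.Values {
		v, err := open(dataKey, c, []byte(k))
		if err != nil { // edited ciphertext, or a value moved under another key
			return nil, fmt.Errorf("value %q: %w", k, err)
		}
		plain[k] = string(v)
	}
	if want, err := open(dataKey, f.MAC, []byte("mac")); err != nil || string(want) != string(mac(plain)) {
		return nil, fmt.Errorf("MAC mismatch: file was tampered with")
	}
	return plain, nil
}
```

Encrypt with prev == nil is option 2's fresh encryption (new data key, every ciphertext rewritten); passing the previous file is option 1, and the untouched values come back byte-identical along with the wrapped data key. Decrypt rejects a ciphertext moved under a different key (GCM fails on the mismatched AAD) and a removed key (the MAC no longer matches): the two edits a plain per-value cipher would accept.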
Mozilla SOPS - Diffs in Cleartext in Git
.gitattributes:
~ > cat ~/.gitattributes
*.enc diff=sopsdiffer
*.enc.yaml diff=sopsdiffer
*.enc.json diff=sopsdiffer
.gitconfig:
~ > grep -A1 sops ~/.gitconfig
[diff "sopsdiffer"]
textconv = "sops -d"
In my testing, this worked if .sops.yaml is at the root directory of the git project and the regex expression is based on the filename but not the directory name:
dev/secret-values.enc.yaml → dev-secret-values.enc.yaml
Mozilla SOPS - Demo
● Install SOPS
● Create and export GPG keys
● Set up .sops.yaml, folder per environment and encrypt input file
● In-place edit
Jenkins Job in a Container
(Diagram: the Jenkins workspace /jenkins/job1/ws is bind-mounted into the container at /ws; /build is a tmpfs, backed by memory only.)
● Jenkins → minimal configuration on Jenkins nodes
○ Do not store encryption keys on Jenkins master or nodes → AWS KMS
○ Secrets should not be left in plain text format on build success or failure → Docker tmpfs
○ Store encrypted kube config files and AWS credentials in Git → AWS KMS
Decrypted files are stored only in the /build directory.
Jenkins access:
- ECR
- KMS
- S3
Limit Secrets Access to Microservices
Separate Secret object for each credential, mounted only where a flag enables it.
Helm's values.yaml:
secret1Enabled: true
secret2Enabled: false
Helm's Deployment.yaml (volumes entry):
{{ if .Values.secret1Enabled }}
- name: {{ .Values.secret.secret1 }}
  secret:
    secretName: {{ .Values.secret.secret1 }}
{{ end }}
A Secret that is not mounted never reaches the pod's filesystem; if the pod's service account can also read Secrets through the API, restrict that with RBAC as well.
Secrets Management Requirements
● Manage secrets as code → check-in, build and deploy
○ Secrets should be encrypted before check-in ✔
● Encryption keys management
○ Different encryption keys for environments ✔
○ Centralized access → do not store keys locally ✔
○ Audit usage ✔
○ Limit key access to individual members based on environment ✔
○ Grant and revoke access easily ✔
● Jenkins → minimal configuration on Jenkins nodes
○ Do not store encryption keys on Jenkins master or nodes ✔
○ Secrets should not be left in plain text format on build success or failure ✔
○ Store encrypted kube config files and AWS credentials in Git ✔
● Limit secrets access to the microservices that use them ✔
Questions?

More Related Content

What's hot

Secrets in Kubernetes
Secrets in KubernetesSecrets in Kubernetes
Secrets in KubernetesJerry Jalava
 
멀티 클라우드 시대의 정보보호 관리체계
멀티 클라우드 시대의 정보보호 관리체계멀티 클라우드 시대의 정보보호 관리체계
멀티 클라우드 시대의 정보보호 관리체계Logpresso
 
GitOps is IaC done right
GitOps is IaC done rightGitOps is IaC done right
GitOps is IaC done rightChen Cheng-Wei
 
Microservices Architecture - Cloud Native Apps
Microservices Architecture - Cloud Native AppsMicroservices Architecture - Cloud Native Apps
Microservices Architecture - Cloud Native AppsAraf Karsh Hamid
 
DevOps Meetup ansible
DevOps Meetup   ansibleDevOps Meetup   ansible
DevOps Meetup ansiblesriram_rajan
 
Kubernetes Deployment Strategies
Kubernetes Deployment StrategiesKubernetes Deployment Strategies
Kubernetes Deployment StrategiesAbdennour TM
 
Hands-On Introduction to Kubernetes at LISA17
Hands-On Introduction to Kubernetes at LISA17Hands-On Introduction to Kubernetes at LISA17
Hands-On Introduction to Kubernetes at LISA17Ryan Jarvinen
 
Kubernetes and service mesh application
Kubernetes  and service mesh applicationKubernetes  and service mesh application
Kubernetes and service mesh applicationThao Huynh Quang
 
Terraform introduction
Terraform introductionTerraform introduction
Terraform introductionJason Vance
 
Building PaaS with Amazon EKS for the Large-Scale, Highly Regulated Enterpris...
Building PaaS with Amazon EKS for the Large-Scale, Highly Regulated Enterpris...Building PaaS with Amazon EKS for the Large-Scale, Highly Regulated Enterpris...
Building PaaS with Amazon EKS for the Large-Scale, Highly Regulated Enterpris...Amazon Web Services
 
Introduction To Terraform
Introduction To TerraformIntroduction To Terraform
Introduction To TerraformSasitha Iresh
 
Getting Started with Kubernetes
Getting Started with Kubernetes Getting Started with Kubernetes
Getting Started with Kubernetes VMware Tanzu
 
Build real-time streaming data pipelines to AWS with Confluent
Build real-time streaming data pipelines to AWS with ConfluentBuild real-time streaming data pipelines to AWS with Confluent
Build real-time streaming data pipelines to AWS with Confluentconfluent
 
Istio Service Mesh
Istio Service MeshIstio Service Mesh
Istio Service MeshLuke Marsden
 
Creating your Hybrid Cloud with AWS -Technical 201
Creating your Hybrid Cloud with AWS -Technical 201Creating your Hybrid Cloud with AWS -Technical 201
Creating your Hybrid Cloud with AWS -Technical 201Amazon Web Services
 
Kubernetes Webinar - Using ConfigMaps & Secrets
Kubernetes Webinar - Using ConfigMaps & Secrets Kubernetes Webinar - Using ConfigMaps & Secrets
Kubernetes Webinar - Using ConfigMaps & Secrets Janakiram MSV
 
Azure Arc - Managing Hybrid and Multi-Cloud Platforms
Azure Arc - Managing Hybrid and Multi-Cloud PlatformsAzure Arc - Managing Hybrid and Multi-Cloud Platforms
Azure Arc - Managing Hybrid and Multi-Cloud PlatformsWinWire Technologies Inc
 
An Introduction to Kubernetes
An Introduction to KubernetesAn Introduction to Kubernetes
An Introduction to KubernetesImesh Gunaratne
 

What's hot (20)

Secrets in Kubernetes
Secrets in KubernetesSecrets in Kubernetes
Secrets in Kubernetes
 
멀티 클라우드 시대의 정보보호 관리체계
멀티 클라우드 시대의 정보보호 관리체계멀티 클라우드 시대의 정보보호 관리체계
멀티 클라우드 시대의 정보보호 관리체계
 
GitOps is IaC done right
GitOps is IaC done rightGitOps is IaC done right
GitOps is IaC done right
 
Microservices Architecture - Cloud Native Apps
Microservices Architecture - Cloud Native AppsMicroservices Architecture - Cloud Native Apps
Microservices Architecture - Cloud Native Apps
 
DevOps Meetup ansible
DevOps Meetup   ansibleDevOps Meetup   ansible
DevOps Meetup ansible
 
Kubernetes Deployment Strategies
Kubernetes Deployment StrategiesKubernetes Deployment Strategies
Kubernetes Deployment Strategies
 
Hands-On Introduction to Kubernetes at LISA17
Hands-On Introduction to Kubernetes at LISA17Hands-On Introduction to Kubernetes at LISA17
Hands-On Introduction to Kubernetes at LISA17
 
Kubernetes and service mesh application
Kubernetes  and service mesh applicationKubernetes  and service mesh application
Kubernetes and service mesh application
 
Best Practices with Azure & Kubernetes
Best Practices with Azure & KubernetesBest Practices with Azure & Kubernetes
Best Practices with Azure & Kubernetes
 
Terraform introduction
Terraform introductionTerraform introduction
Terraform introduction
 
Building PaaS with Amazon EKS for the Large-Scale, Highly Regulated Enterpris...
Building PaaS with Amazon EKS for the Large-Scale, Highly Regulated Enterpris...Building PaaS with Amazon EKS for the Large-Scale, Highly Regulated Enterpris...
Building PaaS with Amazon EKS for the Large-Scale, Highly Regulated Enterpris...
 
Introduction To Terraform
Introduction To TerraformIntroduction To Terraform
Introduction To Terraform
 
Getting Started with Kubernetes
Getting Started with Kubernetes Getting Started with Kubernetes
Getting Started with Kubernetes
 
Build real-time streaming data pipelines to AWS with Confluent
Build real-time streaming data pipelines to AWS with ConfluentBuild real-time streaming data pipelines to AWS with Confluent
Build real-time streaming data pipelines to AWS with Confluent
 
Istio Service Mesh
Istio Service MeshIstio Service Mesh
Istio Service Mesh
 
Kubernetes Basics
Kubernetes BasicsKubernetes Basics
Kubernetes Basics
 
Creating your Hybrid Cloud with AWS -Technical 201
Creating your Hybrid Cloud with AWS -Technical 201Creating your Hybrid Cloud with AWS -Technical 201
Creating your Hybrid Cloud with AWS -Technical 201
 
Kubernetes Webinar - Using ConfigMaps & Secrets
Kubernetes Webinar - Using ConfigMaps & Secrets Kubernetes Webinar - Using ConfigMaps & Secrets
Kubernetes Webinar - Using ConfigMaps & Secrets
 
Azure Arc - Managing Hybrid and Multi-Cloud Platforms
Azure Arc - Managing Hybrid and Multi-Cloud PlatformsAzure Arc - Managing Hybrid and Multi-Cloud Platforms
Azure Arc - Managing Hybrid and Multi-Cloud Platforms
 
An Introduction to Kubernetes
An Introduction to KubernetesAn Introduction to Kubernetes
An Introduction to Kubernetes
 

Similar to Secrets Management and Delivery to Kubernetes Pods

Sharing secret keys in Docker containers and K8s
Sharing secret keys in Docker containers and K8sSharing secret keys in Docker containers and K8s
Sharing secret keys in Docker containers and K8sJose Manuel Ortega Candel
 
Mike Allen's AWS + OWASP talk "AWS secret manager for protecting and rotating...
Mike Allen's AWS + OWASP talk "AWS secret manager for protecting and rotating...Mike Allen's AWS + OWASP talk "AWS secret manager for protecting and rotating...
Mike Allen's AWS + OWASP talk "AWS secret manager for protecting and rotating...AWS Chicago
 
MariaDB Security Best Practices
MariaDB Security Best PracticesMariaDB Security Best Practices
MariaDB Security Best PracticesFederico Razzoli
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Commit 2024 Secrets Management Made Easy
Commit 2024 Secrets Management Made EasyCommit 2024 Secrets Management Made Easy
Commit 2024 Secrets Management Made EasyAlfredo García Lavilla
 
Securing your database servers from external attacks
Securing your database servers from external attacksSecuring your database servers from external attacks
Securing your database servers from external attacksAlkin Tezuysal
 
Knolx_ Sealed Secrets
Knolx_ Sealed SecretsKnolx_ Sealed Secrets
Knolx_ Sealed SecretsKnoldus Inc.
 
Understanding Sealed Secrets Presentation
Understanding Sealed Secrets PresentationUnderstanding Sealed Secrets Presentation
Understanding Sealed Secrets PresentationKnoldus Inc.
 
XP Days 2019: First secret delivery for modern cloud-native applications
XP Days 2019: First secret delivery for modern cloud-native applicationsXP Days 2019: First secret delivery for modern cloud-native applications
XP Days 2019: First secret delivery for modern cloud-native applicationsVlad Fedosov
 
A3Sec Advanced Deployment System
A3Sec Advanced Deployment SystemA3Sec Advanced Deployment System
A3Sec Advanced Deployment Systema3sec
 
Navigating MongoDB's Queryable Encryption for Ultimate Security - Mydbops
Navigating MongoDB's Queryable Encryption for Ultimate Security - MydbopsNavigating MongoDB's Queryable Encryption for Ultimate Security - Mydbops
Navigating MongoDB's Queryable Encryption for Ultimate Security - MydbopsMydbops
 
Simplify Your Code with Helmfile
Simplify Your Code with HelmfileSimplify Your Code with Helmfile
Simplify Your Code with HelmfileCodefresh
 
Mastering Secrets Management in Rundeck
Mastering Secrets Management in RundeckMastering Secrets Management in Rundeck
Mastering Secrets Management in RundeckRundeck
 
Securing Sensitive Data with Azure Key Vault (Tom Kerkhove @ ITProceed)
Securing Sensitive Data with Azure Key Vault (Tom Kerkhove @ ITProceed)Securing Sensitive Data with Azure Key Vault (Tom Kerkhove @ ITProceed)
Securing Sensitive Data with Azure Key Vault (Tom Kerkhove @ ITProceed)Codit
 
ITProceed 2015 - Securing Sensitive Data with Azure Key Vault
ITProceed 2015 - Securing Sensitive Data with Azure Key VaultITProceed 2015 - Securing Sensitive Data with Azure Key Vault
ITProceed 2015 - Securing Sensitive Data with Azure Key VaultTom Kerkhove
 
Implementing Active Security with Sysdig Falco - Docker Meetup Barcelona
Implementing Active Security with Sysdig Falco - Docker Meetup BarcelonaImplementing Active Security with Sysdig Falco - Docker Meetup Barcelona
Implementing Active Security with Sysdig Falco - Docker Meetup BarcelonaNéstor Salceda
 
Secret Management Architectures
Secret Management Architectures Secret Management Architectures
Secret Management Architectures Stenio Ferreira
 
Secret Management Journey - Here Be Dragons aka Secret Dragons
Secret Management Journey - Here Be Dragons aka Secret DragonsSecret Management Journey - Here Be Dragons aka Secret Dragons
Secret Management Journey - Here Be Dragons aka Secret DragonsMichael Man
 
Beyond the Basics 4: How to secure your MongoDB database
Beyond the Basics 4: How to secure your MongoDB databaseBeyond the Basics 4: How to secure your MongoDB database
Beyond the Basics 4: How to secure your MongoDB databaseMongoDB
 
Automation Patterns for Scalable Secret Management
Automation Patterns for Scalable Secret ManagementAutomation Patterns for Scalable Secret Management
Automation Patterns for Scalable Secret ManagementMary Racter
 

Similar to Secrets Management and Delivery to Kubernetes Pods (20)

Sharing secret keys in Docker containers and K8s
Sharing secret keys in Docker containers and K8sSharing secret keys in Docker containers and K8s
Sharing secret keys in Docker containers and K8s
 
Mike Allen's AWS + OWASP talk "AWS secret manager for protecting and rotating...
Mike Allen's AWS + OWASP talk "AWS secret manager for protecting and rotating...Mike Allen's AWS + OWASP talk "AWS secret manager for protecting and rotating...
Mike Allen's AWS + OWASP talk "AWS secret manager for protecting and rotating...
 
MariaDB Security Best Practices
MariaDB Security Best PracticesMariaDB Security Best Practices
MariaDB Security Best Practices
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Commit 2024 Secrets Management Made Easy
Commit 2024 Secrets Management Made EasyCommit 2024 Secrets Management Made Easy
Commit 2024 Secrets Management Made Easy
 
Securing your database servers from external attacks
Securing your database servers from external attacksSecuring your database servers from external attacks
Securing your database servers from external attacks
 
Knolx_ Sealed Secrets
Knolx_ Sealed SecretsKnolx_ Sealed Secrets
Knolx_ Sealed Secrets
 
Understanding Sealed Secrets Presentation
Understanding Sealed Secrets PresentationUnderstanding Sealed Secrets Presentation
Understanding Sealed Secrets Presentation
 
XP Days 2019: First secret delivery for modern cloud-native applications
XP Days 2019: First secret delivery for modern cloud-native applicationsXP Days 2019: First secret delivery for modern cloud-native applications
XP Days 2019: First secret delivery for modern cloud-native applications
 
A3Sec Advanced Deployment System
A3Sec Advanced Deployment SystemA3Sec Advanced Deployment System
A3Sec Advanced Deployment System
 
Navigating MongoDB's Queryable Encryption for Ultimate Security - Mydbops
Navigating MongoDB's Queryable Encryption for Ultimate Security - MydbopsNavigating MongoDB's Queryable Encryption for Ultimate Security - Mydbops
Navigating MongoDB's Queryable Encryption for Ultimate Security - Mydbops
 
Simplify Your Code with Helmfile
Simplify Your Code with HelmfileSimplify Your Code with Helmfile
Simplify Your Code with Helmfile
 
Mastering Secrets Management in Rundeck
Mastering Secrets Management in RundeckMastering Secrets Management in Rundeck
Mastering Secrets Management in Rundeck
 
Securing Sensitive Data with Azure Key Vault (Tom Kerkhove @ ITProceed)
Securing Sensitive Data with Azure Key Vault (Tom Kerkhove @ ITProceed)Securing Sensitive Data with Azure Key Vault (Tom Kerkhove @ ITProceed)
Securing Sensitive Data with Azure Key Vault (Tom Kerkhove @ ITProceed)
 
ITProceed 2015 - Securing Sensitive Data with Azure Key Vault
ITProceed 2015 - Securing Sensitive Data with Azure Key VaultITProceed 2015 - Securing Sensitive Data with Azure Key Vault
ITProceed 2015 - Securing Sensitive Data with Azure Key Vault
 
Implementing Active Security with Sysdig Falco - Docker Meetup Barcelona
Implementing Active Security with Sysdig Falco - Docker Meetup BarcelonaImplementing Active Security with Sysdig Falco - Docker Meetup Barcelona
Implementing Active Security with Sysdig Falco - Docker Meetup Barcelona
 
Secret Management Architectures
Secret Management Architectures Secret Management Architectures
Secret Management Architectures
 
Secret Management Journey - Here Be Dragons aka Secret Dragons
Secret Management Journey - Here Be Dragons aka Secret DragonsSecret Management Journey - Here Be Dragons aka Secret Dragons
Secret Management Journey - Here Be Dragons aka Secret Dragons
 
Beyond the Basics 4: How to secure your MongoDB database
Beyond the Basics 4: How to secure your MongoDB databaseBeyond the Basics 4: How to secure your MongoDB database
Beyond the Basics 4: How to secure your MongoDB database
 
Automation Patterns for Scalable Secret Management
Automation Patterns for Scalable Secret ManagementAutomation Patterns for Scalable Secret Management
Automation Patterns for Scalable Secret Management
 

Recently uploaded

Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetEnjoy Anytime
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 

Recently uploaded (20)

Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 

Secrets Management and Delivery to Kubernetes Pods

  • 1. Secrets Management and Delivery to Kubernetes Pods Satish Devarapalli
  • 2. $whoami Satish Devarapalli Cloud Platform Architect @devasat https://www.linkedin.com/in/satish-devarapalli-48a82a5/
  • 3. Agenda ● Project Intro ● Secrets Delivery Pipeline View ● Mozilla SOPS (Secret OPerationS) ● Questions
  • 4. Project Intro Product auth 𝞵 svc𝞵 svc ... Application Secrets ● Database Credentials ● AWS Credentials ● API Keys ● License Keys ● Encryption Keys CI/CD Secrets ● AWS Credentials ● Kube Config Files ● Encryption Keys
  • 5. ● Manage secrets as code → check-in, build and deploy ○ Secrets should be encrypted before check-in ● Encryption keys management ○ Different encryption keys for environments ○ Centralized access → do not store keys locally ○ Audit usage ○ Limit key access to individual members based on environment ○ Grant and revoke access easily ● Jenkins → minimal configuration on Jenkins nodes ○ Do not store encryption keys on Jenkins master or nodes ○ Secrets should not be left in plain text format on build success or failure ○ Store encrypted kube config files and AWS credentials in Git ● Limit secrets access to microservices that use it Secrets Management Requirements
  • 6. Agenda
    ● Project Intro
    ● Secrets Delivery Pipeline View
    ● Mozilla SOPS (Secret OPerationS)
    ● Questions
  • 7. Secrets Delivery Pipeline
    (Diagram labels: Mozilla SOPS + AWS KMS, enc / dec; environments Dev, QA, Prod; Jenkins job runs inside a container; Helm install per environment; Helm chart versions: env-config-1.0.0-101-af837dh, env-config-1.0.0-102-x7jwy62)
  • 8. Agenda
    ● Project Intro
    ● Secrets Delivery Pipeline View
    ● Mozilla SOPS (Secret OPerationS)
    ● Questions
  • 9. AWS KMS - Envelope Encryption
    Picture source: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/how-it-works.html
  • 10. Mozilla Secret OPerationS (SOPS)
    ~ > export SOPS_KMS_ARN="arn:aws:kms:us-east-1:212121:key/3434-c5f1-4040"
    ~ > sops -e secret-values.dec.yaml > secret-values.enc.yaml
    (Diagram labels: SOPS generates 256-bit data key; secret-values.dec.yaml → secret-values.enc.yaml; SOPS_KMS_ARN; AWS Boundary)
    Picture source: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/how-it-works.html
  • 11. Mozilla Secret OPerationS (SOPS)
    (Diagram labels: secret-values.dec.yaml; secret-values.enc.yaml)
  • 12. Mozilla Secret OPerationS (SOPS)
    secret-values.enc.yaml = data + encryption information
    (Diagram labels: Data Encryption Key ID; Base64 encoded value of Encrypted Data key; Message Authentication Code, prevents file tampering; JSON and YAML keys are not encrypted)
  • 13. Mozilla SOPS - Key Providers
    Microsoft Azure Key Vault → SOPS_AZURE_KEYVAULT_URL
    Google Cloud KMS → SOPS_GCP_KMS_IDS
    AWS KMS → SOPS_KMS_ARN
    PGP → SOPS_PGP_FP
  • 14. Mozilla SOPS - File Types
    ● Supported types: JSON, YAML and Binary
    ● Special support for JSON and YAML files
      ○ Encrypts only the values
      ○ File extension is used to determine the type
        ■ secret-values.yaml.enc → binary file
        ■ secret-values.enc.yaml → yaml file
      ○ Some YAML types (anchors, streams, top-level arrays) are not supported
    (Diagram labels: Input file is treated as blob; Key fingerprint; Encrypted data key)
  • 15. Mozilla SOPS - Multiple Master Keys
    (Diagram labels: Shared Services, Global Master Key; Business Unit 1: DEV, QA, PROD; Business Unit 2: DEV, QA, PROD)
    Multiple Master Key Uses:
    - Encryption key in master AWS account
    - Encryption keys in different regions
    - Encryption keys in different key providers (hybrid cloud)
    - PGP key (stored offline)
  • 16. Mozilla SOPS - .sops.yaml
    The filename path passed to sops is matched against the regex in .sops.yaml (shown on the slide image):
    dev/secret-values.enc.yaml ✔
    dev/secret-values.dec.yaml ✔
    dev/aws-credentials.dec ✔
    dev/aws-credentials ❌
  • 17. Mozilla SOPS - .sops.yaml
    At root directory:
    ~> sops -i -e dev/secret-values.enc.yaml ✔
    ~> cd dev && sops -i -e secret-values.enc.yaml ❌
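The behaviour on slides 16 and 17, as an added example (not SOPS code): the path string sops is given on the command line is tested against each creation rule's path_regex in order, and the first match decides which key encrypts the file. The .sops.yaml content, its regexes and the KMS ARNs are constructed placeholders; the reader for it handles only this simple shape, not general YAML. Anchoring each pattern on the environment directory is what keeps a dev/ file from ever being encrypted under the prod key, and it is also why the same file no longer matches when sops is run from inside dev/.

```python
"""Model of sops creation-rule selection from .sops.yaml (added example, stdlib only)."""
import re

# Constructed .sops.yaml: one KMS key per environment, matched on the directory prefix.
# The ARNs are placeholders.
SOPS_YAML = r"""
creation_rules:
  - path_regex: ^dev/.*\.(enc|dec)(\.yaml|\.json)?$
    kms: arn:aws:kms:us-east-1:000000000000:key/dev-placeholder
  - path_regex: ^qa/.*\.(enc|dec)(\.yaml|\.json)?$
    kms: arn:aws:kms:us-east-1:000000000000:key/qa-placeholder
  - path_regex: ^prod/.*\.(enc|dec)(\.yaml|\.json)?$
    kms: arn:aws:kms:us-east-1:000000000000:key/prod-placeholder
"""


def parse_sops_yaml(text):
    """Minimal reader for the creation_rules list above; not a general YAML parser."""
    rules, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("- path_regex:"):
            current = {"path_regex": line.split(":", 1)[1].strip()}
            rules.append(current)
        elif line.startswith("kms:") and current is not None:
            current["kms"] = line.split(":", 1)[1].strip()
    return rules


def select_rule(path, rules):
    """Return the KMS ARN of the first rule whose path_regex matches `path`, else None.

    `path` is exactly the argument given to sops: no normalisation, so a
    './dev/...' prefix or running from inside dev/ changes the outcome.
    """
    for rule in rules:
        if re.search(rule["path_regex"], path):
            return rule["kms"]
    return None


if __name__ == "__main__":
    rules = parse_sops_yaml(SOPS_YAML)
    # Slide 16: which paths a dev rule accepts
    for p in ["dev/secret-values.enc.yaml", "dev/secret-values.dec.yaml",
              "dev/aws-credentials.dec", "dev/aws-credentials"]:
        print(p, "->", select_rule(p, rules))
    # Slide 17: the same file invoked from the root directory vs. from inside dev/
    print("root dir:", select_rule("dev/secret-values.enc.yaml", rules))
    print("cd dev  :", select_rule("secret-values.enc.yaml", rules))
```

A path that matches no rule is a hard failure in this model (None), which is the safe outcome: better to refuse than to silently encrypt under the wrong environment's key.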
  • 18. Mozilla SOPS - Edit Files
    Option 1: in-place edit
    ● Data key doesn't change
    ● Only the key value that was modified appears in the git diff
    ~ > export EDITOR=vi
    ~ > sops -i secret-values.enc.yaml
  • 19. Mozilla SOPS - Edit Files
    Option 2: decrypt and encrypt
    ● Data key changes
    ● All key values appear to have changed in git diff
    ~ > # Decrypt
    ~ > sops -d secret-values.enc.yaml > secret-values.dec.yaml
    ~ > # Encrypt
    ~ > sops -e secret-values.dec.yaml > secret-values.enc.yaml
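The following is an added example, not SOPS source code, that models in one script what slides 10 to 14 and 18 to 19 describe: a fresh 256-bit data key encrypts only the values (keys stay in cleartext), the data key is wrapped by the KMS key identified by the ARN, a MAC over the cleartext values detects tampering, and the two edit options differ in whether the data key is kept. An HMAC-SHA256 keystream XOR stands in for AES-GCM, FakeKms stands in for AWS KMS, and every ARN and secret value is a constructed placeholder; only the standard library is used.

```python
"""Toy model of the SOPS file format and its two edit modes (added example, stdlib only).
A keystream cipher stands in for AES-GCM and FakeKms for AWS KMS; all ARNs and
secret values are placeholders."""
import base64, hashlib, hmac, json, secrets

NONCE_LEN = 12

def _keystream(key, nonce, length):
    """Toy stream cipher: expand key + nonce into `length` bytes of keystream."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_value(key, plaintext):
    """Encrypt one value under `key`; a fresh nonce makes equal values look different."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return "ENC[" + base64.b64encode(nonce + ct).decode() + "]"

def decrypt_value(key, token):
    raw = base64.b64decode(token[len("ENC["):-1])
    nonce, ct = raw[:NONCE_LEN], raw[NONCE_LEN:]
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def _mac(data_key, plain):
    """MAC over the cleartext values, keyed with the data key: detects edits made outside sops."""
    canon = json.dumps(plain, sort_keys=True).encode()
    return base64.b64encode(hmac.new(data_key, canon, hashlib.sha256).digest()).decode()

class FakeKms:
    """Simulated KMS: the master key never leaves this object; it only wraps/unwraps data keys."""
    def __init__(self, arn):
        self.arn = arn
        self._master_key = secrets.token_bytes(32)
    def encrypt(self, data_key):
        return encrypt_value(self._master_key, data_key)
    def decrypt(self, wrapped):
        return decrypt_value(self._master_key, wrapped)

def encrypt_file(plain, kms):
    """Build an .enc.yaml-style document: keys stay cleartext, values are encrypted, and a
    `sops` section carries the KMS key id, the wrapped data key and the MAC."""
    plain = {k: str(v) for k, v in plain.items()}          # flat mapping only, for brevity
    data_key = secrets.token_bytes(32)                     # fresh 256-bit data key per file
    enc = {k: encrypt_value(data_key, v.encode()) for k, v in plain.items()}
    enc["sops"] = {"kms": [{"arn": kms.arn, "enc": kms.encrypt(data_key)}],
                   "mac": _mac(data_key, plain)}
    return enc

def decrypt_file(enc, kms):
    """Unwrap the data key through KMS, decrypt every value, verify the MAC."""
    meta = enc["sops"]
    data_key = kms.decrypt(meta["kms"][0]["enc"])
    plain = {k: decrypt_value(data_key, v).decode("utf-8", "replace")
             for k, v in enc.items() if k != "sops"}
    if not hmac.compare_digest(_mac(data_key, plain), meta["mac"]):
        raise ValueError("MAC mismatch: encrypted file was modified outside sops")
    return plain, data_key

def edit_in_place(enc, kms, changes):
    """Option 1 (sops -i): keep the data key, re-encrypt only the modified values."""
    plain, data_key = decrypt_file(enc, kms)
    plain.update({k: str(v) for k, v in changes.items()})
    new = dict(enc)
    for k in changes:
        new[k] = encrypt_value(data_key, plain[k].encode())
    new["sops"] = {**enc["sops"], "mac": _mac(data_key, plain)}   # wrapped data key unchanged
    return new

def decrypt_then_encrypt(enc, kms, changes):
    """Option 2 (sops -d, edit, sops -e): new data key, so every value is re-encrypted."""
    plain, _ = decrypt_file(enc, kms)
    plain.update(changes)
    return encrypt_file(plain, kms)

def changed_keys(before, after):
    """Keys whose ciphertext differs between two encrypted files (what git diff would show)."""
    return {k for k in before if k != "sops" and before[k] != after.get(k)}

# Constructed sample secrets; placeholders, not real credentials.
SAMPLE = {"db_password": "pg-example-1", "api_key": "api-example-2", "license_key": "lic-example-3"}

if __name__ == "__main__":
    kms = FakeKms("arn:aws:kms:us-east-1:000000000000:key/example-placeholder")
    enc = encrypt_file(SAMPLE, kms)
    print(json.dumps(enc, indent=2))
    change = {"api_key": "rotated-example"}
    print("in-place edit changed:", changed_keys(enc, edit_in_place(enc, kms, change)))
    print("decrypt+encrypt changed:", changed_keys(enc, decrypt_then_encrypt(enc, kms, change)))
```

Running it shows the git-diff consequence of each option directly: edit_in_place leaves every untouched ciphertext byte-for-byte identical, while decrypt_then_encrypt changes all of them because a new data key (and new nonces) were used. The MAC check in decrypt_file is what turns a hand-edited or value-swapped encrypted file into a hard error instead of a silently wrong secret.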
  • 20. Mozilla SOPS - Diffs in Cleartext in Git
    .gitattributes:
    ~ > cat ~/.gitattributes
    *.enc diff=sopsdiffer
    *.enc.yaml diff=sopsdiffer
    *.enc.json diff=sopsdiffer
    .gitconfig:
    ~ > grep -A1 sops ~/.gitconfig
    [diff "sopsdiffer"]
        textconv = "sops -d"
    In my testing, this worked if .sops.yaml is at the root directory of the git project and the regex expression is based on the filename but not the directory name: dev/secret-values.enc.yaml → dev-secret-values.enc.yaml
  • 21. Mozilla SOPS - Demo
    ● Install SOPS
    ● Create and export GPG keys
    ● Set up .sops.yaml, folder per environment and encrypt input file
    ● In-place edit
  • 22. Secrets Management Requirements
    ● Manage secrets as code → check-in, build and deploy
      ○ Secrets should be encrypted before check-in ✔
    ● Encryption keys management
      ○ Different encryption keys for environments ✔
      ○ Centralized access → do not store key locally ✔
      ○ Audit usage ✔
      ○ Limit key access to individual members based on environment ✔
      ○ Grant and revoke access easily ✔
    ● Jenkins → minimal configuration on Jenkins nodes
      ○ Do not store encryption keys on Jenkins master or nodes
      ○ Secrets should not be left in plain text format on build success or failure
      ○ Store encrypted kube config files and AWS credentials in Git
    ● Limit secrets access to microservices that use it
  • 23. Jenkins
    (Diagram labels: Jenkins: /jenkins/job1/ws; Jenkins job in a container: /build on tmpfs (memory), /ws bind-mounted; Decrypted files are stored only in /build directory; Jenkins Access: ECR, KMS, S3)
    ● Jenkins → minimal configuration on Jenkins nodes
      ○ Do not store encryption keys on Jenkins master or nodes → AWS KMS
      ○ Secrets should not be left in plain text format on build success or failure → Docker tmpfs
      ○ Store encrypted kube config files and AWS credentials in Git → AWS KMS
  • 24. Secrets Management Requirements
    ● Manage secrets as code → check-in, build and deploy
      ○ Secrets should be encrypted before check-in ✔
    ● Encryption keys management
      ○ Different encryption keys for environments ✔
      ○ Centralized access → do not store key locally ✔
      ○ Audit usage ✔
      ○ Limit key access to individual members based on environment ✔
      ○ Grant and revoke access easily ✔
    ● Jenkins → minimal configuration on Jenkins nodes
      ○ Do not store encryption keys on Jenkins master or nodes ✔
      ○ Secrets should not be left in plain text format on build success or failure ✔
      ○ Store encrypted kube config files and AWS credentials in Git ✔
    ● Limit secrets access to microservices that use it
  • 25. Limit Secrets Access to Microservices
    Separate Secret object for each credential
    Helm's values.yaml:
    secret1Enabled: true
    secret2Enabled: false
    Helm's Deployment.yaml:
    {{ if .Values.secret1Enabled }}
    - name: {{ .Values.secret.secret1 }}
      secret:
        secretName: {{ .Values.secret.secret1 }}
    {{ end }}
  • 26. Secrets Management Requirements
    ● Manage secrets as code → check-in, build and deploy
      ○ Secrets should be encrypted before check-in ✔
    ● Encryption keys management
      ○ Different encryption keys for environments ✔
      ○ Centralized access → do not store key locally ✔
      ○ Audit usage ✔
      ○ Limit key access to individual members based on environment ✔
      ○ Grant and revoke access easily ✔
    ● Jenkins → minimal configuration on Jenkins nodes
      ○ Do not store encryption keys on Jenkins master or nodes ✔
      ○ Secrets should not be left in plain text format on build success or failure ✔
      ○ Store encrypted kube config files and AWS credentials in Git ✔
    ● Limit secrets access to microservices that use it ✔