SlideShare a Scribd company logo
1 of 71
Download to read offline
@omerlh
Can Kubernetes Keep a
Secret?
Omer Levi Hevroni
AppSec Cali 2019
@omerlh@omerlh
@omerlh
I’m a builder
@omerlh
@omerlh
DevSecOps @
@omerlh
I OWASP
• Zap contributor
• Proud member
• Glue project leader
@omerlh
@omerlh
Super-Devs: Full Responsibility
● Writing Code
● Deploying to Production
● Monitoring
https://www.imdb.com/title/tt4016454/mediaviewer/rm2380811776
@omerlh
Super-Devs Need Help
● Good tools to support them
● Make it harder to do mistakes
● Secure by design
@omerlh
@omerlh
Manifests
Files
Code
A GitOps Solution
Kubernetes Icons Source: Kubernetes Community, Apache 2 license
@omerlh
How do we manage secrets?
@omerlh
Manifests
Files
Code
Secret
A GitOps Solution
Kubernetes Icons Source: Kubernetes Community, Apache 2 license
@omerlh
Requirements
 GitOps
 Kubernetes native
 Secure
 “One-way encryption”
@omerlh
Pod is out of scope
● Who can “SSH” into it?
● What is running on the pod?
● Does the code leaked the secrets?
@omerlh
Let’s Go!
@omerlh
First iteration – Kubernetes Secrets
@omerlh
https://kubernetes.io/docs/concepts/configuration/secret/
@omerlh
Requirements
 GitOps
 Kubernetes native
 Secure
@omerlh@omerlh
@omerlh
Let’s take a deeper look…
 Producing (dev)
 Consuming (application)
Kubernetes Icons Source: Kubernetes Community, Apache 2 license
@omerlh
Producing - File Manifest?
@omerlh
Well, that complicates things…
http://i.imgur.com/5ebYy62.jpg
@omerlh
@omerlh
Producing – Naive Approach
@omerlh
Producing - Encrypted Secrets?
● Secrets that can be committed
● Transparent for the application
● Multiple solutions
○ Helm Secrets
○ Sealed Secrets
@omerlh
A Sealed Secret
@omerlh@omerlh
@omerlh
Issues
● Key Management
○ Sealed Secret – single key-pair in the cluster
○ Helm Secret – based on Mozilla mops (AWS/GCP KMS support)
● Coupling to a specific cluster/deployment method
● Any change to the secret requires decryption
@omerlh
Let’s take a deeper look…
ⓧ Producing (dev)
 Consuming (application)
@omerlh
Consuming – Environment Variables
@omerlh
The Environment Variable Dispute
https://i0.wp.com/www.rogerogreen.com/wp-content/uploads/2015/06/Disputation.jpg
@omerlh
• Some log libraries collects
env vars
• Accessible via /proc
• Visible when inspecting
docker image
• RCE – run env to leaked all
env vars. Simpler than
finding all sensitive files and
exporting them (even with
LFI)
• Harder to commit accidently
• Simpler than files
• If you can access /proc or
inspect docker images, you can
inspect mounted volumes
• Better permissions model on
windows (thanks @swisshttp!)
• Leaked files (thanks
@sporkmonger!)
The Environment Variable Dispute
Cons Pros
https://tvtropes.org/pmwiki/pmwiki.php/Main/GoodAngelBadAngel
@omerlhhttps://twitter.com/omerlh/status/1079088158929797121
@omerlh
Consuming – Volume Mount
@omerlh
Consuming/Producing: Configuration Files
Configuration File
Base64 Encoder
Secret Manifest
@omerlh
Let’s take a deeper look…
ⓧ Producing (dev)
ⓧ Consuming (application)
Kubernetes Icons Source: Kubernetes Community, Apache 2 license
@omerlh
Requirements
 GitOps – under some serious limitations
 Kubernetes native
 Secure – depend on usage
@omerlh
Second iteration – Hashicorp Vault
@omerlh
What?
● Secure secrets storage
● Native Kubernetes integration
● Seamless consuming
○ Side-car to generate config files
https://www.vaultproject.io/
@omerlh
Workflow
/my-app/super-sensitive
Kubernetes Icons Source: Kubernetes Community, Apache 2 license
@omerlh
@omerlh
@omerlh
Workflow
Access Control
/my-app/super-sensitive
Kubernetes Icons Source: Kubernetes Community, Apache 2 license
@omerlh
Manifests
Files
Code
Secret
Vault - Threat Modeling
Kubernetes Icons Source: Kubernetes Community, Apache 2 license
Kubernetes Icons Source: Kubernetes Community, Apache 2 license
@omerlh
Imperfect solution
●Separate storage of secrets and deployment files
○ No single source of truth
●External Permission Model
●Deployment
○ Cloud vendor alternatives (Azure KeyVault, AWS secret manager)
○ Vault users authn/authz
@omerlh
Requirements
ⓧ GitOps
 Kubernetes native
 Secure – depend on usage
@omerlh
@omerlh
Travis Encrypted Secrets
https://docs.travis-ci.com/user/encryption-keys/
@omerlh
Eureka!
http://theunprofessionalblog.blogspot.com/2016/04/whatsapp-this-is-killing-me.html
@omerlh
Third iteration – Kamus
Travis secret encryption – for Kubernetes
@omerlh
Kamus?
@omerlh
https://github.com/Soluto/kamus/tree/master/example
@omerlh
A perfect solution?
 GitOps
 Kubernetes native
 Secure
@omerlh
Let’s talk about security
@omerlh
Permission Model
Encrypt Decrypt
User Yes (Can be
limited)
No
Pod Yes Only it’s own
secrets
@omerlh
Kamus – Threat Model
Encryptor Decryptor
Kubernetes Icons Source: Kubernetes Community, Apache 2 license
@omerlh
Mitigations: User
● Secure by default permission model
● Secured CLI
○ Enforce HTTPS
○ Support for certificate pinning
@omerlh
Mitigations: Git
● Strong encryption (using Azure KeyVault/GCP KMS)
○ HSM protection
○ IP Filtering
● One-way encryption
@omerlh
Mitigations: Pod
● Secure by default permission
model
● In-Memory volume for
decrypted files
Kubernetes Icons Source: Kubernetes Community, Apache 2 license
@omerlh
Mitigations: Kamus API
● Separate pods
● Authentication support for encryptor
● Security tests
○ SAST (Checkmarx)
○ DAST (Zaproxy)
○ Packages scan (Snyk)
@omerlh
Accepted Risks
●Clear text traffic inside the cluster
●Any pod in the same namespace can mount any service account
○ Pod impersonation
●Service account token never expires
@omerlh
Public Threat Model
https://github.com/Soluto/kamus/blob/master/docs/features
@omerlh
Security.md
https://github.com/Soluto/kamus/blob/master/security.md
@omerlh
Kamus - A perfect solution
 GitOps
 Kubernetes native
 Secure
@omerlh
How can I use it?
● Simply using helm:
helm install kamus soluto/kamus
● Checkout the install guide for a secure
installation
● Blog post - https://bit.ly/2T2Nhgs
@omerlh
Kamus Roadmap
● AWS support
● Custom Resource Descriptor
● Rolling encryption keys
● Quality – improve test coverage
● FaaS
@omerlh
Wrapping Up
@omerlh
Solutions
GitOps Kubernetes
Native
Secure
Kubernetes
Secrets
It depends Yes It depends
Vault No Yes Yes
Kamus Yes Yes Yes
@omerlhhttp://www.applestory.biz/hermione-hand-raise-gif.html
Questions?
@omerlh
Feedback appreciated
@omerlh
Can Kubernetes Keep a Secret?
@omerlh
@omerlh
Kamus Enable Super-Devs to Fly Higher
https://www.imdb.com/title/tt4016454/mediaviewer/rm2380811776
@omerlh
Thank You!
Omer Levi Hevroni
AppSec Cali 2019

More Related Content

What's hot

Authentication: Cookies vs JWTs and why you’re doing it wrong
Authentication: Cookies vs JWTs and why you’re doing it wrongAuthentication: Cookies vs JWTs and why you’re doing it wrong
Authentication: Cookies vs JWTs and why you’re doing it wrongDerek Perkins
 
Hyperledger fabric 20180528
Hyperledger fabric 20180528Hyperledger fabric 20180528
Hyperledger fabric 20180528Arnaud Le Hors
 
Ethereum Tutorial - Ethereum Explained | What is Ethereum? | Ethereum Explain...
Ethereum Tutorial - Ethereum Explained | What is Ethereum? | Ethereum Explain...Ethereum Tutorial - Ethereum Explained | What is Ethereum? | Ethereum Explain...
Ethereum Tutorial - Ethereum Explained | What is Ethereum? | Ethereum Explain...Simplilearn
 
Multi-Signature Crypto-Wallets: Nakov at Blockchain Berlin 2018
Multi-Signature Crypto-Wallets: Nakov at Blockchain Berlin 2018Multi-Signature Crypto-Wallets: Nakov at Blockchain Berlin 2018
Multi-Signature Crypto-Wallets: Nakov at Blockchain Berlin 2018Svetlin Nakov
 
Interplanetary File System.pptx
Interplanetary File System.pptxInterplanetary File System.pptx
Interplanetary File System.pptxGitam Gadtaula
 
Write smart contract with solidity on Ethereum
Write smart contract with solidity on EthereumWrite smart contract with solidity on Ethereum
Write smart contract with solidity on EthereumMurughan Palaniachari
 
Encryption technology
Encryption technologyEncryption technology
Encryption technologyNeha Bhambu
 
Develop QNAP NAS App by Docker
Develop QNAP NAS App by DockerDevelop QNAP NAS App by Docker
Develop QNAP NAS App by DockerTerry Chen
 
Blockchain - HyperLedger Fabric
Blockchain - HyperLedger FabricBlockchain - HyperLedger Fabric
Blockchain - HyperLedger FabricAraf Karsh Hamid
 
Authlete: セキュアな金融 API 基盤の実現と Google Cloud の活用 #gc_inside
Authlete: セキュアな金融 API 基盤の実現と Google Cloud の活用 #gc_insideAuthlete: セキュアな金融 API 基盤の実現と Google Cloud の活用 #gc_inside
Authlete: セキュアな金融 API 基盤の実現と Google Cloud の活用 #gc_insideTatsuo Kudo
 
Chapter 1 Introduction of Cryptography and Network security
Chapter 1 Introduction of Cryptography and Network security Chapter 1 Introduction of Cryptography and Network security
Chapter 1 Introduction of Cryptography and Network security Dr. Kapil Gupta
 
Brute force-attack presentation
Brute force-attack presentationBrute force-attack presentation
Brute force-attack presentationMahmoud Ibra
 
Building Apps with Ethereum Smart Contract
Building Apps with Ethereum Smart ContractBuilding Apps with Ethereum Smart Contract
Building Apps with Ethereum Smart ContractVaideeswaran Sethuraman
 
Overview of JSON Object Signing and Encryption
Overview of JSON Object Signing and EncryptionOverview of JSON Object Signing and Encryption
Overview of JSON Object Signing and EncryptionMasaru Kurahayashi
 
Authenticated Encryption Gcm Ccm
Authenticated Encryption Gcm CcmAuthenticated Encryption Gcm Ccm
Authenticated Encryption Gcm CcmVittorio Giovara
 
FIWARE implementation of IDS concepts
FIWARE implementation of IDS conceptsFIWARE implementation of IDS concepts
FIWARE implementation of IDS conceptsfisuda
 

What's hot (20)

Authentication: Cookies vs JWTs and why you’re doing it wrong
Authentication: Cookies vs JWTs and why you’re doing it wrongAuthentication: Cookies vs JWTs and why you’re doing it wrong
Authentication: Cookies vs JWTs and why you’re doing it wrong
 
Hyperledger fabric 20180528
Hyperledger fabric 20180528Hyperledger fabric 20180528
Hyperledger fabric 20180528
 
Ethereum Tutorial - Ethereum Explained | What is Ethereum? | Ethereum Explain...
Ethereum Tutorial - Ethereum Explained | What is Ethereum? | Ethereum Explain...Ethereum Tutorial - Ethereum Explained | What is Ethereum? | Ethereum Explain...
Ethereum Tutorial - Ethereum Explained | What is Ethereum? | Ethereum Explain...
 
Multi-Signature Crypto-Wallets: Nakov at Blockchain Berlin 2018
Multi-Signature Crypto-Wallets: Nakov at Blockchain Berlin 2018Multi-Signature Crypto-Wallets: Nakov at Blockchain Berlin 2018
Multi-Signature Crypto-Wallets: Nakov at Blockchain Berlin 2018
 
Interplanetary File System.pptx
Interplanetary File System.pptxInterplanetary File System.pptx
Interplanetary File System.pptx
 
Write smart contract with solidity on Ethereum
Write smart contract with solidity on EthereumWrite smart contract with solidity on Ethereum
Write smart contract with solidity on Ethereum
 
Encryption technology
Encryption technologyEncryption technology
Encryption technology
 
Hyperledger fabric 3
Hyperledger fabric 3Hyperledger fabric 3
Hyperledger fabric 3
 
Develop QNAP NAS App by Docker
Develop QNAP NAS App by DockerDevelop QNAP NAS App by Docker
Develop QNAP NAS App by Docker
 
Blockchain - HyperLedger Fabric
Blockchain - HyperLedger FabricBlockchain - HyperLedger Fabric
Blockchain - HyperLedger Fabric
 
Raft presentation
Raft presentationRaft presentation
Raft presentation
 
Authlete: セキュアな金融 API 基盤の実現と Google Cloud の活用 #gc_inside
Authlete: セキュアな金融 API 基盤の実現と Google Cloud の活用 #gc_insideAuthlete: セキュアな金融 API 基盤の実現と Google Cloud の活用 #gc_inside
Authlete: セキュアな金融 API 基盤の実現と Google Cloud の活用 #gc_inside
 
Chapter 1 Introduction of Cryptography and Network security
Chapter 1 Introduction of Cryptography and Network security Chapter 1 Introduction of Cryptography and Network security
Chapter 1 Introduction of Cryptography and Network security
 
Brute force-attack presentation
Brute force-attack presentationBrute force-attack presentation
Brute force-attack presentation
 
Building Apps with Ethereum Smart Contract
Building Apps with Ethereum Smart ContractBuilding Apps with Ethereum Smart Contract
Building Apps with Ethereum Smart Contract
 
Overview of JSON Object Signing and Encryption
Overview of JSON Object Signing and EncryptionOverview of JSON Object Signing and Encryption
Overview of JSON Object Signing and Encryption
 
Hyperledger Fabric
Hyperledger FabricHyperledger Fabric
Hyperledger Fabric
 
Authenticated Encryption Gcm Ccm
Authenticated Encryption Gcm CcmAuthenticated Encryption Gcm Ccm
Authenticated Encryption Gcm Ccm
 
FIWARE implementation of IDS concepts
FIWARE implementation of IDS conceptsFIWARE implementation of IDS concepts
FIWARE implementation of IDS concepts
 
Python Cryptography & Security
Python Cryptography & SecurityPython Cryptography & Security
Python Cryptography & Security
 

Similar to Can Kubernetes Keep a Secret?

Can Kubernetes Keep a Secret? - Women in AppSec Webinar
Can Kubernetes Keep a Secret? - Women in AppSec WebinarCan Kubernetes Keep a Secret? - Women in AppSec Webinar
Can Kubernetes Keep a Secret? - Women in AppSec WebinarSoluto
 
FTRD - Can Kubernetes Keep a Secret?
FTRD -  Can Kubernetes Keep a Secret?FTRD -  Can Kubernetes Keep a Secret?
FTRD - Can Kubernetes Keep a Secret?Soluto
 
Kamus intro
Kamus introKamus intro
Kamus introSoluto
 
Build and run applications in a dockerless kubernetes world - DevConf India 18
Build and run applications in a dockerless kubernetes world - DevConf India 18Build and run applications in a dockerless kubernetes world - DevConf India 18
Build and run applications in a dockerless kubernetes world - DevConf India 18Jorge Morales
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container securityVolodymyr Shynkar
 
Docker based-Pipelines with Codefresh
Docker based-Pipelines with CodefreshDocker based-Pipelines with Codefresh
Docker based-Pipelines with CodefreshCodefresh
 
eZ Publish 5: from zero to automated deployment (and no regressions!) in one ...
eZ Publish 5: from zero to automated deployment (and no regressions!) in one ...eZ Publish 5: from zero to automated deployment (and no regressions!) in one ...
eZ Publish 5: from zero to automated deployment (and no regressions!) in one ...Gaetano Giunta
 
It's 2018. Are My Containers Secure Yet!?
It's 2018. Are My Containers Secure Yet!?It's 2018. Are My Containers Secure Yet!?
It's 2018. Are My Containers Secure Yet!?Phil Estes
 
TDC2017 | São Paulo - Trilha Cloud Computing How we figured out we had a SRE ...
TDC2017 | São Paulo - Trilha Cloud Computing How we figured out we had a SRE ...TDC2017 | São Paulo - Trilha Cloud Computing How we figured out we had a SRE ...
TDC2017 | São Paulo - Trilha Cloud Computing How we figured out we had a SRE ...tdc-globalcode
 
O365Con19 - Things I've Learned While Building a Product on SharePoint Modern...
O365Con19 - Things I've Learned While Building a Product on SharePoint Modern...O365Con19 - Things I've Learned While Building a Product on SharePoint Modern...
O365Con19 - Things I've Learned While Building a Product on SharePoint Modern...NCCOMMS
 
DevSecOps in a cloudnative world
DevSecOps in a cloudnative worldDevSecOps in a cloudnative world
DevSecOps in a cloudnative worldKarthik Gaekwad
 
20140819 Framework
20140819 Framework20140819 Framework
20140819 Frameworktijsverkoyen
 
Kubernetes, Toolbox to fail or succeed for beginners - Demi Ben-Ari, VP R&D @...
Kubernetes, Toolbox to fail or succeed for beginners - Demi Ben-Ari, VP R&D @...Kubernetes, Toolbox to fail or succeed for beginners - Demi Ben-Ari, VP R&D @...
Kubernetes, Toolbox to fail or succeed for beginners - Demi Ben-Ari, VP R&D @...Demi Ben-Ari
 
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...sparkfabrik
 
Setting up CI/CD pipeline with Kubernetes and Kublr step-by-step
Setting up CI/CD pipeline with Kubernetes and Kublr step-by-stepSetting up CI/CD pipeline with Kubernetes and Kublr step-by-step
Setting up CI/CD pipeline with Kubernetes and Kublr step-by-stepOleg Chunikhin
 
Setting up CI/CD Pipeline with Kubernetes and Kublr step by-step
Setting up CI/CD Pipeline with Kubernetes and Kublr step by-stepSetting up CI/CD Pipeline with Kubernetes and Kublr step by-step
Setting up CI/CD Pipeline with Kubernetes and Kublr step by-stepKublr
 
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldDevOps.com
 

Similar to Can Kubernetes Keep a Secret? (20)

Can Kubernetes Keep a Secret? - Women in AppSec Webinar
Can Kubernetes Keep a Secret? - Women in AppSec WebinarCan Kubernetes Keep a Secret? - Women in AppSec Webinar
Can Kubernetes Keep a Secret? - Women in AppSec Webinar
 
FTRD - Can Kubernetes Keep a Secret?
FTRD -  Can Kubernetes Keep a Secret?FTRD -  Can Kubernetes Keep a Secret?
FTRD - Can Kubernetes Keep a Secret?
 
Kamus intro
Kamus introKamus intro
Kamus intro
 
Build and run applications in a dockerless kubernetes world - DevConf India 18
Build and run applications in a dockerless kubernetes world - DevConf India 18Build and run applications in a dockerless kubernetes world - DevConf India 18
Build and run applications in a dockerless kubernetes world - DevConf India 18
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container security
 
Docker based-Pipelines with Codefresh
Docker based-Pipelines with CodefreshDocker based-Pipelines with Codefresh
Docker based-Pipelines with Codefresh
 
eZ Publish 5: from zero to automated deployment (and no regressions!) in one ...
eZ Publish 5: from zero to automated deployment (and no regressions!) in one ...eZ Publish 5: from zero to automated deployment (and no regressions!) in one ...
eZ Publish 5: from zero to automated deployment (and no regressions!) in one ...
 
Kubernetes Security
Kubernetes SecurityKubernetes Security
Kubernetes Security
 
It's 2018. Are My Containers Secure Yet!?
It's 2018. Are My Containers Secure Yet!?It's 2018. Are My Containers Secure Yet!?
It's 2018. Are My Containers Secure Yet!?
 
TDC2017 | São Paulo - Trilha Cloud Computing How we figured out we had a SRE ...
TDC2017 | São Paulo - Trilha Cloud Computing How we figured out we had a SRE ...TDC2017 | São Paulo - Trilha Cloud Computing How we figured out we had a SRE ...
TDC2017 | São Paulo - Trilha Cloud Computing How we figured out we had a SRE ...
 
O365Con19 - Things I've Learned While Building a Product on SharePoint Modern...
O365Con19 - Things I've Learned While Building a Product on SharePoint Modern...O365Con19 - Things I've Learned While Building a Product on SharePoint Modern...
O365Con19 - Things I've Learned While Building a Product on SharePoint Modern...
 
DevSecOps in a cloudnative world
DevSecOps in a cloudnative worldDevSecOps in a cloudnative world
DevSecOps in a cloudnative world
 
20140819 Framework
20140819 Framework20140819 Framework
20140819 Framework
 
Sonatype DevSecOps Leadership forum 2020
Sonatype DevSecOps Leadership forum 2020Sonatype DevSecOps Leadership forum 2020
Sonatype DevSecOps Leadership forum 2020
 
Kubernetes, Toolbox to fail or succeed for beginners - Demi Ben-Ari, VP R&D @...
Kubernetes, Toolbox to fail or succeed for beginners - Demi Ben-Ari, VP R&D @...Kubernetes, Toolbox to fail or succeed for beginners - Demi Ben-Ari, VP R&D @...
Kubernetes, Toolbox to fail or succeed for beginners - Demi Ben-Ari, VP R&D @...
 
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
 
Setting up CI/CD pipeline with Kubernetes and Kublr step-by-step
Setting up CI/CD pipeline with Kubernetes and Kublr step-by-stepSetting up CI/CD pipeline with Kubernetes and Kublr step-by-step
Setting up CI/CD pipeline with Kubernetes and Kublr step-by-step
 
Setting up CI/CD Pipeline with Kubernetes and Kublr step by-step
Setting up CI/CD Pipeline with Kubernetes and Kublr step by-stepSetting up CI/CD Pipeline with Kubernetes and Kublr step by-step
Setting up CI/CD Pipeline with Kubernetes and Kublr step by-step
 
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote World
 
Csa container-security-in-aws-dw
Csa container-security-in-aws-dwCsa container-security-in-aws-dw
Csa container-security-in-aws-dw
 

More from Soluto

Solving trust issues at scale - AppSec California
Solving trust issues at scale - AppSec CaliforniaSolving trust issues at scale - AppSec California
Solving trust issues at scale - AppSec CaliforniaSoluto
 
Solving trust issues at scale
Solving trust issues at scaleSolving trust issues at scale
Solving trust issues at scaleSoluto
 
Things I wish someone had told me about Istio, Omer Levi Hevroni
Things I wish someone had told me about Istio, Omer Levi HevroniThings I wish someone had told me about Istio, Omer Levi Hevroni
Things I wish someone had told me about Istio, Omer Levi HevroniSoluto
 
The Dark Side of Monitoring
The Dark Side of MonitoringThe Dark Side of Monitoring
The Dark Side of MonitoringSoluto
 
Hacking like a FED
Hacking like a FEDHacking like a FED
Hacking like a FEDSoluto
 
Monitoria@Icinga camp berlin
Monitoria@Icinga camp berlinMonitoria@Icinga camp berlin
Monitoria@Icinga camp berlinSoluto
 
Secure Your Pipeline
Secure Your PipelineSecure Your Pipeline
Secure Your PipelineSoluto
 
React new features and intro to Hooks
React new features and intro to HooksReact new features and intro to Hooks
React new features and intro to HooksSoluto
 
Secure the Pipeline - OWASP Poland Day 2018
Secure the Pipeline - OWASP Poland Day 2018Secure the Pipeline - OWASP Poland Day 2018
Secure the Pipeline - OWASP Poland Day 2018Soluto
 
Monitoria@reversim
Monitoria@reversimMonitoria@reversim
Monitoria@reversimSoluto
 
Languages don't matter anymore!
Languages don't matter anymore!Languages don't matter anymore!
Languages don't matter anymore!Soluto
 
Security Testing for Containerized Applications
Security Testing for Containerized ApplicationsSecurity Testing for Containerized Applications
Security Testing for Containerized ApplicationsSoluto
 
Owasp glue
Owasp glueOwasp glue
Owasp glueSoluto
 
Unify logz with fluentd
Unify logz with fluentdUnify logz with fluentd
Unify logz with fluentdSoluto
 
Storing data in Redis like a pro
Storing data in Redis like a proStoring data in Redis like a pro
Storing data in Redis like a proSoluto
 
Monitor all the thingz slideshare
Monitor all the thingz slideshareMonitor all the thingz slideshare
Monitor all the thingz slideshareSoluto
 
Authentication without Authentication - AppSec California
Authentication without Authentication - AppSec CaliforniaAuthentication without Authentication - AppSec California
Authentication without Authentication - AppSec CaliforniaSoluto
 
Authentication without Authentication - Peerlyst meetup
Authentication without Authentication - Peerlyst meetupAuthentication without Authentication - Peerlyst meetup
Authentication without Authentication - Peerlyst meetupSoluto
 
Security Testing with Zap
Security Testing with ZapSecurity Testing with Zap
Security Testing with ZapSoluto
 
Authentication Without Authentication
Authentication Without AuthenticationAuthentication Without Authentication
Authentication Without AuthenticationSoluto
 

More from Soluto (20)

Solving trust issues at scale - AppSec California
Solving trust issues at scale - AppSec CaliforniaSolving trust issues at scale - AppSec California
Solving trust issues at scale - AppSec California
 
Solving trust issues at scale
Solving trust issues at scaleSolving trust issues at scale
Solving trust issues at scale
 
Things I wish someone had told me about Istio, Omer Levi Hevroni
Things I wish someone had told me about Istio, Omer Levi HevroniThings I wish someone had told me about Istio, Omer Levi Hevroni
Things I wish someone had told me about Istio, Omer Levi Hevroni
 
The Dark Side of Monitoring
The Dark Side of MonitoringThe Dark Side of Monitoring
The Dark Side of Monitoring
 
Hacking like a FED
Hacking like a FEDHacking like a FED
Hacking like a FED
 
Monitoria@Icinga camp berlin
Monitoria@Icinga camp berlinMonitoria@Icinga camp berlin
Monitoria@Icinga camp berlin
 
Secure Your Pipeline
Secure Your PipelineSecure Your Pipeline
Secure Your Pipeline
 
React new features and intro to Hooks
React new features and intro to HooksReact new features and intro to Hooks
React new features and intro to Hooks
 
Secure the Pipeline - OWASP Poland Day 2018
Secure the Pipeline - OWASP Poland Day 2018Secure the Pipeline - OWASP Poland Day 2018
Secure the Pipeline - OWASP Poland Day 2018
 
Monitoria@reversim
Monitoria@reversimMonitoria@reversim
Monitoria@reversim
 
Languages don't matter anymore!
Languages don't matter anymore!Languages don't matter anymore!
Languages don't matter anymore!
 
Security Testing for Containerized Applications
Security Testing for Containerized ApplicationsSecurity Testing for Containerized Applications
Security Testing for Containerized Applications
 
Owasp glue
Owasp glueOwasp glue
Owasp glue
 
Unify logz with fluentd
Unify logz with fluentdUnify logz with fluentd
Unify logz with fluentd
 
Storing data in Redis like a pro
Storing data in Redis like a proStoring data in Redis like a pro
Storing data in Redis like a pro
 
Monitor all the thingz slideshare
Monitor all the thingz slideshareMonitor all the thingz slideshare
Monitor all the thingz slideshare
 
Authentication without Authentication - AppSec California
Authentication without Authentication - AppSec CaliforniaAuthentication without Authentication - AppSec California
Authentication without Authentication - AppSec California
 
Authentication without Authentication - Peerlyst meetup
Authentication without Authentication - Peerlyst meetupAuthentication without Authentication - Peerlyst meetup
Authentication without Authentication - Peerlyst meetup
 
Security Testing with Zap
Security Testing with ZapSecurity Testing with Zap
Security Testing with Zap
 
Authentication Without Authentication
Authentication Without AuthenticationAuthentication Without Authentication
Authentication Without Authentication
 

Recently uploaded

How to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptxHow to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptxKaustubhBhavsar6
 
Introduction - IPLOOK NETWORKS CO., LTD.
Introduction - IPLOOK NETWORKS CO., LTD.Introduction - IPLOOK NETWORKS CO., LTD.
Introduction - IPLOOK NETWORKS CO., LTD.IPLOOK Networks
 
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptx
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptxEmil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptx
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptxNeo4j
 
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENTSIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENTxtailishbaloch
 
3 Pitfalls Everyone Should Avoid with Cloud Data
3 Pitfalls Everyone Should Avoid with Cloud Data3 Pitfalls Everyone Should Avoid with Cloud Data
3 Pitfalls Everyone Should Avoid with Cloud DataEric D. Schabell
 
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - TechWebinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - TechProduct School
 
How to release an Open Source Dataweave Library
How to release an Open Source Dataweave LibraryHow to release an Open Source Dataweave Library
How to release an Open Source Dataweave Libraryshyamraj55
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightSafe Software
 
Patch notes explaining DISARM Version 1.4 update
Patch notes explaining DISARM Version 1.4 updatePatch notes explaining DISARM Version 1.4 update
Patch notes explaining DISARM Version 1.4 updateadam112203
 
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024Alkin Tezuysal
 
UiPath Studio Web workshop series - Day 2
UiPath Studio Web workshop series - Day 2UiPath Studio Web workshop series - Day 2
UiPath Studio Web workshop series - Day 2DianaGray10
 
20140402 - Smart house demo kit
20140402 - Smart house demo kit20140402 - Smart house demo kit
20140402 - Smart house demo kitJamie (Taka) Wang
 
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdfQ4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdfTejal81
 
Novo Nordisk's journey in developing an open-source application on Neo4j
Novo Nordisk's journey in developing an open-source application on Neo4jNovo Nordisk's journey in developing an open-source application on Neo4j
Novo Nordisk's journey in developing an open-source application on Neo4jNeo4j
 
EMEA What is ThousandEyes? Webinar
EMEA What is ThousandEyes? WebinarEMEA What is ThousandEyes? Webinar
EMEA What is ThousandEyes? WebinarThousandEyes
 
Keep Your Finger on the Pulse of Your Building's Performance with IES Live
Keep Your Finger on the Pulse of Your Building's Performance with IES LiveKeep Your Finger on the Pulse of Your Building's Performance with IES Live
Keep Your Finger on the Pulse of Your Building's Performance with IES LiveIES VE
 
IT Service Management (ITSM) Best Practices for Advanced Computing
IT Service Management (ITSM) Best Practices for Advanced ComputingIT Service Management (ITSM) Best Practices for Advanced Computing
IT Service Management (ITSM) Best Practices for Advanced ComputingMAGNIntelligence
 
March Patch Tuesday
March Patch TuesdayMarch Patch Tuesday
March Patch TuesdayIvanti
 
.NET 8 ChatBot with Azure OpenAI Services.pptx
.NET 8 ChatBot with Azure OpenAI Services.pptx.NET 8 ChatBot with Azure OpenAI Services.pptx
.NET 8 ChatBot with Azure OpenAI Services.pptxHansamali Gamage
 
Graphene Quantum Dots-Based Composites for Biomedical Applications
Graphene Quantum Dots-Based Composites for  Biomedical ApplicationsGraphene Quantum Dots-Based Composites for  Biomedical Applications
Graphene Quantum Dots-Based Composites for Biomedical Applicationsnooralam814309
 

Recently uploaded (20)

How to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptxHow to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptx
 
Introduction - IPLOOK NETWORKS CO., LTD.
Introduction - IPLOOK NETWORKS CO., LTD.Introduction - IPLOOK NETWORKS CO., LTD.
Introduction - IPLOOK NETWORKS CO., LTD.
 
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptx
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptxEmil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptx
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptx
 
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENTSIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
 
3 Pitfalls Everyone Should Avoid with Cloud Data
3 Pitfalls Everyone Should Avoid with Cloud Data3 Pitfalls Everyone Should Avoid with Cloud Data
3 Pitfalls Everyone Should Avoid with Cloud Data
 
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - TechWebinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
 
How to release an Open Source Dataweave Library
How to release an Open Source Dataweave LibraryHow to release an Open Source Dataweave Library
How to release an Open Source Dataweave Library
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
Patch notes explaining DISARM Version 1.4 update
Patch notes explaining DISARM Version 1.4 updatePatch notes explaining DISARM Version 1.4 update
Patch notes explaining DISARM Version 1.4 update
 
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024
 
UiPath Studio Web workshop series - Day 2
UiPath Studio Web workshop series - Day 2UiPath Studio Web workshop series - Day 2
UiPath Studio Web workshop series - Day 2
 
20140402 - Smart house demo kit
20140402 - Smart house demo kit20140402 - Smart house demo kit
20140402 - Smart house demo kit
 
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdfQ4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
 
Novo Nordisk's journey in developing an open-source application on Neo4j
Novo Nordisk's journey in developing an open-source application on Neo4jNovo Nordisk's journey in developing an open-source application on Neo4j
Novo Nordisk's journey in developing an open-source application on Neo4j
 
EMEA What is ThousandEyes? Webinar
EMEA What is ThousandEyes? WebinarEMEA What is ThousandEyes? Webinar
EMEA What is ThousandEyes? Webinar
 
Keep Your Finger on the Pulse of Your Building's Performance with IES Live
Keep Your Finger on the Pulse of Your Building's Performance with IES LiveKeep Your Finger on the Pulse of Your Building's Performance with IES Live
Keep Your Finger on the Pulse of Your Building's Performance with IES Live
 
IT Service Management (ITSM) Best Practices for Advanced Computing
IT Service Management (ITSM) Best Practices for Advanced ComputingIT Service Management (ITSM) Best Practices for Advanced Computing
IT Service Management (ITSM) Best Practices for Advanced Computing
 
March Patch Tuesday
March Patch TuesdayMarch Patch Tuesday
March Patch Tuesday
 
.NET 8 ChatBot with Azure OpenAI Services.pptx
.NET 8 ChatBot with Azure OpenAI Services.pptx.NET 8 ChatBot with Azure OpenAI Services.pptx
.NET 8 ChatBot with Azure OpenAI Services.pptx
 
Graphene Quantum Dots-Based Composites for Biomedical Applications
Graphene Quantum Dots-Based Composites for  Biomedical ApplicationsGraphene Quantum Dots-Based Composites for  Biomedical Applications
Graphene Quantum Dots-Based Composites for Biomedical Applications
 

Can Kubernetes Keep a Secret?

Editor's Notes

  1. Hey, good morning everyone My name is Omer I want to start this talk by showing gratitude First, to all the people who worked hard on organizing this conf and all the people who are working today so we all could enjoy it - thank you Second, I want to thank the organizers who choose me to speak here, so thank you. It is a big honor <pause> Can kubernetes keep a secret? <pause> Why? Raise you’re hand if you ever worked on a project and you had to deal with credentials: API Key, client secret, certificates etc
  2. What you need to do is pass these credentials securely to the platform running your code, so the app in production can use it. Different platforms have different solutions to the problem (sometime good, sometime bad). This talk will focus on Kubernetes – how we can tell a secret to Kubernetes, and make sure only Kubernetes will know it? But first – let me introduce myself quickly, so you could understand what are my credentials and where I’m coming from.
  3. I’m a builder, this is what I love doing and doing it from a really early age Doing it professionally for the last 8 years I’m from Israel, married etc Who else is a builder? This talk is for you!
  4. Today I’m working at Soluto, our missing is to help people with their technology My job is DevSecOps, or as I see it - helping the entire team to build a more secure software I’m achieving it via many approaches, including education, reviewing and threat modeling – but what I love the most is threat modeling
  5. Big part of my work is OWASP, I’m enthusiast and familiar to many project. I contributed code to projects, mainly Zap and Glue and I’m a paid memember and project leader of Glue. Glue is a tool that helps to integrate security tools into the CI/CD pipeline – I will not have time to dive into the tool, but come talk with me later about it – I have stickers 
  6. What you need to do is pass these credentials securely to the platform running your code, so the app in production can use it. Different platforms have different solutions to the problem (sometime good, sometime bad). This talk will focus on Kubernetes – how we can tell a secret to Kubernetes, and make sure only Kubernetes will know it?
  7. Explain why it is a challenge – you cant expect one person to manage all secrets Why not solved it manually
  8. Explain why it is a challenge – you cant expect one person to manage all secrets Why not solved it manually
  9. And that’s why we love GitOps: Git is a tool that all devs are familiar with.
  10. And we started to look for solutions. It want not an easy path, and today I want to share with you the process we want through. So, let’s start we talking on what we want.
  11. Choose one sentence
  12. Security is what we all here love
  13. Security features like encryption at rest
  14. Encoding is not encrypting Adding native approach
  15. Add meme
  16. Add slide with links
  17. Laugh at my bad english
  18. Example of 3 items/JSON representatiom
  19. Security is what we all here love
  20. Add the user here
  21. Add the user here
  22. Valut policies, policy assignment etc
  23. Security is what we all here love
  24. Make it more visual
  25. Security is what we all here love
  26. Battle tested
  27. Add attributation
  28. Add headlines – encryptor & decryptor
  29. We really love Kamus, we’re been using it in production for the past 6 months
  30. End of journey meme/image
  31. Today I discussed 3 different solutions for secret management on Kubenretes. All are good solutions, depend on your requirments.
  32. I started the talk by asking “Can Kubernetes keep a secret?” Now you that yes – Kubernetes can. You just need to use the right tool for you’re use case.
  33. For us, it was Kamus What Kamus can do for you?