Kamus intro

Kamus open source intro

Published in: Technology

  1. Kamus Introduction, Omer Levi Hevroni (@omerlh), January 14th
  2. Third iteration: Kamus
  3. What? • Secrets encryption/decryption solution • Native Kubernetes integration • Seamless consuming • Side-car to generate config files https://github.com/Soluto/kamus
  4. Kamus?
  5. Architecture: Encryptor, Decryptor (icons from https://github.com/octo-technology/kubernetes-icons, Apache 2)
  6. Kubernetes Service Account: A service account provides an identity for a Pod. https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
  7. Permission Model • User: Encrypt yes (can be limited); Decrypt no • Pod: Encrypt yes; Decrypt only its own secrets
  8. Consuming Secrets • Init Container • Application • Memory Medium
  9. Demo Time! https://github.com/Soluto/kamus/tree/master/example (image: http://i.imgur.com/qpUHa.jpg)
  10. https://memegenerator.net/instance/82530764/geico-pinocchio-we-take-security-seriously
  11. Kamus Secure Design • Strong keys storage (Azure KeyVault/GCP KMS) • HSM • IP Filtering • Separated pods for encrypting and decrypting • Secured CLI • Enforce HTTPS • Support for certificate pinning
  12. Public Threat Model https://github.com/Soluto/kamus/blob/master/docs/features
  13. Security Tests • Static Analysis (Checkmarx) • Dynamic Analysis (Zap) • Packages Scan (Snyk)
  14. Security.md https://github.com/Soluto/kamus/blob/master/security.md
  15. Accepted Risks • Any pod in the same namespace can mount any service account • Pod impersonation • Can be solved with admission controller or OPA • Clear text traffic inside the cluster • Service account token never expires
  16. How do I use it? • Simply using helm: helm install soluto/kamus • Check out the install guide for secure installation • <blog post!>
  17. Project Status • Live in production for the past 6 months • Improved based on internal feedback • Fast adoption by developers • Released as OSS
  18. Kamus Future • AWS KMS support • Secret CRD • Rolling encryption keys • Quality: improve coverage • FASS
  19. Thank You! Omer Levi Hevroni (@omerlh)
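Two of the slides above carry the design points worth seeing in code: the permission model on slide 7 (users may encrypt but never decrypt; a pod may decrypt only secrets bound to its own service account) and the accepted risk on slide 15 (any pod in the namespace can mount any service account, which an admission controller or OPA policy can close). The following is an added illustrative model written for this page, not Kamus's own code: `ToyKamus` uses a stand-alone HMAC-based toy cipher in place of the Azure KeyVault/GCP KMS backed encryption the deck describes, `Caller` stands in for the identity a Kubernetes token review would establish, and the `kamus.example/owner` annotation and the `SERVICE_ACCOUNTS` sample are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Caller:
    """Who calls the API: a human 'user' or a 'pod' identified by its service account.
    In a real deployment this identity comes from the cluster, never from the request body."""
    kind: str          # "user" or "pod"
    sa_id: str = ""    # "<namespace>/<serviceaccount>" for pods, empty for users


class ToyKamus:
    """Illustrative encryptor/decryptor implementing the slide 7 permission model.
    The cipher is a toy (HMAC-SHA256 keystream + HMAC tag), not Kamus's KMS-backed crypto."""

    def __init__(self, master_key: bytes):
        self.master_key = master_key

    def _sa_key(self, sa_id: str) -> bytes:
        # One derived key per service account: ciphertext is bound to exactly one SA.
        return hmac.new(self.master_key, b"sa:" + sa_id.encode(), hashlib.sha256).digest()

    @staticmethod
    def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
        # HMAC-SHA256 in counter mode as a stand-in keystream.
        out, counter = b"", 0
        while len(out) < length:
            out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def encrypt(self, caller: Caller, sa_id: str, plaintext: bytes) -> dict:
        # Users and pods may encrypt for any SA (user access can additionally be limited).
        if caller.kind not in ("user", "pod"):
            raise PermissionError("unknown caller kind")
        key = self._sa_key(sa_id)
        nonce = secrets.token_bytes(12)
        body = bytes(a ^ b for a, b in zip(plaintext, self._keystream(key, nonce, len(plaintext))))
        tag = hmac.new(key, sa_id.encode() + nonce + body, hashlib.sha256).digest()
        return {"sa_id": sa_id, "nonce": nonce, "body": body, "tag": tag}

    def decrypt(self, caller: Caller, envelope: dict) -> bytes:
        # Users can never decrypt; a pod may decrypt only what was bound to its own SA.
        if caller.kind != "pod":
            raise PermissionError("decrypt is only available to pods")
        if caller.sa_id != envelope["sa_id"]:
            raise PermissionError("secret is bound to a different service account")
        key = self._sa_key(caller.sa_id)   # derived from the verified identity, not the envelope
        expected = hmac.new(key, envelope["sa_id"].encode() + envelope["nonce"] + envelope["body"],
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, envelope["tag"]):
            raise ValueError("ciphertext tampered or wrong key")
        stream = self._keystream(key, envelope["nonce"], len(envelope["body"]))
        return bytes(a ^ b for a, b in zip(envelope["body"], stream))


# Slide 15 mitigation: an admission-time check that a pod may only run under a service account
# whose owner annotation matches the pod's "app" label. Annotation name is hypothetical.
OWNER_ANNOTATION = "kamus.example/owner"

# Constructed sample: what the admission webhook would have looked up from the cluster.
SERVICE_ACCOUNTS = {
    "default": {"metadata": {"annotations": {}}},
    "billing": {"metadata": {"annotations": {OWNER_ANNOTATION: "billing"}}},
}


def admit_pod(pod: dict, service_accounts: dict) -> bool:
    """Return True if the pod may use the service account it names."""
    sa_name = pod.get("spec", {}).get("serviceAccountName", "default")
    app = pod.get("metadata", {}).get("labels", {}).get("app")
    sa = service_accounts.get(sa_name)
    if sa is None:
        return False   # unknown SA: reject rather than guess
    owner = sa.get("metadata", {}).get("annotations", {}).get(OWNER_ANNOTATION)
    if owner is None:
        return True    # SA not covered by the policy
    return app == owner


if __name__ == "__main__":
    kamus = ToyKamus(secrets.token_bytes(32))
    env = kamus.encrypt(Caller("user"), "default/billing", b"db-password")
    print(kamus.decrypt(Caller("pod", "default/billing"), env))          # b'db-password'
    try:
        kamus.decrypt(Caller("pod", "default/other"), env)
    except PermissionError as e:
        print("impersonating pod rejected:", e)
    print(admit_pod({"metadata": {"labels": {"app": "evil"}},
                     "spec": {"serviceAccountName": "billing"}}, SERVICE_ACCOUNTS))   # False
```

The two halves belong together: the decryptor's check only holds if the caller's service-account identity is trustworthy, and slide 15's accepted risk is precisely that any pod in the namespace can claim an existing service account. `admit_pod` is the shape of the admission-controller rule the slide suggests as the fix; a real implementation would be a validating webhook or an equivalent OPA policy evaluating the same fields.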
