Secrets in Kubernetes

Jerry Jalava
Jerry JalavaCloud Consultant, Google Developer Expert, Authorized Google Cloud Trainer (Nordics) at Jerryn Paja
Senior System Architect, Google Developer Expert, Authorised Trainer SECRETS IN KUBERNETES JERRY JALAVA JERRY@QVIK.FI | @W_I
WHAT SECRETS DO APPLICATIONS HAVE? QUESTION @QVIK
COMMON SECRETS ‣ Database credentials ‣ API credentials & endpoints (Twitter, FB, etc.) ‣ Infrastructure API credentials (Google, AWS, Azure) ‣ Private (TLS) Keys (careful here) ‣ Etc. @QVIKPhotos: CC0 License, https://www.pexels.com
I’LL JUST INCLUDE THEM WITH MY CODE… WELL, EASY ENOUGH… @QVIK
DON’T! @QVIK
JUST AS AN EXAMPLE Dev put AWS keys on Github. Bots are crawling all over GitHub seeking secret keys… "When I woke up the next morning, I had emails and a missed phone call from Amazon AWS - ~140 servers running on my AWS account" - a developer served with a $2,375 Bitcoin mining bill http://www.theregister.co.uk/ @QVIKPhotos: CC0 License, https://www.pexels.com
I’LL JUST INCLUDE THEM IN MY CONTAINER… WELL, EASY ENOUGH… @QVIK
AGAIN, DON’T! @QVIK
DOCKER is about transportable and executable code. Containers can be inspected, exported and published publicly. Putting sensitive material inside Docker Container is NOT a good idea. @QVIK
THE TWELVE-FACTOR APP ‣ http://12factor.net/ ‣ Methodology for building software-as-a-service apps, collection of best practises ‣ Suggests following: ‣ Store config in the environment ‣ config is everything that is likely to vary between deploys @QVIK
KUBERNETES (K8s) ‣ Ancient Greek for “pilot” or “helmsman”; root of the English word “governor” ‣ Orchestrator for containers ‣ Supports multi-cloud environments ‣ Started by Google ‣ Open source ‣ Manage applications, not machines @QVIK
MAIN COMPONENTS PODS Ephemeral units used to manage 1-n tightly coupled containers LABELS Metadata attached to objects such as Pods. Enable organization and selection of objects REPLICATION CONTROLLERS Manages requested number of Pod “replicas” from defined template 1 2 3 SERVICES Low overhead load- balancing of requests to set of Pods based on Labels 4 @QVIK
KUBERNETES SECRETS INTRODUCING @QVIK http://kubernetes.io/docs/user-guide/secrets/
WHAT ARE THEY? ‣ K8s Secret-objects are first-class citizens in the ecosystem ‣ Designed to hold all kinds of sensitive information in safe and flexible way. ‣ They can be used by Pods (FS & Env) and the underlying kubelet when pulling images @QVIK
PROS ‣ Secrets can be mounted as data volumes or be exposed as environment variables to be used by a container in a pod ‣ A secret is only sent to a node if a pod on that node requires it ‣ Secret data on nodes is stored in tmpfs volumes and thus does not come to rest on the node ‣ Communication between user to the api-server, and from api-server to the kubelets, is protected by SSL/TLS @QVIK
CONS ‣ In the API server secret data is stored as plaintext in etcd, therefore: ‣ Administrators should limit access to etcd to admin users ‣ Secret data in the API server is at rest on the disk that etcd uses (wipe/shred disks when not used) ‣ It is not possible currently to control which users of a K8s cluster can access a secret (Support planned) ‣ It is still possible to accidentally push the Secrets definition to version control @QVIK
GOTCHAS ‣ A Secret needs to be created before any pods that depend on it ‣ Individual secrets are limited to 1MB in size ‣ They can only be referenced by pods in same namespace ‣ Once a pod is started, its secret volumes will not change, even if the secret resource is modified ‣ It is not possible currently to check what resource version of a secret object was used when a pod was created (planned feature) ‣ The key must be formatted as DNS subdomain (leading dots allowed), with max length of 253 characters @QVIK
EXAMPLES ‣ echo "admin" > ./username.txt && echo "1f2d1e2e67df" > ./ password.txt ‣ kubectl create secret generic db-user-pass --from-file=./ username.txt --from-file=./password.txt ‣ echo "admin" | base64 ‣ kubectl create -f ./mysecret.yaml @QVIK
DEMO TIME @QVIK https://github.com/jerryjj/devsec_050416/blob/master/demo/secrets.md
KUBERNETES CONFIGMAP INTRODUCING @QVIK http://kubernetes.io/docs/user-guide/configmap/
WHAT ARE THEY? ‣ key-value pairs of configuration data ‣ Similar to Secrets, but designed to more conveniently support working with strings that do not contain sensitive information ‣ Can be used to store fine-grained information like individual properties or coarse-grained information like entire config files or JSON blobs @QVIK
DEMO TIME @QVIK https://github.com/jerryjj/devsec_050416/blob/master/demo/configmaps.md
RESOURCES ‣ https://github.com/jerryjj/devsec_050416 ‣ http://kubernetes.io/docs/ ‣ http://12factor.net/ @QVIK
THANK YOU www.qvik.fi
Secrets in Kubernetes
1 of 25

Secrets in Kubernetes

Download to read offline
Technology

This is a presentation I held at "DevOps and Security" -meetup on 5th of April 2016 at RedHat. Source is available at: https://github.com/jerryjj/devsec_050416

Jerry Jalava
Jerry JalavaCloud Consultant, Google Developer Expert, Authorized Google Cloud Trainer (Nordics) at Jerryn Paja

Recommended

Kubernetes Webinar - Using ConfigMaps & Secrets by
Kubernetes Webinar - Using ConfigMaps & Secrets Kubernetes Webinar - Using ConfigMaps & Secrets
Kubernetes Webinar - Using ConfigMaps & Secrets Janakiram MSV
1.4K views14 slides
Introduction to kubernetes by
Introduction to kubernetesIntroduction to kubernetes
Introduction to kubernetesGabriel Carro
233 views182 slides
An Architectural Deep Dive With Kubernetes And Containers Powerpoint Presenta... by
An Architectural Deep Dive With Kubernetes And Containers Powerpoint Presenta...An Architectural Deep Dive With Kubernetes And Containers Powerpoint Presenta...
An Architectural Deep Dive With Kubernetes And Containers Powerpoint Presenta...SlideTeam
192 views48 slides
Hands-On Introduction to Kubernetes at LISA17 by
Hands-On Introduction to Kubernetes at LISA17Hands-On Introduction to Kubernetes at LISA17
Hands-On Introduction to Kubernetes at LISA17Ryan Jarvinen
1.1K views82 slides
Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu... by
Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...
Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...Edureka!
2.1K views39 slides
Kubernetes - introduction by
Kubernetes - introductionKubernetes - introduction
Kubernetes - introductionSparkbit
467 views27 slides

More Related Content

What's hot

Kubernetes 101 by
Kubernetes 101Kubernetes 101
Kubernetes 101Crevise Technologies
1.6K views38 slides
Kubernetes by
KubernetesKubernetes
Kuberneteserialc_w
3K views19 slides
Kubernetes Architecture and Introduction by
Kubernetes Architecture and IntroductionKubernetes Architecture and Introduction
Kubernetes Architecture and IntroductionStefan Schimanski
6K views45 slides
Kubernetes architecture by
Kubernetes architectureKubernetes architecture
Kubernetes architectureJanakiram MSV
13.6K views19 slides
01. Kubernetes-PPT.pptx by
01. Kubernetes-PPT.pptx01. Kubernetes-PPT.pptx
01. Kubernetes-PPT.pptxTamalBanerjee16
52 views139 slides
Kubernetes Introduction by
Kubernetes IntroductionKubernetes Introduction
Kubernetes IntroductionMartin Danielsson
10.6K views22 slides

What's hot(20)

Kubernetes 101 by Crevise Technologies
Kubernetes 101Kubernetes 101
Kubernetes 101
Crevise Technologies1.6K views
Kubernetes by erialc_w
KubernetesKubernetes
Kubernetes
erialc_w3K views
Kubernetes Architecture and Introduction by Stefan Schimanski
Kubernetes Architecture and IntroductionKubernetes Architecture and Introduction
Kubernetes Architecture and Introduction
Stefan Schimanski6K views
Kubernetes architecture by Janakiram MSV
Kubernetes architectureKubernetes architecture
Kubernetes architecture
Janakiram MSV13.6K views
01. Kubernetes-PPT.pptx by TamalBanerjee16
01. Kubernetes-PPT.pptx01. Kubernetes-PPT.pptx
01. Kubernetes-PPT.pptx
TamalBanerjee1652 views
Kubernetes Introduction by Martin Danielsson
Kubernetes IntroductionKubernetes Introduction
Kubernetes Introduction
Martin Danielsson10.6K views
Introduction to Kubernetes Workshop by Bob Killen
Introduction to Kubernetes WorkshopIntroduction to Kubernetes Workshop
Introduction to Kubernetes Workshop
Bob Killen4.7K views
Service Discovery In Kubernetes by Knoldus Inc.
Service Discovery In KubernetesService Discovery In Kubernetes
Service Discovery In Kubernetes
Knoldus Inc.940 views
Azure container instances by Karthikeyan VK
Azure container instancesAzure container instances
Azure container instances
Karthikeyan VK677 views
DevOps with Kubernetes by EastBanc Tachnologies
DevOps with KubernetesDevOps with Kubernetes
DevOps with Kubernetes
EastBanc Tachnologies6.9K views
Introduction to helm by Jeeva Chelladhurai
Introduction to helmIntroduction to helm
Introduction to helm
Jeeva Chelladhurai3.7K views
Kubernetes a comprehensive overview by Gabriel Carro
Kubernetes a comprehensive overviewKubernetes a comprehensive overview
Kubernetes a comprehensive overview
Gabriel Carro181 views
Kubernetes - A Comprehensive Overview by Bob Killen
Kubernetes - A Comprehensive OverviewKubernetes - A Comprehensive Overview
Kubernetes - A Comprehensive Overview
Bob Killen26.5K views
Kubernetes 101 for Beginners by Oktay Esgul
Kubernetes 101 for BeginnersKubernetes 101 for Beginners
Kubernetes 101 for Beginners
Oktay Esgul1.1K views
Kubernetes Networking 101 by Weaveworks
Kubernetes Networking 101Kubernetes Networking 101
Kubernetes Networking 101
Weaveworks6.6K views
[KubeCon EU 2020] containerd Deep Dive by Akihiro Suda
[KubeCon EU 2020] containerd Deep Dive[KubeCon EU 2020] containerd Deep Dive
[KubeCon EU 2020] containerd Deep Dive
Akihiro Suda616 views
Docker introduction by Phuc Nguyen
Docker introductionDocker introduction
Docker introduction
Phuc Nguyen1.3K views
Kubernetes by Henry He
KubernetesKubernetes
Kubernetes
Henry He165 views
Kubernetes dealing with storage and persistence by Janakiram MSV
Kubernetes dealing with storage and persistenceKubernetes dealing with storage and persistence
Kubernetes dealing with storage and persistence
Janakiram MSV3K views
Kubernetes Workshop by loodse
Kubernetes WorkshopKubernetes Workshop
Kubernetes Workshop
loodse856 views

Viewers also liked

Real-time image sharing by
Real-time image sharingReal-time image sharing
Real-time image sharingJerry Jalava
2.3K views20 slides
Arctic15 keynote by
Arctic15 keynoteArctic15 keynote
Arctic15 keynoteJerry Jalava
340 views44 slides
Building Resilient Cloud Native Apps in GKE by
Building Resilient Cloud Native Apps in GKEBuilding Resilient Cloud Native Apps in GKE
Building Resilient Cloud Native Apps in GKEJerry Jalava
517 views43 slides
Going Serverless with Kubeless In Google Container Engine (GKE) by
Going Serverless with Kubeless In Google Container Engine (GKE)Going Serverless with Kubeless In Google Container Engine (GKE)
Going Serverless with Kubeless In Google Container Engine (GKE)Bitnami
1.1K views34 slides
Continous Delivery to Kubernetes using Helm by
Continous Delivery to Kubernetes using HelmContinous Delivery to Kubernetes using Helm
Continous Delivery to Kubernetes using HelmBitnami
2K views27 slides
Serverless with Google Cloud Functions by
Serverless with Google Cloud FunctionsServerless with Google Cloud Functions
Serverless with Google Cloud FunctionsJerry Jalava
1.4K views17 slides

Viewers also liked(6)

Real-time image sharing by Jerry Jalava
Real-time image sharingReal-time image sharing
Real-time image sharing
Jerry Jalava2.3K views
Arctic15 keynote by Jerry Jalava
Arctic15 keynoteArctic15 keynote
Arctic15 keynote
Jerry Jalava340 views
Building Resilient Cloud Native Apps in GKE by Jerry Jalava
Building Resilient Cloud Native Apps in GKEBuilding Resilient Cloud Native Apps in GKE
Building Resilient Cloud Native Apps in GKE
Jerry Jalava517 views
Going Serverless with Kubeless In Google Container Engine (GKE) by Bitnami
Going Serverless with Kubeless In Google Container Engine (GKE)Going Serverless with Kubeless In Google Container Engine (GKE)
Going Serverless with Kubeless In Google Container Engine (GKE)
Bitnami1.1K views
Continous Delivery to Kubernetes using Helm by Bitnami
Continous Delivery to Kubernetes using HelmContinous Delivery to Kubernetes using Helm
Continous Delivery to Kubernetes using Helm
Bitnami2K views
Serverless with Google Cloud Functions by Jerry Jalava
Serverless with Google Cloud FunctionsServerless with Google Cloud Functions
Serverless with Google Cloud Functions
Jerry Jalava1.4K views

Similar to Secrets in Kubernetes

Kubernetes security with AWS by
Kubernetes security with AWSKubernetes security with AWS
Kubernetes security with AWSKasun Madura Rathnayaka
41 views23 slides
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019 by
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019Lacework
525 views46 slides
Attacking and Defending Kubernetes - Nithin Jois by
Attacking and Defending Kubernetes - Nithin JoisAttacking and Defending Kubernetes - Nithin Jois
Attacking and Defending Kubernetes - Nithin JoisOWASP Hacker Thursday
124 views75 slides
Bitbucket Pipelines - Powered by Kubernetes by
Bitbucket Pipelines - Powered by KubernetesBitbucket Pipelines - Powered by Kubernetes
Bitbucket Pipelines - Powered by KubernetesNathan Burrell
1.1K views46 slides
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ... by
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...Michael Man
803 views79 slides
TDC2017 | São Paulo - Trilha Cloud Computing How we figured out we had a SRE ... by
TDC2017 | São Paulo - Trilha Cloud Computing How we figured out we had a SRE ...TDC2017 | São Paulo - Trilha Cloud Computing How we figured out we had a SRE ...
TDC2017 | São Paulo - Trilha Cloud Computing How we figured out we had a SRE ...tdc-globalcode
489 views94 slides

Similar to Secrets in Kubernetes(20)

Kubernetes security with AWS by Kasun Madura Rathnayaka
Kubernetes security with AWSKubernetes security with AWS
Kubernetes security with AWS
Kasun Madura Rathnayaka41 views
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019 by Lacework
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
Lacework525 views
Attacking and Defending Kubernetes - Nithin Jois by OWASP Hacker Thursday
Attacking and Defending Kubernetes - Nithin JoisAttacking and Defending Kubernetes - Nithin Jois
Attacking and Defending Kubernetes - Nithin Jois
OWASP Hacker Thursday124 views
Bitbucket Pipelines - Powered by Kubernetes by Nathan Burrell
Bitbucket Pipelines - Powered by KubernetesBitbucket Pipelines - Powered by Kubernetes
Bitbucket Pipelines - Powered by Kubernetes
Nathan Burrell1.1K views
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ... by Michael Man
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Michael Man803 views
TDC2017 | São Paulo - Trilha Cloud Computing How we figured out we had a SRE ... by tdc-globalcode
TDC2017 | São Paulo - Trilha Cloud Computing How we figured out we had a SRE ...TDC2017 | São Paulo - Trilha Cloud Computing How we figured out we had a SRE ...
TDC2017 | São Paulo - Trilha Cloud Computing How we figured out we had a SRE ...
tdc-globalcode489 views
Road to Opscon (Pisa '15) - DevOoops by Gianluca Varisco
Road to Opscon (Pisa '15) - DevOoopsRoad to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoops
Gianluca Varisco1.8K views
Best Practices with Azure Kubernetes Services by QAware GmbH
Best Practices with Azure Kubernetes ServicesBest Practices with Azure Kubernetes Services
Best Practices with Azure Kubernetes Services
QAware GmbH11.5K views
Introduction to Kubernetes by Vishal Biyani
Introduction to KubernetesIntroduction to Kubernetes
Introduction to Kubernetes
Vishal Biyani601 views
Azure Low Lands 2019 - Building secure cloud applications with Azure Key Vault by Tom Kerkhove
Azure Low Lands 2019 - Building secure cloud applications with Azure Key VaultAzure Low Lands 2019 - Building secure cloud applications with Azure Key Vault
Azure Low Lands 2019 - Building secure cloud applications with Azure Key Vault
Tom Kerkhove1.6K views
Overview of secret management solutions and architecture by Yuechuan (Mike) Chen
Overview of secret management solutions and architectureOverview of secret management solutions and architecture
Overview of secret management solutions and architecture
Yuechuan (Mike) Chen2.3K views
Digital Forensics and Incident Response in The Cloud Part 3 by Velocidex Enterprises
Digital Forensics and Incident Response in The Cloud Part 3Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3
Velocidex Enterprises813 views
Containerizing your Security Operations Center by Jimmy Mesta
Containerizing your Security Operations CenterContainerizing your Security Operations Center
Containerizing your Security Operations Center
Jimmy Mesta985 views
Netflix oss season 1 episode 3 by Ruslan Meshenberg
Netflix oss season 1 episode 3 Netflix oss season 1 episode 3
Netflix oss season 1 episode 3
Ruslan Meshenberg154.2K views
Kubernetes 101 for_penetration_testers_-_null_mumbai by n|u - The Open Security Community
Kubernetes 101 for_penetration_testers_-_null_mumbaiKubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbai
n|u - The Open Security Community106 views
Managing your secrets in a cloud environment by Taswar Bhatti
Managing your secrets in a cloud environmentManaging your secrets in a cloud environment
Managing your secrets in a cloud environment
Taswar Bhatti2.1K views
Crypto Options in AWS by Amazon Web Services
Crypto Options in AWSCrypto Options in AWS
Crypto Options in AWS
Amazon Web Services8.9K views
DCSF19 Container Security: Theory & Practice at Netflix by Docker, Inc.
DCSF19 Container Security: Theory & Practice at NetflixDCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at Netflix
Docker, Inc.3.6K views
Intelligent Cloud Conference 2018 - Building secure cloud applications with A... by Tom Kerkhove
Intelligent Cloud Conference 2018 - Building secure cloud applications with A...Intelligent Cloud Conference 2018 - Building secure cloud applications with A...
Intelligent Cloud Conference 2018 - Building secure cloud applications with A...
Tom Kerkhove293 views
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security by DevOpsDays Riga
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDays Riga554 views

Recently uploaded

MVP and prioritization.pdf by
MVP and prioritization.pdfMVP and prioritization.pdf
MVP and prioritization.pdfrahuldharwal141
39 views8 slides
Setting Up Your First CloudStack Environment with Beginners Challenges - MD R... by
Setting Up Your First CloudStack Environment with Beginners Challenges - MD R...Setting Up Your First CloudStack Environment with Beginners Challenges - MD R...
Setting Up Your First CloudStack Environment with Beginners Challenges - MD R...ShapeBlue
178 views15 slides
Digital Personal Data Protection (DPDP) Practical Approach For CISOs by
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
162 views59 slides
Zero to Cloud Hero: Crafting a Private Cloud from Scratch with XCP-ng, Xen Or... by
Zero to Cloud Hero: Crafting a Private Cloud from Scratch with XCP-ng, Xen Or...Zero to Cloud Hero: Crafting a Private Cloud from Scratch with XCP-ng, Xen Or...
Zero to Cloud Hero: Crafting a Private Cloud from Scratch with XCP-ng, Xen Or...ShapeBlue
199 views20 slides
Cencora Executive Symposium by
Cencora Executive SymposiumCencora Executive Symposium
Cencora Executive Symposiummarketingcommunicati21
160 views14 slides
Qualifying SaaS, IaaS.pptx by
Qualifying SaaS, IaaS.pptxQualifying SaaS, IaaS.pptx
Qualifying SaaS, IaaS.pptxSachin Bhandari
1.1K views8 slides

Recently uploaded(20)

MVP and prioritization.pdf by rahuldharwal141
MVP and prioritization.pdfMVP and prioritization.pdf
MVP and prioritization.pdf
rahuldharwal14139 views
Setting Up Your First CloudStack Environment with Beginners Challenges - MD R... by ShapeBlue
Setting Up Your First CloudStack Environment with Beginners Challenges - MD R...Setting Up Your First CloudStack Environment with Beginners Challenges - MD R...
Setting Up Your First CloudStack Environment with Beginners Challenges - MD R...
ShapeBlue178 views
Digital Personal Data Protection (DPDP) Practical Approach For CISOs by Priyanka Aash
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Priyanka Aash162 views
Zero to Cloud Hero: Crafting a Private Cloud from Scratch with XCP-ng, Xen Or... by ShapeBlue
Zero to Cloud Hero: Crafting a Private Cloud from Scratch with XCP-ng, Xen Or...Zero to Cloud Hero: Crafting a Private Cloud from Scratch with XCP-ng, Xen Or...
Zero to Cloud Hero: Crafting a Private Cloud from Scratch with XCP-ng, Xen Or...
ShapeBlue199 views
Cencora Executive Symposium by marketingcommunicati21
Cencora Executive SymposiumCencora Executive Symposium
Cencora Executive Symposium
marketingcommunicati21160 views
Qualifying SaaS, IaaS.pptx by Sachin Bhandari
Qualifying SaaS, IaaS.pptxQualifying SaaS, IaaS.pptx
Qualifying SaaS, IaaS.pptx
Sachin Bhandari1.1K views
Future of Indian ConsumerTech by Kapil Khandelwal (KK)
Future of Indian ConsumerTechFuture of Indian ConsumerTech
Future of Indian ConsumerTech
Kapil Khandelwal (KK)36 views
Webinar : Desperately Seeking Transformation - Part 2: Insights from leading... by The Digital Insurer
Webinar : Desperately Seeking Transformation - Part 2: Insights from leading...Webinar : Desperately Seeking Transformation - Part 2: Insights from leading...
Webinar : Desperately Seeking Transformation - Part 2: Insights from leading...
The Digital Insurer91 views
The Power of Generative AI in Accelerating No Code Adoption.pdf by Saeed Al Dhaheri
The Power of Generative AI in Accelerating No Code Adoption.pdfThe Power of Generative AI in Accelerating No Code Adoption.pdf
The Power of Generative AI in Accelerating No Code Adoption.pdf
Saeed Al Dhaheri39 views
LLMs in Production: Tooling, Process, and Team Structure by Aggregage
LLMs in Production: Tooling, Process, and Team StructureLLMs in Production: Tooling, Process, and Team Structure
LLMs in Production: Tooling, Process, and Team Structure
Aggregage57 views
"Surviving highload with Node.js", Andrii Shumada by Fwdays
"Surviving highload with Node.js", Andrii Shumada "Surviving highload with Node.js", Andrii Shumada
"Surviving highload with Node.js", Andrii Shumada
Fwdays58 views
Hypervisor Agnostic DRS in CloudStack - Brief overview & demo - Vishesh Jinda... by ShapeBlue
Hypervisor Agnostic DRS in CloudStack - Brief overview & demo - Vishesh Jinda...Hypervisor Agnostic DRS in CloudStack - Brief overview & demo - Vishesh Jinda...
Hypervisor Agnostic DRS in CloudStack - Brief overview & demo - Vishesh Jinda...
ShapeBlue164 views
NTGapps NTG LowCode Platform by Mustafa Kuğu
NTGapps NTG LowCode Platform NTGapps NTG LowCode Platform
NTGapps NTG LowCode Platform
Mustafa Kuğu437 views
2FA and OAuth2 in CloudStack - Andrija Panić - ShapeBlue by ShapeBlue
2FA and OAuth2 in CloudStack - Andrija Panić - ShapeBlue2FA and OAuth2 in CloudStack - Andrija Panić - ShapeBlue
2FA and OAuth2 in CloudStack - Andrija Panić - ShapeBlue
ShapeBlue152 views
Updates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBIT by ShapeBlue
Updates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBITUpdates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBIT
Updates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBIT
ShapeBlue208 views
Mitigating Common CloudStack Instance Deployment Failures - Jithin Raju - Sha... by ShapeBlue
Mitigating Common CloudStack Instance Deployment Failures - Jithin Raju - Sha...Mitigating Common CloudStack Instance Deployment Failures - Jithin Raju - Sha...
Mitigating Common CloudStack Instance Deployment Failures - Jithin Raju - Sha...
ShapeBlue183 views
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue by ShapeBlue
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlueVNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue
ShapeBlue207 views
The Role of Patterns in the Era of Large Language Models by Yunyao Li
The Role of Patterns in the Era of Large Language ModelsThe Role of Patterns in the Era of Large Language Models
The Role of Patterns in the Era of Large Language Models
Yunyao Li91 views
Ransomware is Knocking your Door_Final.pdf by Security Bootcamp
Ransomware is Knocking your Door_Final.pdfRansomware is Knocking your Door_Final.pdf
Ransomware is Knocking your Door_Final.pdf
Security Bootcamp98 views
Elevating Privacy and Security in CloudStack - Boris Stoyanov - ShapeBlue by ShapeBlue
Elevating Privacy and Security in CloudStack - Boris Stoyanov - ShapeBlueElevating Privacy and Security in CloudStack - Boris Stoyanov - ShapeBlue
Elevating Privacy and Security in CloudStack - Boris Stoyanov - ShapeBlue
ShapeBlue224 views

Secrets in Kubernetes

  • 1. Senior System Architect, Google Developer Expert, Authorised Trainer SECRETS IN KUBERNETES JERRY JALAVA JERRY@QVIK.FI | @W_I
  • 2. WHAT SECRETS DO APPLICATIONS HAVE? QUESTION @QVIK
  • 3. COMMON SECRETS ‣ Database credentials ‣ API credentials & endpoints (Twitter, FB, etc.) ‣ Infrastructure API credentials (Google, AWS, Azure) ‣ Private (TLS) Keys (careful here) ‣ Etc. @QVIKPhotos: CC0 License, https://www.pexels.com
  • 4. I’LL JUST INCLUDE THEM WITH MY CODE… WELL, EASY ENOUGH… @QVIK
  • 6. JUST AS AN EXAMPLE Dev put AWS keys on Github. Bots are crawling all over GitHub seeking secret keys… "When I woke up the next morning, I had emails and a missed phone call from Amazon AWS - ~140 servers running on my AWS account" - a developer served with a $2,375 Bitcoin mining bill http://www.theregister.co.uk/ @QVIKPhotos: CC0 License, https://www.pexels.com
  • 7. I’LL JUST INCLUDE THEM IN MY CONTAINER… WELL, EASY ENOUGH… @QVIK
  • 9. DOCKER is about transportable and executable code. Containers can be inspected, exported and published publicly. Putting sensitive material inside Docker Container is NOT a good idea. @QVIK
  • 10. THE TWELVE-FACTOR APP ‣ http://12factor.net/ ‣ Methodology for building software-as-a-service apps, collection of best practises ‣ Suggests following: ‣ Store config in the environment ‣ config is everything that is likely to vary between deploys @QVIK
  • 11. KUBERNETES (K8s) ‣ Ancient Greek for “pilot” or “helmsman”; root of the English word “governor” ‣ Orchestrator for containers ‣ Supports multi-cloud environments ‣ Started by Google ‣ Open source ‣ Manage applications, not machines @QVIK
  • 12. MAIN COMPONENTS PODS Ephemeral units used to manage 1-n tightly coupled containers LABELS Metadata attached to objects such as Pods. Enable organization and selection of objects REPLICATION CONTROLLERS Manages requested number of Pod “replicas” from defined template 1 2 3 SERVICES Low overhead load- balancing of requests to set of Pods based on Labels 4 @QVIK
  • 14. WHAT ARE THEY? ‣ K8s Secret-objects are first-class citizens in the ecosystem ‣ Designed to hold all kinds of sensitive information in safe and flexible way. ‣ They can be used by Pods (FS & Env) and the underlying kubelet when pulling images @QVIK
  • 15. PROS ‣ Secrets can be mounted as data volumes or be exposed as environment variables to be used by a container in a pod ‣ A secret is only sent to a node if a pod on that node requires it ‣ Secret data on nodes is stored in tmpfs volumes and thus does not come to rest on the node ‣ Communication between user to the api-server, and from api-server to the kubelets, is protected by SSL/TLS @QVIK
  • 16. CONS ‣ In the API server secret data is stored as plaintext in etcd, therefore: ‣ Administrators should limit access to etcd to admin users ‣ Secret data in the API server is at rest on the disk that etcd uses (wipe/shred disks when not used) ‣ It is not possible currently to control which users of a K8s cluster can access a secret (Support planned) ‣ It is still possible to accidentally push the Secrets definition to version control @QVIK
  • 17. GOTCHAS ‣ A Secret needs to be created before any pods that depend on it ‣ Individual secrets are limited to 1MB in size ‣ They can only be referenced by pods in same namespace ‣ Once a pod is started, its secret volumes will not change, even if the secret resource is modified ‣ It is not possible currently to check what resource version of a secret object was used when a pod was created (planned feature) ‣ The key must be formatted as DNS subdomain (leading dots allowed), with max length of 253 characters @QVIK
  • 18. EXAMPLES ‣ echo "admin" > ./username.txt && echo "1f2d1e2e67df" > ./ password.txt ‣ kubectl create secret generic db-user-pass --from-file=./ username.txt --from-file=./password.txt ‣ echo "admin" | base64 ‣ kubectl create -f ./mysecret.yaml @QVIK
  • 21. WHAT ARE THEY? ‣ key-value pairs of configuration data ‣ Similar to Secrets, but designed to more conveniently support working with strings that do not contain sensitive information ‣ Can be used to store fine-grained information like individual properties or coarse-grained information like entire config files or JSON blobs @QVIK