Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Kubecon 2019_eu-k8s-secrets-csi

1,446 views

Published on

Secrets store CSI Driver - Bring your own enterprise secrets store to Kubernetes

Published in: Technology
  • Login to see the comments

Kubecon 2019_eu-k8s-secrets-csi

  1. 1. Secrets Store CSI Driver Bring Your Own Enterprise Secrets Store to Kubernetes Rita Zhang (@ritazzhang, Microsoft) Anubhav Mishra (@anubhavm, HashiCorp)
  2. 2. Rita Zhang • Software engineer, Microsoft, San Francisco • Container upstream team, Azure Kubernetes Service • Maintainer for secrets-store- csi-driver, keyvault-flexvolume, Open Policy Agent Gatekeeper @ritazzhang
  3. 3. Anubhav Mishra • Team Lead, Developer Advocacy, HashiCorp, Vancouver. • Provider Maintainer, Virtual Kubelet, Helm • Provider Maintainer, secrets- stores-csi-driver @anubhavm
  4. 4. Kubernetes Database ž Uses etcd as its persistent storage for API objects ž Stores secrets as base64 encoded plaintext https://kubernetes.io/docs/concepts/overview/components/#etcd
  5. 5. An attacker who can successfully access your cluster database can compromise your entire cluster and have access to your application secrets and cloud resources.
  6. 6. Secret Kubernetes Master etcd Node API Server Kubelet kubectl create secret generic secret1 Secrets
  7. 7. Kubernetes Master etcd Node API Server Kubelet kubectl create -f pod-using-secret.yaml Pod using Secret Pod Pod Pod secret Mount path: /etc/foo
  8. 8. What if instead of storing my secrets in etcd, I want to store and manage access outside of Kubernetes?
  9. 9. kubectl create -f pod-using-secrets-store.yaml Pod using Secrets Store CSI driver Kubernetes Master Node API Server Kubelet Pod Pod Secrets Store CSI Driver Volume Mount path: /etc/foo Secrets Store Service Pod https://github.com/deislabs/secrets-store-csi-driver
  10. 10. secrets-store.csi.k8s.com Driver Parameters EDITOR
  11. 11. Prerequisites for Secrets Store CSI Driver • Minimum system requirements • Kubernetes v1.13.0+ • CSI interface 1.0.0-rc2 • Inline ephemeral volume • Kubernetes v1.15.0-alpha.2+ • Feature-gates • CSIInlineVolume=true
  12. 12. Demo: Secrets Store CSI driver https://github.com/deislabs/secrets-store-csi-driver
  13. 13. With the Kubernetes Secrets Store CSI driver, we can store and retrieve secrets from a Secrets store and mount the data as a volume to containers.
  14. 14. Provider interface • Backend plumbing to access objects from the external secrets store • Conforms to the current API • Callback mechanism to mount objects to a target path
  15. 15. EDITOR
  16. 16. https://github.com/deislabs/secrets-store-csi-driver Demo: Secret Store CSI Driver HashiCorp Vault Provider
  17. 17. What if I want to restrict specific pods access to my secrets store?
  18. 18. https://github.com/deislabs/secrets-store-csi-driver Demo: Secret Store CSI Driver Azure Key Vault Provider + Pod Identity
  19. 19. With Azure Active Directory Pod Identity, we can restrict and enable specific pods access to Azure Key Vault instance based on the pod’s identity.
  20. 20. Project Status • Provider Status • Azure Key Vault - alpha • HashiCorp Vault - alpha • Come help! • Issues • Feedback • User stories • Development
  21. 21. More features! • More providers • Pod identity for more providers • Option to sync to k8s secrets?
  22. 22. Resources • Secrets-Store-CSI driver: https://github.com/deislabs/secrets-store-csi-driver • Azure key vault provider: https://github.com/deislabs/secrets-store-csi- driver/tree/master/pkg/providers/azure • HashiCorp Vault Provider: https://github.com/deislabs/secrets-store-csi- driver/tree/master/pkg/providers/vault • AAD Pod Identity: https://github.com/Azure/aad-pod-identity • Kubernetes Key Vault FlexVolume: https://github.com/Azure/kubernetes-keyvault- flexvol
  23. 23. Thanks! Questions? @anubhavm @ritazzhang

×