Can Kubernetes Keep a Secret? - Women in AppSec Webinar

•Download as PPTX, PDF•

1 like•152 views

We’ve all experienced it: you’re working on a task, adding some code, and then you need to store some sensitive configuration value. It could be an API key, client secret or an encryption key ― something that’s highly sensitive and must be kept secret. And this is where things get messy. Usually, secret storage is highly coupled with how the code is deployed, and different platforms have different solutions. Kubernetes has a promise to simplify this process by using the native secret object, which, as the name implies, can be used to store secrets or sensitive configurations. Unfortunately, Kubernetes secrets are fundamentally broken, and a developer who tries to use them will definitely have some issues. But no need to worry ― there are solid alternatives for storing secrets securely on Kubernetes platform. One solution is to use Kamus, an open-source, git-ops solution, that created by Soluto, for managing secrets on Kubernetes. Kamus can encrypt a secret so it can be decrypted only by your app on runtime - and not by anyone else. The first part of this session will cover the challenges faced when using Kubernetes secrets (from a usability and security point of view). The second part will discuss some of the existing solutions (Sealed Secrets, Helm Secrets and others), their pros, and cons, and then feature Kamus: how it works, what problems it solves, how it differs from other solutions, and what threats it can help mitigate (and what threats it can’t). The talk will cover all that is required to know so you can run Kamus on your own cluster and use it for secret management. Join me for this session to learn how you can build a Kubernetes cluster than can keep a secret ― for real.

@omerlh
Can Kubernetes Keep a
Secret?
Omer Levi Hevroni
October 2019

@omerlh@omerlh

@omerlh
I’m a builder
@omerlh

@omerlh
DevSecOps @

@omerlh
I OWASP
• Zap contributor
• Proud member
• Glue project leader

@omerlh

@omerlh
@omerlh
Kubernetes: Container
Orchestration Platform

@omerlh
Containers

@omerlh
Kubernetes 101
Kubernetes Icons Source: Kubernetes Community, Apache 2 license
Cluster
Name space

@omerlh

@omerlh
Super-Devs: Full Responsibility
● Writing Code
● Deploying to Production
● Monitoring
https://www.imdb.com/title/tt4016454/mediaviewer/rm2380811776

@omerlh
Super-Devs Need Help
● Good tools to support them
● Make it harder to do mistakes
● Secure by design

@omerlh

@omerlh
Kubernetes Manifest Files

@omerlh
Manifests
Files
Code
A GitOps Solution
Kubernetes Icons Source: Kubernetes Community, Apache 2 license

@omerlh
How do we manage secrets?

@omerlh
Manifests
Files
Code
Secret
A GitOps Solution
Kubernetes Icons Source: Kubernetes Community, Apache 2 license

@omerlh
Requirements
 GitOps
 Kubernetes native
 Secure
 “One-way encryption”

@omerlh
Pod is out of scope
● Who can “SSH” into it?
● What is running on the pod?
● Does the code leaked the secrets?

@omerlh
Let’s Go!

@omerlh
First iteration – Kubernetes Secrets

@omerlh
https://kubernetes.io/docs/concepts/configuration/secret/

@omerlh
Secrets Manifest File

@omerlh
Requirements
 GitOps
 Kubernetes native
 Secure

@omerlh@omerlh

@omerlh
Secrets Manifest File

@omerlh
Well, that complicates things…
http://i.imgur.com/5ebYy62.jpg
@omerlh

@omerlh
Requirements
 GitOps – under some serious limitations
 Kubernetes native
 Secure – depend on usage

@omerlh

@omerlh
Travis Encrypted Secrets
https://docs.travis-ci.com/user/encryption-keys/

@omerlh
Eureka!
http://theunprofessionalblog.blogspot.com/2016/04/whatsapp-this-is-killing-me.html

@omerlh
Second iteration – Kamus
Travis secret encryption – for Kubernetes

@omerlh
What?
● An open source project by Soluto
● Allows to encrypt a secret for a specific application

@omerlh
Application Identity?

@omerlh
Service Account Token (JWT)

@omerlh
Encrypting for a specific application

@omerlh
Encrypting for a specific application

@omerlh
Manifests
Files
Code
Encrypted
Secret
A GitOps Solution
Kubernetes Icons Source: Kubernetes Community, Apache 2 license

@omerlh
Secret Decryption
Kubernetes Icons Source: Kubernetes Community, Apache 2 license

@omerlh
Kamus?

@omerlh
Let’s talk about security

@omerlh
Permission Model
Encrypt Decrypt
User Yes (Can be
limited)
No
Pod Yes Only it’s own
secrets

@omerlh
Security Features
● Secured CLI
○ Enforce HTTPS
○ Support for certificate pinning
● Strong encryption (using Azure KeyVault, AWS/GCP KMS)
○ HSM protection
● One-way encryption
● Security tests

@omerlh
Public Threat Model
https://kamus.soluto.io/docs/threatmodeling/threats_controls/

@omerlh
Security.md
https://github.com/Soluto/kamus/blob/master/security.md

@omerlh
Kamus - A perfect solution
 GitOps
 Kubernetes native
 Secure

@omerlh
How can I use it?
● Simply using helm:
helm install kamus soluto/kamus
● Checkout the install guide for a secure
installation
● Blog post - https://bit.ly/2T2Nhgs

@omerlh
Wrapping Up

@omerlh
Solutions
GitOps Kubernetes
Native
Secure
Kubernetes
Secrets
It depends Yes It depends
Kamus Yes Yes Yes

@omerlh
Can Kubernetes Keep a Secret?
@omerlh

@omerlh
Kamus Enable Super-Devs to Fly Higher
https://www.imdb.com/title/tt4016454/mediaviewer/rm2380811776

@omerlh
Thank You!
Omer Levi Hevroni
October 2019

More Related Content

What's hot

Implementing Lightweight Kubernetes(K3s) on Raspberry Pi Stack - Sangam Biradar

Implementing Lightweight Kubernetes(K3s) on Raspberry Pi Stack - Sangam Biradar

Implementing Lightweight Kubernetes(K3s) on Raspberry Pi Stack - Sangam Biradar

With Kubernetes, implementing security policies can be challenging. First, developers, administrators, and security teams need to understand security policies in collaboration to have the best chance of successful adoption. Next, policy enforcement needs to integrate with developer workflows. Lastly, policies need to contain corrective action that is as close to the developer as possible. KubeLinter solves these problems by linting Kubernetes YAML files and Helm charts at the source: the developer. In this session, we will evaluate KubeLinter by moving through a hands-on demo of the application, showing a use case for local machines and CI pipeline integration, and chatting about how best to integrate it into your organization: KubeLinter, and its default checks How you can leverage the application in your day-to-day operations The open source StackRox community

Kubernetes configuration and security policies with KubeLinter | DevNation Te...

Kubernetes configuration and security policies with KubeLinter | DevNation Te...

Kubernetes configuration and security policies with KubeLinter | DevNation Te...

Red Hat Developers

SMART Cloud - K8s in produzione - best practices

SMART Cloud - K8s in produzione - best practices

SMART Cloud - K8s in produzione - best practices

Building Rich Applications with Appcelerator

Building Rich Applications with Appcelerator

Building Rich Applications with Appcelerator

There are a lot of Continuous Integration services but Jenkins is still one of the most used in most programming languages. In this talk I will share the CurrencyFair experience, how our IT Team made of 40 engineers manage CurrencyFair delivery with GitHub, Jenkins, Hubot and Slack on different environments. Artifact to guarantee the stability of your codebase, pipeline and some Jenkins’s plugins in order to create the most comfortable delivery flow for your projects.

Jenkins in the real world - DevOpsCon 2017

Jenkins in the real world - DevOpsCon 2017

Jenkins in the real world - DevOpsCon 2017

Gianluca Arbezzano

Introduction to Eclipse Che / EclipseCon 2014

Introduction to Eclipse Che / EclipseCon 2014

Introduction to Eclipse Che / EclipseCon 2014

Orchestrating Microservices with Kubernetes

Orchestrating Microservices with Kubernetes

Orchestrating Microservices with Kubernetes

Enterprise Kubernetes from Canonical

Enterprise Kubernetes from Canonical

Enterprise Kubernetes from Canonical

Dustin Kirkland

#ATAGTR2019 Presentation "What’s your Cloud Assurance Strategy?" By Sai Subra...

#ATAGTR2019 Presentation "What’s your Cloud Assurance Strategy?" By Sai Subra...

#ATAGTR2019 Presentation "What’s your Cloud Assurance Strategy?" By Sai Subra...

Agile Testing Alliance

Docker containers have brought great opportunities to shorten the deployment process through continuous integration and delivery of applications and microservices. This applies equally to enterprise datacenters as well the cloud. Jari discuss the solutions and benefits of a deeply-integrated deployment pipeline for using technologies such as container management platforms, Docker containers, and CI/CD solutions. He also demonstrated deployment of a CI/CD pipeline using container management, as well as showed how to deploy a containerized application using Github, Travis, Kontena, CoreOS and DigitalOcean with a continuous delivery pipeline. Attendees learned how the deployment process can be automated and significantly sped up by using containers and modern CI/CD pipeline tools. Through the demo example, the attendees will see an example of how this is built and run using the mentioned CI/CD solutions. This showed them how a continuous delivery pipeline will help streamline their processes and make deployments more agile.

CD NYC From Source Code to Production

CD NYC From Source Code to Production

CD NYC From Source Code to Production

Real World CI/CD with Kubernetes

Real World CI/CD with Kubernetes

Real World CI/CD with Kubernetes

2015 was a good year for the new Docker. Between Docker Engine evolution (network, volumes,...), the new Enterprise oriented products (Trusted Registry, Universal Control plane), Docker Swarm 1.0... Docker is now a corner stone in the IT world and is part of the DevOps vision. After a presentation of the DockerCon EU 2015 which happened last November in Barcelona, we will present the news from the Docker eco-system, and the improvement achieved to make easier for the adoption of Docker in production.

What's hot docker con eu 2015 & what's new on docker 1.9

What's hot docker con eu 2015 & what's new on docker 1.9

What's hot docker con eu 2015 & what's new on docker 1.9

Kubernetes and bluemix

Kubernetes and bluemix

Kubernetes and bluemix

Docker containers are all the rage nowadays. We all heard of them - the marvelous new kid on the block which runs on Linux. But what about all of us Windows developers? You know… that OS with the four squares… Who use the FULL .NET framework? Who run on Windows? Who LOVE Windows?? Enter Windows Containers. Windows containers are containers just like the Docker containers you know and love which work with the same Docker tools, but with one BIG difference - they run on Windows! In this one hour session I'll show you what are Windows Containers and how you can use them to easily package and deploy your Windows applications, services, IIS apps and Windows dependencies such as SQL Server to a Windows cluster using standard and familiar Docker tools.

Windows Containers

Windows Containers

Windows Containers

Docker Meetup Feb 2018 Develop and deploy Kubernetes Apps with Docker

Docker Meetup Feb 2018 Develop and deploy Kubernetes Apps with Docker

Docker Meetup Feb 2018 Develop and deploy Kubernetes Apps with Docker

Patrick Chanezon

Current State of Docker Platform - Nov 2019

Current State of Docker Platform - Nov 2019

Current State of Docker Platform - Nov 2019

Ajeet Singh Raina

.Net: Introduction, trends and future

.Net: Introduction, trends and future

.Net: Introduction, trends and future

Demystifying Docker101

Demystifying Docker101

Demystifying Docker101

Ajeet Singh Raina

Intro to Eclipse Che, by Tyler Jewell

Intro to Eclipse Che, by Tyler Jewell

Intro to Eclipse Che, by Tyler Jewell

How to share a Kubernetes cluster securely through Lens spaces

How to share a Kubernetes cluster securely through Lens spaces

How to share a Kubernetes cluster securely through Lens spaces

What's hot (20)

Implementing Lightweight Kubernetes(K3s) on Raspberry Pi Stack - Sangam Biradar

Implementing Lightweight Kubernetes(K3s) on Raspberry Pi Stack - Sangam Biradar

Implementing Lightweight Kubernetes(K3s) on Raspberry Pi Stack - Sangam Biradar

Kubernetes configuration and security policies with KubeLinter | DevNation Te...

Kubernetes configuration and security policies with KubeLinter | DevNation Te...

Kubernetes configuration and security policies with KubeLinter | DevNation Te...

SMART Cloud - K8s in produzione - best practices

SMART Cloud - K8s in produzione - best practices

SMART Cloud - K8s in produzione - best practices

Building Rich Applications with Appcelerator

Building Rich Applications with Appcelerator

Building Rich Applications with Appcelerator

Jenkins in the real world - DevOpsCon 2017

Jenkins in the real world - DevOpsCon 2017

Jenkins in the real world - DevOpsCon 2017

Introduction to Eclipse Che / EclipseCon 2014

Introduction to Eclipse Che / EclipseCon 2014

Introduction to Eclipse Che / EclipseCon 2014

Orchestrating Microservices with Kubernetes

Orchestrating Microservices with Kubernetes

Orchestrating Microservices with Kubernetes

Enterprise Kubernetes from Canonical

Enterprise Kubernetes from Canonical

Enterprise Kubernetes from Canonical

#ATAGTR2019 Presentation "What’s your Cloud Assurance Strategy?" By Sai Subra...

#ATAGTR2019 Presentation "What’s your Cloud Assurance Strategy?" By Sai Subra...

#ATAGTR2019 Presentation "What’s your Cloud Assurance Strategy?" By Sai Subra...

CD NYC From Source Code to Production

CD NYC From Source Code to Production

CD NYC From Source Code to Production

Real World CI/CD with Kubernetes

Real World CI/CD with Kubernetes

Real World CI/CD with Kubernetes

What's hot docker con eu 2015 & what's new on docker 1.9

What's hot docker con eu 2015 & what's new on docker 1.9

What's hot docker con eu 2015 & what's new on docker 1.9

Kubernetes and bluemix

Kubernetes and bluemix

Kubernetes and bluemix

Windows Containers

Windows Containers

Windows Containers

Docker Meetup Feb 2018 Develop and deploy Kubernetes Apps with Docker

Docker Meetup Feb 2018 Develop and deploy Kubernetes Apps with Docker

Docker Meetup Feb 2018 Develop and deploy Kubernetes Apps with Docker

Current State of Docker Platform - Nov 2019

Current State of Docker Platform - Nov 2019

Current State of Docker Platform - Nov 2019

.Net: Introduction, trends and future

.Net: Introduction, trends and future

.Net: Introduction, trends and future

Demystifying Docker101

Demystifying Docker101

Demystifying Docker101

Intro to Eclipse Che, by Tyler Jewell

Intro to Eclipse Che, by Tyler Jewell

Intro to Eclipse Che, by Tyler Jewell

How to share a Kubernetes cluster securely through Lens spaces

How to share a Kubernetes cluster securely through Lens spaces

How to share a Kubernetes cluster securely through Lens spaces

Similar to Can Kubernetes Keep a Secret? - Women in AppSec Webinar

We’ve all experienced it: you’re working on a task, adding some code, and then you need to store some sensitive configuration value. It could be an API key, client secret or an encryption key ― something that’s highly sensitive and must be kept secret. And this is where things get messy. Usually, secret storage is highly coupled with how the code is deployed, and different platforms have different solutions. Kubernetes has a promise to simplify this process by using the native secret object, which, as the name implies, can be used to store secrets or sensitive configurations. Unfortunately, Kubernetes secrets are fundamentally broken, and a developer who tries to use them will definitely have some issues. But no need to worry ― there are solid alternatives for storing secrets securely on Kubernetes platform. One solution is to use Kamus, an open-source, git-ops solution, that created by Soluto, for managing secrets on Kubernetes. Kamus can encrypt a secret so it can be decrypted only by your app on runtime - and not by anyone else. The first part of this session will cover the challenges faced when using Kubernetes secrets (from a usability and security point of view). The second part will discuss some of the existing solutions (Sealed Secrets, Helm Secrets and others), their pros, and cons, and then feature Kamus: how it works, what problems it solves, how it differs from other solutions, and what threats it can help mitigate (and what threats it can’t). The talk will cover all that is required to know so you can run Kamus on your own cluster and use it for secret management. Join me for this session to learn how you can build a Kubernetes cluster than can keep a secret ― for real.

Can Kubernetes Keep a Secret?

Can Kubernetes Keep a Secret?

Can Kubernetes Keep a Secret?

Kamus intro

Using CredHub for Kubernetes Deployments

Using CredHub for Kubernetes Deployments

Using CredHub for Kubernetes Deployments

Kubernetes Secrets Management on Production with Demo

Kubernetes Secrets Management on Production with Demo

Kubernetes Secrets Management on Production with Demo

In this talk I will show how to save secret keys in Docker containers and K8s in production and best practices for saving and securing distribution of secrets. With Docker and k8s secrets we can manage information related to keys that are needed at runtime but cannot be exposed in the Docker image or source code repository. These could be the main talking points: 1.Challenges of security and secret keys in containers 2.Best practices for saving and securing distribution of secrets in Docker Containers 3.Managing secrets in Kubernetes using volumes and sealed-secrets 4.Other tools for distributing secrets in containers like Hashicorp Vault and KeyWhiz

Sharing secret keys in Docker containers and K8s

Sharing secret keys in Docker containers and K8s

Sharing secret keys in Docker containers and K8s

Jose Manuel Ortega Candel

Kubernetes & Cloud Native Indonesia X BukaMeetup - Feb 2023

Kubernetes & Cloud Native Indonesia X BukaMeetup - Feb 2023

Kubernetes & Cloud Native Indonesia X BukaMeetup - Feb 2023

TDC2017 | São Paulo - Trilha Cloud Computing How we figured out we had a SRE ...

TDC2017 | São Paulo - Trilha Cloud Computing How we figured out we had a SRE ...

TDC2017 | São Paulo - Trilha Cloud Computing How we figured out we had a SRE ...

Kubernetes Security

Kubernetes Security

Kubernetes Security

Karthik Gaekwad

London HUG 19/5 - Kubernetes and vault

London HUG 19/5 - Kubernetes and vault

London HUG 19/5 - Kubernetes and vault

London HashiCorp User Group

10 tips for Cloud Native Security

10 tips for Cloud Native Security

10 tips for Cloud Native Security

Karthik Gaekwad

Kubernetes is a fast-paced project and things move really fast. In deploying applications, you have several options like raw YAML files, Helm, or Operator but what are the pros and cons of each? This talk will explore the right ways to manage your production applications through seamless installation, the patch fixes, and upgrades. Several demos will be used on a live cluster to illustrate how things can be done the right way that makes life very easy for the DevOps.

Managing kubernetes deployment with operators

Managing kubernetes deployment with operators

Managing kubernetes deployment with operators

Cloud Technology Experts

Operationalizing Docker at Scale: Lessons from Running Microservices in Produ...

Operationalizing Docker at Scale: Lessons from Running Microservices in Produ...

Operationalizing Docker at Scale: Lessons from Running Microservices in Produ...

DevSecOps in a cloudnative world

DevSecOps in a cloudnative world

DevSecOps in a cloudnative world

Karthik Gaekwad

Creating a single microservice is a well understood problem. Creating a cluster of load-balanced microservices that are resilient and self-healing is not so easy. Managing that cluster with rollouts and rollbacks, scaling individual services on demand, securely sharing secrets and configuration among services is even harder. Kubernetes, an open-source container management system, can help with this. In this talk, we will start with a simple microservice, containerize it using Docker, and scale it to a cluster of resilient microservices managed by Kubernetes. Along the way, we will learn what makes Kubernetes a great system for automating deployment, operations, and scaling of containerized applications.

Resilient microservices with Kubernetes - Mete Atamel

Resilient microservices with Kubernetes - Mete Atamel

Resilient microservices with Kubernetes - Mete Atamel

Happy Helming With Okteto

Happy Helming With Okteto

Happy Helming With Okteto

Join us for a webinar on how to secure your CI/CD pipeline for Kubernetes with GitOps best practices and continuous runtime protection. As modern developers and DevOps teams are embarking on a quest for speed and reliability through automated CI/CD pipelines for Kubernetes, enterprises still need to ensure security and regulatory compliance. Together with Deepfence, the Weaveworks team will explain and demonstrate how GitOps continuous delivery pipelines, combined with continuous security observability, improves the overall security of your development workflow - from Git to production. In this webinar we will demonstrate: Deepfence container scanning Git-to-Kubernetes using FluxCD Deepfence continuous runtime security

Hardening Your CI/CD Pipelines with GitOps and Continuous Security

Hardening Your CI/CD Pipelines with GitOps and Continuous Security

Hardening Your CI/CD Pipelines with GitOps and Continuous Security

Knolx_ Sealed Secrets

Knolx_ Sealed Secrets

Knolx_ Sealed Secrets

A talk given at DevOps Pro Vilnius on March 15, 2018 about container security. In this talk we discussed the core topics around the container ecosystem (host, runtime, image) applicable to both Docker and Kubernetes, as well as discussing usable security/secure by default, and defense in depth principles. Also discussed were security futures like Project Grafeas, libentitlement, LinuxKit concepts, and trusted/untrusted container runtimes in Kubernetes.

It's 2018. Are My Containers Secure Yet!?

It's 2018. Are My Containers Secure Yet!?

It's 2018. Are My Containers Secure Yet!?

Amid pressure to develop faster and release more frequently, the software supply chain has changed significantly in the last few years. The processes and tooling that support our accelerated development introduce new opportunities for cybercrime. Few companies have the time, resources or knowledge to correctly assess their security posture. As a result, supply chain attacks have increased dramatically in the past 5+ years.

Supply chain security - Develop quickly without inviting The Nefarious.pptx

Supply chain security - Develop quickly without inviting The Nefarious.pptx

Supply chain security - Develop quickly without inviting The Nefarious.pptx

Watch the presentation on YouTube: https://youtu.be/_DvFbN-VR3I Many companies and organizations have adopted CI/CD processes in order to help deliver applications running on Kubernetes quickly, transparently, and with automated tests. While this is a desirable goal, it gets more complex when developing a management layer on top of k8s, especially when both images and helm charts are involved. In developing IBM Cloud Private, we have implemented a CI/CD process that automates promotion through a series of quality gates where we 1) Ensure that all charts (43) and images (135) are in sync across three supported architectures 2) Deploy instances of ICP clusters with different topologies, management services, and infrastructure 3) Run automated and manual functional and security regression tests against those clusters. Since implementation, have we have been able to iterate more quickly by discovering issues earlier in the development process.

Kubecon 2019 - Promoting Kubernetes CI/CD to the Next Level

Kubecon 2019 - Promoting Kubernetes CI/CD to the Next Level

Kubecon 2019 - Promoting Kubernetes CI/CD to the Next Level

Similar to Can Kubernetes Keep a Secret? - Women in AppSec Webinar (20)

Can Kubernetes Keep a Secret?

Can Kubernetes Keep a Secret?

Can Kubernetes Keep a Secret?

Kamus intro

Using CredHub for Kubernetes Deployments

Using CredHub for Kubernetes Deployments

Using CredHub for Kubernetes Deployments

Kubernetes Secrets Management on Production with Demo

Kubernetes Secrets Management on Production with Demo

Kubernetes Secrets Management on Production with Demo

Sharing secret keys in Docker containers and K8s

Sharing secret keys in Docker containers and K8s

Sharing secret keys in Docker containers and K8s

Kubernetes & Cloud Native Indonesia X BukaMeetup - Feb 2023

Kubernetes & Cloud Native Indonesia X BukaMeetup - Feb 2023

Kubernetes & Cloud Native Indonesia X BukaMeetup - Feb 2023

TDC2017 | São Paulo - Trilha Cloud Computing How we figured out we had a SRE ...

TDC2017 | São Paulo - Trilha Cloud Computing How we figured out we had a SRE ...

TDC2017 | São Paulo - Trilha Cloud Computing How we figured out we had a SRE ...

Kubernetes Security

Kubernetes Security

Kubernetes Security

London HUG 19/5 - Kubernetes and vault

London HUG 19/5 - Kubernetes and vault

London HUG 19/5 - Kubernetes and vault

10 tips for Cloud Native Security

10 tips for Cloud Native Security

10 tips for Cloud Native Security

Managing kubernetes deployment with operators

Managing kubernetes deployment with operators

Managing kubernetes deployment with operators

Operationalizing Docker at Scale: Lessons from Running Microservices in Produ...

Operationalizing Docker at Scale: Lessons from Running Microservices in Produ...

Operationalizing Docker at Scale: Lessons from Running Microservices in Produ...

DevSecOps in a cloudnative world

DevSecOps in a cloudnative world

DevSecOps in a cloudnative world

Resilient microservices with Kubernetes - Mete Atamel

Resilient microservices with Kubernetes - Mete Atamel

Resilient microservices with Kubernetes - Mete Atamel

Happy Helming With Okteto

Happy Helming With Okteto

Happy Helming With Okteto

Hardening Your CI/CD Pipelines with GitOps and Continuous Security

Hardening Your CI/CD Pipelines with GitOps and Continuous Security

Hardening Your CI/CD Pipelines with GitOps and Continuous Security

Knolx_ Sealed Secrets

Knolx_ Sealed Secrets

Knolx_ Sealed Secrets

It's 2018. Are My Containers Secure Yet!?

It's 2018. Are My Containers Secure Yet!?

It's 2018. Are My Containers Secure Yet!?

Supply chain security - Develop quickly without inviting The Nefarious.pptx

Supply chain security - Develop quickly without inviting The Nefarious.pptx

Supply chain security - Develop quickly without inviting The Nefarious.pptx

Kubecon 2019 - Promoting Kubernetes CI/CD to the Next Level

Kubecon 2019 - Promoting Kubernetes CI/CD to the Next Level

Kubecon 2019 - Promoting Kubernetes CI/CD to the Next Level

More from Soluto

Microservices are social constructs: they can’t function without talking with other services. This also raises an interesting question: do we trust all of our microservices? Not all microservices are the same: some are more sensitive - for example, services that handle personal user data or payment information. Others are user-facing and therefore riskier. We shouldn’t treat all services as equal. A robust mechanism that describes who can talk with who is required. We have been dealing with this challenge for a while at Soluto. In this talk, I’ll share the journey we went through until we found a solution we’re happy with: a simple and declarative system that allows services to define who can access them. Any dev can request access to any service, and the service owner can review it. I’ll share how we build this solution (including all the technical details and live demos!), using open source tools like Open Policy Agent, so you can easily build something similar.

Solving trust issues at scale - AppSec California

Solving trust issues at scale - AppSec California

Solving trust issues at scale - AppSec California

Micro-services are social beings: they can’t function without talking with other services. Every microservice has its own domain, and it usually relies on other micro-services to function properly. But this also raises an interesting question: do we trust all of our micro-services? The truth is that not all micro-services are the same: some micro-services are more sensitive - for example, services that handle user data. Others are user-facing and therefore riskier. We cannot treat all services as equal. We need a good and robust mechanism to describe who can talk with who. At Soluto, we are dealing with this challenge for a while. In this talk, I’ll share the journey we went through until we found a solution we’re happy with: a simple and declarative system that allows services to define who can access them. Any dev can request access to any service, and the service owner can review it. In talk, I’ll share how we build this solution, using open source tools like Open Policy Agent, so you can easily build something similar.

Solving trust issues at scale

Solving trust issues at scale

Solving trust issues at scale

We at Soluto decided to give Istio a try, and started to gradually roll it out in our production environment. While doing that, we had a lot of *interesting* experiences that we weren't aware off - and we'll be happy to share it with you so you can learn from our experience. In the talk, I'll cover issues like high availability, reliability and monitoring - and also production issues we encounter. We do hope that until the meetup we can say that we have istio deployed in production :)

Things I wish someone had told me about Istio, Omer Levi Hevroni

Things I wish someone had told me about Istio, Omer Levi Hevroni

Things I wish someone had told me about Istio, Omer Levi Hevroni

The Dark Side of Monitoring

The Dark Side of Monitoring

The Dark Side of Monitoring

There are so many sophisticated ways to exploit web applications, that it’s almost impossible for a developer to write completely secure code. But we can’t accept this situation. We can’t expose our users (and our user's data) to hackers. So what we can do? We can switch from defense to offense. We can take hacking tools, used by malicious hackers, and use them to test our web application for security issues. In this talk, we will take a vulnerable web application, and try to find as many vulnerabilities as we can - using only automated tools. I’ll discuss the vulnerabilities we find, explain why we should care - and how we can remediate it securely. All the tools I’ll use are tools you can start using today - to scan your applications and make sure you deploy more secure applications.

Hacking like a FED

Hacking like a FED

Hacking like a FED

Monitoria@Icinga camp berlin

Monitoria@Icinga camp berlin

Monitoria@Icinga camp berlin

Writing good code is a challenge. Writing a code that is working, maintainable and secure is very hard to achieve. This is why we need automation – to spot the issues we missed. Tools like unit tests, code coverage or security tests can help detect various issues and help us write better code. This talk will focus on security tests – what kinds of tests exist? What value they have? And most important, what tools what can use to start running these tests today? > The talk will contain a live (and hopefully interactive) demo of the tools, to demo what issues they can detect. All the tools that I’ll discuss are free OSS software that you can start using today.

Secure Your Pipeline

Secure Your Pipeline

Secure Your Pipeline

React new features and intro to Hooks

React new features and intro to Hooks

React new features and intro to Hooks

Secure the Pipeline - OWASP Poland Day 2018

Secure the Pipeline - OWASP Poland Day 2018

Secure the Pipeline - OWASP Poland Day 2018

Monitoria@reversim

Monitoria@reversim

Monitoria@reversim

Those are slides from Dev.IL meetup talk, by Or Rosenblatt & Yshay Yaacobi from Soluto RND https://www.meetup.com/Dev-IL/events/253252917/ ------------------------- You developed a cool java infrastructure for your team. Your team then shifts to python, so you rewrite the utility in python. Then the team next door asks you to do the same rewrite for their node/typescript service. You ask for a raise and write it again in typescript. Now your colleague reads in HackerNews about the next cool trending language in the block. Ain’t nobody got time for that!!!  Join us to hear how the powerful combination sidecar pattern and Kubernetes can help you solve this issue by allowing different services to use the same utility, regardless of stack or language. You will become stack-free forever!

Languages don't matter anymore!

Languages don't matter anymore!

Languages don't matter anymore!

Everybody wants to run their code on Kubernetes these days, but it requires a radical change to your deployment process. You want to make sure you don’t create new vulnerabilities when you take this leap. What kind of security tests can you run in this pipeline to assert that this code does not contain any known vulnerabilities? At Soluto, we started to migrate services to Kubernetes in the recent months, and we would like to share with you what we did. In this session I’m planning to cover our CI/CD pipeline, and give extra attention to the following points: Scanning code dependencies Scanning containers Testing for insecure Kubernetes configurations Securely deploy to Kubernetes cluster Join this session to hear our story and learn about many useful tools you can start using today to deploy secure apps to your Kubernetes cluster. All the tools I’ll present are open source tools, so using them should be as simple as possible.

Security Testing for Containerized Applications

Security Testing for Containerized Applications

Security Testing for Containerized Applications

We all know that running security tests on a CI can gives us a lot of value. And we all know already a few good security tools that we are running or planning to run continuously to ensure our app stays secure. But integrating those tools into the CI is not a simple task. Each one of those tools has it's own API and does not always support all the features we want. For example, we might want to report the finding of each tools as TeamCity tests, or maybe we are using Jira and want to open a new issue for each finding. And what about filtering false positives? Any automated tool will produce false positive findings, but how can we filter them? In this talk I'll demo OWASP Glue - a tool that aims to ease the integration of various security tools into the CI/CD pipeline. The talk was presented on DevSecOps meetup

Owasp glue

Unify logz with fluentd

Unify logz with fluentd

Unify logz with fluentd

Storing data in Redis like a pro

Storing data in Redis like a pro

Storing data in Redis like a pro

Monitor all the thingz slideshare

Monitor all the thingz slideshare

Monitor all the thingz slideshare

Authentication without Authentication - AppSec California

Authentication without Authentication - AppSec California

Authentication without Authentication - AppSec California

Authentication without Authentication - Peerlyst meetup

Authentication without Authentication - Peerlyst meetup

Authentication without Authentication - Peerlyst meetup

Running security tests as a part of your CI pipeline allows you to provide better and more relevant feedback to developers as quickly as possible (also known as the “Shift Left paradigm”/”DevSecOps” methodology). Those slides are from a session at DevOpsDays TLV 2017 - how to use OWASP Zap to create valuable dynamic security tests. In those slide, I'm showing how we added those test to one of our open source project - Tweek (https://github.com/soluto/tweek)

Security Testing with Zap

Security Testing with Zap

Security Testing with Zap

Authentication Without Authentication

Authentication Without Authentication

Authentication Without Authentication

More from Soluto (20)

Solving trust issues at scale - AppSec California

Solving trust issues at scale - AppSec California

Solving trust issues at scale - AppSec California

Solving trust issues at scale

Solving trust issues at scale

Solving trust issues at scale

Things I wish someone had told me about Istio, Omer Levi Hevroni

Things I wish someone had told me about Istio, Omer Levi Hevroni

Things I wish someone had told me about Istio, Omer Levi Hevroni

The Dark Side of Monitoring

The Dark Side of Monitoring

The Dark Side of Monitoring

Hacking like a FED

Hacking like a FED

Hacking like a FED

Monitoria@Icinga camp berlin

Monitoria@Icinga camp berlin

Monitoria@Icinga camp berlin

Secure Your Pipeline

Secure Your Pipeline

Secure Your Pipeline

React new features and intro to Hooks

React new features and intro to Hooks

React new features and intro to Hooks

Secure the Pipeline - OWASP Poland Day 2018

Secure the Pipeline - OWASP Poland Day 2018

Secure the Pipeline - OWASP Poland Day 2018

Monitoria@reversim

Monitoria@reversim

Monitoria@reversim

Languages don't matter anymore!

Languages don't matter anymore!

Languages don't matter anymore!

Security Testing for Containerized Applications

Security Testing for Containerized Applications

Security Testing for Containerized Applications

Owasp glue

Unify logz with fluentd

Unify logz with fluentd

Unify logz with fluentd

Storing data in Redis like a pro

Storing data in Redis like a pro

Storing data in Redis like a pro

Monitor all the thingz slideshare

Monitor all the thingz slideshare

Monitor all the thingz slideshare

Authentication without Authentication - AppSec California

Authentication without Authentication - AppSec California

Authentication without Authentication - AppSec California

Authentication without Authentication - Peerlyst meetup

Authentication without Authentication - Peerlyst meetup

Authentication without Authentication - Peerlyst meetup

Security Testing with Zap

Security Testing with Zap

Security Testing with Zap

Authentication Without Authentication

Authentication Without Authentication

Authentication Without Authentication

Recently uploaded

The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more. Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/ Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.

Transcript: Selling digital books in 2024: Insights from industry leaders - T...

Transcript: Selling digital books in 2024: Insights from industry leaders - T...

Transcript: Selling digital books in 2024: Insights from industry leaders - T...

I'm excited to share my latest predictions on how AI, robotics, and other technological advancements will reshape industries in the coming years. The slides explore the exponential growth of computational power, the future of AI and robotics, and their profound impact on various sectors. Why this matters: The success of new products and investments hinges on precise timing and foresight into emerging categories. This deck equips founders, VCs, and industry leaders with insights to align future products with upcoming tech developments. These insights enhance the ability to forecast industry trends, improve market timing, and predict competitor actions. Highlights: ▪ Exponential Growth in Compute: How $1000 will soon buy the computational power of a human brain ▪ Scaling of AI Models: The journey towards beyond human-scale models and intelligent edge computing ▪ Transformative Technologies: From advanced robotics and brain interfaces to automated healthcare and beyond ▪ Future of Work: How automation will redefine jobs and economic structures by 2040 With so many predictions presented here, some will inevitably be wrong or mistimed, especially with potential external disruptions. For instance, a conflict in Taiwan could severely impact global semiconductor production, affecting compute costs and related advancements. Nonetheless, these slides are intended to guide intuition on future technological trends.

Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl

Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl

Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl

Peter Udo Diehl

Discover the essentials of performance testing in the IT sector with our concise guide. Learn about various testing types such as load, stress, endurance, spike, scalability, and volume testing. Understand key performance metrics like response time, throughput, CPU and memory utilization, and error rate. Explore top tools like Apache JMeter, LoadRunner, Gatling, Neoload, and BlazeMeter. Gain insights into best practices for defining objectives, creating realistic scenarios, automating tests, and optimizing performance to ensure user satisfaction, reliability, scalability, and cost efficiency. Ideal for developers, QA engineers, and IT professionals. Visit Expeed Software for more information. https://expeed.com/

In-Depth Performance Testing Guide for IT Professionals

In-Depth Performance Testing Guide for IT Professionals

In-Depth Performance Testing Guide for IT Professionals

Expeed Software

Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application. In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics. Length: 30 minutes Session Overview ------------------------------------------- During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana: - What out-of-the-box solutions are available for real-time monitoring JMeter tests? - What are the benefits of integrating InfluxDB and Grafana into the load testing stack? - Which features are provided by Grafana? - Demonstration of InfluxDB and Grafana using a practice web application To view the webinar recording, go to: https://www.rttsweb.com/jmeter-integration-webinar

JMeter webinar - integration with InfluxDB and Grafana

JMeter webinar - integration with InfluxDB and Grafana

JMeter webinar - integration with InfluxDB and Grafana

FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf

FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf

FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf

Knowledge engineering: from people to machines and back

Knowledge engineering: from people to machines and back

Knowledge engineering: from people to machines and back

In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.

Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...

Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...

Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...

Join us as we dive into the latest updates to the UiPath Orchestrator API, including new limits and features for 2024. Discover how these changes can enhance your automation projects and streamline your workflows. 📚 Overview of UiPath Orchestrator API 🔧 Recent changes to API limits 🛠️ How to adapt to new limits 📋 Best practices for using the Orchestrator API efficiently ❓ Q&A session

Exploring UiPath Orchestrator API: updates and limits in 2024 🚀

Exploring UiPath Orchestrator API: updates and limits in 2024 🚀

Exploring UiPath Orchestrator API: updates and limits in 2024 🚀

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf

Intrigued by why some of the world's largest companies (Netflix, Google, Cisco, Twitter, Uber etc) are using gRPC? In this demo based talk we delve into the world of gRPC in .Net, what it does and why we should use it. We compare the interface with both Rest and graphQL. We will show you how to implement grpc server-side in .net and in the web. Finally, I will show you how the tooling helps you deliver powerful interfaces and interact with them quickly and simply.

Demystifying gRPC in .Net by John Staveley

Demystifying gRPC in .Net by John Staveley

Demystifying gRPC in .Net by John Staveley

IoT Analytics Company Presentation May 2024

IoT Analytics Company Presentation May 2024

IoT Analytics Company Presentation May 2024

Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”. All of this illustrated with link prediction over knowledge graphs, but the argument is general.

Neuro-symbolic is not enough, we need neuro-*semantic*

Neuro-symbolic is not enough, we need neuro-*semantic*

Neuro-symbolic is not enough, we need neuro-*semantic*

Frank van Harmelen

AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...

AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...

AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...

ODC, Data Fabric and Architecture User Group

ODC, Data Fabric and Architecture User Group

ODC, Data Fabric and Architecture User Group

CatarinaPereira64715

Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...

Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...

Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...

Thierry Lestable

Key Trends Shaping the Future of Infrastructure.pdf

Key Trends Shaping the Future of Infrastructure.pdf

Key Trends Shaping the Future of Infrastructure.pdf

Mission to Decommission: Importance of Decommissioning Products to Increase E...

Mission to Decommission: Importance of Decommissioning Products to Increase E...

Mission to Decommission: Importance of Decommissioning Products to Increase E...

From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...

From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...

From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...

Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to: Create a campaign using Mailchimp with merge tags/fields Send an interactive Slack channel message (using buttons) Have the message received by managers and peers along with a test email for review But there’s more: In a second workflow supporting the same use case, you’ll see: Your campaign sent to target colleagues for approval If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team But—if the “Reject” button is pushed, colleagues will be alerted via Slack message Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors. And... Speakers: Akshay Agnihotri, Product Manager Charlie Greenberg, Host

Connector Corner: Automate dynamic content and events by pushing a button

Connector Corner: Automate dynamic content and events by pushing a button

Connector Corner: Automate dynamic content and events by pushing a button

Designing Great Products: The Power of Design and Leadership by Chief Designe...

Designing Great Products: The Power of Design and Leadership by Chief Designe...

Designing Great Products: The Power of Design and Leadership by Chief Designe...

Recently uploaded (20)

Transcript: Selling digital books in 2024: Insights from industry leaders - T...

Transcript: Selling digital books in 2024: Insights from industry leaders - T...

Transcript: Selling digital books in 2024: Insights from industry leaders - T...

Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl

Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl

Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl

In-Depth Performance Testing Guide for IT Professionals

In-Depth Performance Testing Guide for IT Professionals

In-Depth Performance Testing Guide for IT Professionals

JMeter webinar - integration with InfluxDB and Grafana

JMeter webinar - integration with InfluxDB and Grafana

JMeter webinar - integration with InfluxDB and Grafana

FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf

FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf

FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf

Knowledge engineering: from people to machines and back

Knowledge engineering: from people to machines and back

Knowledge engineering: from people to machines and back

Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...

Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...

Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...

Exploring UiPath Orchestrator API: updates and limits in 2024 🚀

Exploring UiPath Orchestrator API: updates and limits in 2024 🚀

Exploring UiPath Orchestrator API: updates and limits in 2024 🚀

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf

Demystifying gRPC in .Net by John Staveley

Demystifying gRPC in .Net by John Staveley

Demystifying gRPC in .Net by John Staveley

IoT Analytics Company Presentation May 2024

IoT Analytics Company Presentation May 2024

IoT Analytics Company Presentation May 2024

Neuro-symbolic is not enough, we need neuro-*semantic*

Neuro-symbolic is not enough, we need neuro-*semantic*

Neuro-symbolic is not enough, we need neuro-*semantic*

AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...

AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...

AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...

ODC, Data Fabric and Architecture User Group

ODC, Data Fabric and Architecture User Group

ODC, Data Fabric and Architecture User Group

Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...

Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...

Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...

Key Trends Shaping the Future of Infrastructure.pdf

Key Trends Shaping the Future of Infrastructure.pdf

Key Trends Shaping the Future of Infrastructure.pdf

Mission to Decommission: Importance of Decommissioning Products to Increase E...

Mission to Decommission: Importance of Decommissioning Products to Increase E...

Mission to Decommission: Importance of Decommissioning Products to Increase E...

From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...

From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...

From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...

Connector Corner: Automate dynamic content and events by pushing a button

Connector Corner: Automate dynamic content and events by pushing a button

Connector Corner: Automate dynamic content and events by pushing a button

Designing Great Products: The Power of Design and Leadership by Chief Designe...

Designing Great Products: The Power of Design and Leadership by Chief Designe...

Designing Great Products: The Power of Design and Leadership by Chief Designe...

Can Kubernetes Keep a Secret? - Women in AppSec Webinar

1. @omerlh Can Kubernetes Keep a Secret? Omer Levi Hevroni October 2019

2. @omerlh@omerlh

3. @omerlh I’m a builder @omerlh

4. @omerlh DevSecOps @

5. @omerlh I OWASP • Zap contributor • Proud member • Glue project leader

7. @omerlh @omerlh Kubernetes: Container Orchestration Platform

8. @omerlh Containers

9. @omerlh Kubernetes 101 Kubernetes Icons Source: Kubernetes Community, Apache 2 license Cluster Name space

11. @omerlh Super-Devs: Full Responsibility ● Writing Code ● Deploying to Production ● Monitoring https://www.imdb.com/title/tt4016454/mediaviewer/rm2380811776

12. @omerlh Super-Devs Need Help ● Good tools to support them ● Make it harder to do mistakes ● Secure by design

14. @omerlh Kubernetes Manifest Files

15. @omerlh Manifests Files Code A GitOps Solution Kubernetes Icons Source: Kubernetes Community, Apache 2 license

16. @omerlh How do we manage secrets?

17. @omerlh Manifests Files Code Secret A GitOps Solution Kubernetes Icons Source: Kubernetes Community, Apache 2 license

18. @omerlh Requirements  GitOps  Kubernetes native  Secure  “One-way encryption”

19. @omerlh Pod is out of scope ● Who can “SSH” into it? ● What is running on the pod? ● Does the code leaked the secrets?

20. @omerlh Let’s Go!

21. @omerlh First iteration – Kubernetes Secrets

22. @omerlh https://kubernetes.io/docs/concepts/configuration/secret/

23. @omerlh Secrets Manifest File

24. @omerlh Requirements  GitOps  Kubernetes native  Secure

25. @omerlh@omerlh

26. @omerlh Secrets Manifest File

27. @omerlh Well, that complicates things… http://i.imgur.com/5ebYy62.jpg @omerlh

28. @omerlh Requirements  GitOps – under some serious limitations  Kubernetes native  Secure – depend on usage

30. @omerlh Travis Encrypted Secrets https://docs.travis-ci.com/user/encryption-keys/

31. @omerlh Eureka! http://theunprofessionalblog.blogspot.com/2016/04/whatsapp-this-is-killing-me.html

32. @omerlh Second iteration – Kamus Travis secret encryption – for Kubernetes

33. @omerlh What? ● An open source project by Soluto ● Allows to encrypt a secret for a specific application

34. @omerlh Application Identity?

35. @omerlh Service Account Token (JWT)

36. @omerlh Encrypting for a specific application

37. @omerlh Encrypting for a specific application

38. @omerlh Manifests Files Code Encrypted Secret A GitOps Solution Kubernetes Icons Source: Kubernetes Community, Apache 2 license

39. @omerlh Secret Decryption Kubernetes Icons Source: Kubernetes Community, Apache 2 license

40. @omerlh Kamus?

41. @omerlh Let’s talk about security

42. @omerlh Permission Model Encrypt Decrypt User Yes (Can be limited) No Pod Yes Only it’s own secrets

43. @omerlh Security Features ● Secured CLI ○ Enforce HTTPS ○ Support for certificate pinning ● Strong encryption (using Azure KeyVault, AWS/GCP KMS) ○ HSM protection ● One-way encryption ● Security tests

44. @omerlh Public Threat Model https://kamus.soluto.io/docs/threatmodeling/threats_controls/

45. @omerlh Security.md https://github.com/Soluto/kamus/blob/master/security.md

46. @omerlh Kamus - A perfect solution  GitOps  Kubernetes native  Secure

47. @omerlh How can I use it? ● Simply using helm: helm install kamus soluto/kamus ● Checkout the install guide for a secure installation ● Blog post - https://bit.ly/2T2Nhgs

48. @omerlh Wrapping Up

49. @omerlh Solutions GitOps Kubernetes Native Secure Kubernetes Secrets It depends Yes It depends Kamus Yes Yes Yes

50. @omerlh Can Kubernetes Keep a Secret? @omerlh

51. @omerlh Kamus Enable Super-Devs to Fly Higher https://www.imdb.com/title/tt4016454/mediaviewer/rm2380811776

52. @omerlh Thank You! Omer Levi Hevroni October 2019

Editor's Notes

Hey, good morning everyone My name is Omer I want to start this talk by showing gratitude First, to all the people who worked hard on organizing this conf and all the people who are working today so we all could enjoy it - thank you Second, I want to thank the organizers who choose me to speak here, so thank you. It is a big honor <pause> Can kubernetes keep a secret? <pause> Why? Raise you’re hand if you ever worked on a project and you had to deal with credentials: API Key, client secret, certificates etc
What you need to do is pass these credentials securely to the platform running your code, so the app in production can use it. Different platforms have different solutions to the problem (sometime good, sometime bad). This talk will focus on Kubernetes – how we can tell a secret to Kubernetes, and make sure only Kubernetes will know it? But first – let me introduce myself quickly, so you could understand what are my credentials and where I’m coming from.
I’m a builder, this is what I love doing and doing it from a really early age Doing it professionally for the last 8 years I’m from Israel, married etc Who else is a builder? This talk is for you!
Today I’m working at Soluto, our missing is to help people with their technology My job is DevSecOps, or as I see it - helping the entire team to build a more secure software I’m achieving it via many approaches, including education, reviewing and threat modeling – but what I love the most is threat modeling
Big part of my work is OWASP, I’m enthusiast and familiar to many project. I contributed code to projects, mainly Zap and Glue and I’m a paid memember and project leader of Glue. Glue is a tool that helps to integrate security tools into the CI/CD pipeline – I will not have time to dive into the tool, but come talk with me later about it – I have stickers 
What you need to do is pass these credentials securely to the platform running your code, so the app in production can use it. Different platforms have different solutions to the problem (sometime good, sometime bad). This talk will focus on Kubernetes – how we can tell a secret to Kubernetes, and make sure only Kubernetes will know it?
What you need to do is pass these credentials securely to the platform running your code, so the app in production can use it. Different platforms have different solutions to the problem (sometime good, sometime bad). This talk will focus on Kubernetes – how we can tell a secret to Kubernetes, and make sure only Kubernetes will know it?
Explain why it is a challenge – you cant expect one person to manage all secrets Why not solved it manually
Explain why it is a challenge – you cant expect one person to manage all secrets Why not solved it manually
And that’s why we love GitOps: Git is a tool that all devs are familiar with.
And we started to look for solutions. It want not an easy path, and today I want to share with you the process we want through. So, let’s start we talking on what we want.
Choose one sentence
Security features like encryption at rest
Security is what we all here love
Security features like encryption at rest
Encoding is not encrypting Adding native approach
Security is what we all here love
Security is what we all here love
Battle tested
Add attributation
We really love Kamus, we’re been using it in production for the past 6 months
End of journey meme/image
Today I discussed 3 different solutions for secret management on Kubenretes. All are good solutions, depend on your requirments.
I started the talk by asking “Can Kubernetes keep a secret?” Now you that yes – Kubernetes can. You just need to use the right tool for you’re use case.
For us, it was Kamus What Kamus can do for you?