We’ve all experienced it: you’re working on a task, adding some code, and then you need to store some sensitive configuration value. It could be an API key, client secret or an encryption key ― something that’s highly sensitive and must be kept secret. And this is where things get messy. Usually, secret storage is highly coupled with how the code is deployed, and different platforms have different solutions. Kubernetes has a promise to simplify this process by using the native secret object, which, as the name implies, can be used to store secrets or sensitive configurations. Unfortunately, Kubernetes secrets are fundamentally broken, and a developer who tries to use them will definitely have some issues. But no need to worry ― there are solid alternatives for storing secrets securely on Kubernetes platform. One solution is to use Kamus, an open-source, git-ops solution, that created by Soluto, for managing secrets on Kubernetes. Kamus can encrypt a secret so it can be decrypted only by your app on runtime - and not by anyone else. The first part of this session will cover the challenges faced when using Kubernetes secrets (from a usability and security point of view). The second part will discuss some of the existing solutions (Sealed Secrets, Helm Secrets and others), their pros, and cons, and then feature Kamus: how it works, what problems it solves, how it differs from other solutions, and what threats it can help mitigate (and what threats it can’t). The talk will cover all that is required to know so you can run Kamus on your own cluster and use it for secret management. Join me for this session to learn how you can build a Kubernetes cluster than can keep a secret ― for real.
26. @omerlh
Issues
● Key Management
○ Sealed Secret – single key-pair in the cluster
○ Helm Secret – based on Mozilla mops (AWS/GCP KMS support)
○ Coupled to a specific cluster/deployment method
51. @omerlh
How can I use it?
● Simply using helm:
helm install kamus soluto/kamus
● Checkout the install guide for a
secure installation
● Blog post - https://bit.ly/2T2Nhgs
52. @omerlh
Kamus Roadmap
● Rolling encryption keys
● Quality – improve test coverage
● Non-Kubernetes deployments
● SPIFFE support
Hey, good morning everyone
My name is Omer
I want to start this talk by showing gratitude
First, to all the people who worked hard on organizing this conf and all the people who are working today so we all could enjoy it - thank you
Second, I want to thank the organizers who choose me to speak here, so thank you. It is a big honor
<pause>
Can kubernetes keep a secret?
<pause>
Why?
Raise you’re hand if you ever worked on a project and you had to deal with credentials: API Key, client secret, certificates etc
What you need to do is pass these credentials securely to the platform running your code, so the app in production can use it. Different platforms have different solutions to the problem (sometime good, sometime bad).
This talk will focus on Kubernetes – how we can tell a secret to Kubernetes, and make sure only Kubernetes will know it?
But first – let me introduce myself quickly, so you could understand what are my credentials and where I’m coming from.
I’m a builder, this is what I love doing and doing it from a really early age
Doing it professionally for the last 8 years
I’m from Israel, married etc
Who else is a builder? This talk is for you!
Today I’m working at Soluto, our missing is to help people with their technology
My job is DevSecOps, or as I see it - helping the entire team to build a more secure software
I’m achieving it via many approaches, including education, reviewing and threat modeling – but what I love the most is threat modeling
About me slides
What you need to do is pass these credentials securely to the platform running your code, so the app in production can use it. Different platforms have different solutions to the problem (sometime good, sometime bad).
This talk will focus on Kubernetes – how we can tell a secret to Kubernetes, and make sure only Kubernetes will know it?
Explain why it is a challenge – you cant expect one person to manage all secrets
Why not solved it manually
Explain why it is a challenge – you cant expect one person to manage all secrets
Why not solved it manually
And that’s why we love GitOps: Git is a tool that all devs are familiar with.
And we started to look for solutions. It want not an easy path, and today I want to share with you the process we want through.
So, let’s start we talking on what we want.
Choose one sentence
Security is what we all here love
Security features like encryption at rest
Encoding is not encrypting
Adding native approach
Add meme
Security is what we all here love
Security is what we all here love
Battle tested
Add attributation
Add headlines – encryptor & decryptor
We really love Kamus, we’re been using it in production for the past 6 months
End of journey meme/image
Today I discussed 3 different solutions for secret management on Kubenretes. All are good solutions, depend on your requirments.
I started the talk by asking “Can Kubernetes keep a secret?”
Now you that yes – Kubernetes can. You just need to use the right tool for you’re use case.