Soluto, profile picture
Uploaded bySoluto
PPTX, PDF354 views

FTRD - Can Kubernetes Keep a Secret?

The document discusses various methods for managing secrets in Kubernetes, highlighting the importance of security and integration with GitOps. It contrasts several approaches including Kubernetes Secrets, HashiCorp Vault, and Kamus, outlining their features and limitations. Kamus is presented as a potential solution that meets the requirements of being GitOps-compatible, Kubernetes-native, and secure.

Embed presentation

Download to read offline
Can Kubernetes Keep a Secret? @omerlh
@omerlh
@omerlh I’m a builder @omerlh
@omerlh DevSecOps @
@omerlh Super-Devs: Full Responsibility ● Writing Code ● Deploying to Production ● Monitoring https://www.imdb.com/title/tt4016454/mediaviewer/rm2380811776
@omerlh Super-Devs Need Help ● Good tools to support them ● Make it harder to do mistakes ● Secure by design
@omerlh
@omerlh Manifests Files Code A GitOps Solution Kubernetes Icons Source: Kubernetes Community, Apache 2 license
@omerlh How do we manage secrets?
@omerlh Manifests Files Code Secret A GitOps Solution Kubernetes Icons Source: Kubernetes Community, Apache 2 license
@omerlh Requirements  GitOps  Kubernetes native  Secure  “One-way encryption”
@omerlh Pod is out of scope ● Who can “SSH” into it? ● What is running on the pod? ● Does the code leaked the secrets?
@omerlh Let’s Go!
@omerlh First iteration – Kubernetes Secrets
@omerlh https://kubernetes.io/docs/concepts/configuration/secret/
@omerlh Requirements  GitOps  Kubernetes native  Secure
@omerlh
@omerlh GitOps?
@omerlh File Manifest
@omerlh Well, that complicates things… http://i.imgur.com/5ebYy62.jpg @omerlh
@omerlh Naive Approach
@omerlh Encrypted Secrets? ● Secrets that can be committed ● Transparent for the application ● Multiple solutions ○ Helm Secrets ○ Sealed Secrets
@omerlh A Sealed Secret
@omerlh@omerlh
@omerlh Issues ● Key Management ○ Sealed Secret – single key-pair in the cluster ○ Helm Secret – based on Mozilla mops (AWS/GCP KMS support) ○ Coupled to a specific cluster/deployment method
@omerlh Requirements  GitOps – under some serious limitations  Kubernetes native  Secure – depend on usage
@omerlh Second iteration – Hashicorp Vault
@omerlh What? ● Secure secrets storage ● Native Kubernetes integration ● Seamless consuming ○ Side-car to generate config files https://www.vaultproject.io/
@omerlh
@omerlh
@omerlh DevOps
@omerlh Naive Approach
@omerlh Travis Encrypted Secrets https://docs.travis-ci.com/user/encryption-keys/
@omerlh Eureka! http://theunprofessionalblog.blogspot.com/2016/04/whatsapp-this-is-killing-me.html
@omerlh Third iteration – Kamus Travis secret encryption – for Kubernetes https://kamus.soluto.io
@omerlh Manifests Files Code Secret A GitOps Solution Kubernetes Icons Source: Kubernetes Community, Apache 2 license
@omerlh A Pod has a Name Kubernetes Icons Source: Kubernetes Community, Apache 2 license
@omerlh Let’s Encrypt Some Secrets!
@omerlh Manifests Files Code Secret Encrypted A GitOps Solution Kubernetes Icons Source: Kubernetes Community, Apache 2 license
@omerlh
@omerlh A perfect solution?  GitOps  Kubernetes native ? Secure
@omerlh Let’s talk about security
@omerlh Permission Model Encrypt Decrypt User Yes (Can be limited) No Pod Yes Only it’s own secrets
@omerlh Kamus – Threat Model Encryptor Decryptor Kubernetes Icons Source: Kubernetes Community, Apache 2 license
@omerlh Mitigations: User ● Secure by default permission model ● Secured CLI ○ Enforce HTTPS ○ Support for certificate pinning
@omerlh Mitigations: Git ● Strong encryption (using Cloud Provider KMS) ○ HSM protection ○ IP Filtering ● One-way encryption
@omerlh Mitigations: Pod ● Secure by default permission model ● In-Memory volume for decrypted files Kubernetes Icons Source: Kubernetes Community, Apache 2 license
@omerlh Mitigations: Kamus API ● Separate pods ● Authentication support for encryptor ● Security tests ○ SAST (Checkmarx) ○ DAST (OWASP Zaproxy) ○ Packages scan (Snyk)
@omerlh Kamus - A perfect solution  GitOps  Kubernetes native  Secure https://kamus.soluto.io/
@omerlh How can I use it? ● Simply using helm: helm install kamus soluto/kamus ● Checkout the install guide for a secure installation ● Blog post - https://bit.ly/2T2Nhgs
@omerlh Kamus Roadmap ● Rolling encryption keys ● Quality – improve test coverage ● Non-Kubernetes deployments ● SPIFFE support
@omerlh Wrapping Up
@omerlh Solutions GitOps Kubernetes Native Secure Kubernetes Secrets It depends Yes It depends Vault No Yes Yes Kamus Yes Yes Yes
@omerlhhttp://www.applestory.biz/hermione-hand-raise-gif.html Questions?
@omerlh Feedback appreciated
@omerlh Can Kubernetes Keep a Secret? @omerlh
@omerlh Kamus Enable Super-Devs to Fly Higher https://www.imdb.com/title/tt4016454/mediaviewer/rm2380811776
Thank You @omerlh https://solutotlv.com

More Related Content

PPTX
Kubernetes Security
byKarthik Gaekwad
 
PPTX
Can Kubernetes Keep a Secret? - Women in AppSec Webinar
bySoluto
 
PDF
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
byLacework
 
PPTX
Auckland Docker Meetup (July 2015) - DockerCon2015 lightningtalk
byPeter Sellars
 
PPT
FTP Commando to Git Hero - WordCamp Denver 2013
byJeremy Green
 
PPTX
Jenkins User Conference 2013: Literate, multi-branch, mobile and more
byKohsuke Kawaguchi
 
PDF
Kubernetes and bluemix
byDuckDuckGo
 
PPTX
Jenkins User Conference 2013 Palo Alto: Keynote
byKohsuke Kawaguchi
 
Kubernetes Security
byKarthik Gaekwad
 
Can Kubernetes Keep a Secret? - Women in AppSec Webinar
bySoluto
 
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
byLacework
 
Auckland Docker Meetup (July 2015) - DockerCon2015 lightningtalk
byPeter Sellars
 
FTP Commando to Git Hero - WordCamp Denver 2013
byJeremy Green
 
Jenkins User Conference 2013: Literate, multi-branch, mobile and more
byKohsuke Kawaguchi
 
Kubernetes and bluemix
byDuckDuckGo
 
Jenkins User Conference 2013 Palo Alto: Keynote
byKohsuke Kawaguchi
 

What's hot

PDF
Rancher 2.0 Technical Deep Dive
byLINE Corporation
 
PDF
Kubernetes security
byThomas Fricke
 
PDF
Introduction to Kubernetes Security (Aqua & Weaveworks)
byWeaveworks
 
PDF
Kubernetes: A Short Introduction (2019)
byMegan O'Keefe
 
PDF
Kubernetes Security
byinovex GmbH
 
PDF
Kubernetes security and you
byKarthik Gaekwad
 
PPTX
Containerizing a REST API and Deploying to Kubernetes
byAshley Roach
 
PPTX
Introduction to k3s and k3sup
bySaiyam Pathak
 
PPTX
Kubernetes security
bySaiyam Pathak
 
PDF
Kubernetes networking & Security
byVietnam Open Infrastructure User Group
 
PPTX
GitFlow, SourceTree and GitLab
byShinu Suresh
 
PDF
Sonatype DevSecOps Leadership forum 2020
byDaniel Garcia (a.k.a cr0hn)
 
PDF
Kubernetes stack reliability
byOleg Chunikhin
 
PDF
The top 5 Kubernetes metrics to monitor
bySysdig
 
PPTX
SMART Cloud - K8s in produzione - best practices
bySerenaSensini1
 
PDF
Github add ssh key
bylinuxdady
 
PDF
BSides Denver 2019 - Cloud Wars Episode V: The Cryptojacker Strikes Back
byLacework
 
PPTX
Hands-on with Rancher 2.0 and Kubernetes - October 2017 Rancher Online Meetup
byShannon Williams
 
PPTX
Quick and easy way to get started with Git & GitHub
byAshoka R K T
 
PPTX
Next-gen DevOps engineering with Docker and Kubernetes by Antons Kranga
byJavaDayUA
 
Rancher 2.0 Technical Deep Dive
byLINE Corporation
 
Kubernetes security
byThomas Fricke
 
Introduction to Kubernetes Security (Aqua & Weaveworks)
byWeaveworks
 
Kubernetes: A Short Introduction (2019)
byMegan O'Keefe
 
Kubernetes Security
byinovex GmbH
 
Kubernetes security and you
byKarthik Gaekwad
 
Containerizing a REST API and Deploying to Kubernetes
byAshley Roach
 
Introduction to k3s and k3sup
bySaiyam Pathak
 
Kubernetes security
bySaiyam Pathak
 
Kubernetes networking & Security
byVietnam Open Infrastructure User Group
 
GitFlow, SourceTree and GitLab
byShinu Suresh
 
Sonatype DevSecOps Leadership forum 2020
byDaniel Garcia (a.k.a cr0hn)
 
Kubernetes stack reliability
byOleg Chunikhin
 
The top 5 Kubernetes metrics to monitor
bySysdig
 
SMART Cloud - K8s in produzione - best practices
bySerenaSensini1
 
Github add ssh key
bylinuxdady
 
BSides Denver 2019 - Cloud Wars Episode V: The Cryptojacker Strikes Back
byLacework
 
Hands-on with Rancher 2.0 and Kubernetes - October 2017 Rancher Online Meetup
byShannon Williams
 
Quick and easy way to get started with Git & GitHub
byAshoka R K T
 
Next-gen DevOps engineering with Docker and Kubernetes by Antons Kranga
byJavaDayUA
 

Similar to FTRD - Can Kubernetes Keep a Secret?

PPTX
Kubernetes and container security
byVolodymyr Shynkar
 
PPTX
Kamus intro
bySoluto
 
PDF
Knolx_ Sealed Secrets
byKnoldus Inc.
 
PDF
Commit 2024 - Secret Management made easy
byAlfredo García Lavilla
 
PDF
Kubernetes Secrets Management Meap V06 1 All 8 Chapters Alex Soto Bueno Andre...
bycawulineriku
 
PDF
K8 Meetup_ K8s secrets management best practices (Git Guardian).pdf
byMichaelOLeary82
 
PPTX
Unlocking DevOps Secuirty :Vault & Keylock
byHusseinMalikMammadli
 
PDF
Secrets Management and Delivery to Kubernetes Pods
bySatish Devarapalli
 
PDF
Secrets in Kubernetes
byJerry Jalava
 
PPTX
Can Kubernetes Keep a Secret?
bySoluto
 
PDF
Kubernetes Secrets - The Good, The Bad, and The Ugly - Akeyless
byAkeyless
 
PDF
Commit 2024 Secrets Management Made Easy
byAlfredo García Lavilla
 
PDF
Kubernetes Sealed secrets
bySebastien Goasguen
 
PDF
Codemotion Madrid 2023 - Sealed Secrets_ protegiendo tus Secretos de Kubernet...
byAlfredo García Lavilla
 
PDF
Secrets acrosscloudk8s
byJhonnatan Gil
 
PDF
Deploying Kubernetes without scaring off your security team - KubeCon 2017
byMajor Hayden
 
PDF
Shifting security left simplifying security for k8s open shift environments
byLibbySchulze
 
PDF
Secrets in Kubernetes
byQvik
 
PDF
Vincent Ruijter - ~Securing~ Attacking Kubernetes
byhacktivity
 
PDF
Kubernetes Tutorial
byCi Jie Li
 
Kubernetes and container security
byVolodymyr Shynkar
 
Kamus intro
bySoluto
 
Knolx_ Sealed Secrets
byKnoldus Inc.
 
Commit 2024 - Secret Management made easy
byAlfredo García Lavilla
 
Kubernetes Secrets Management Meap V06 1 All 8 Chapters Alex Soto Bueno Andre...
bycawulineriku
 
K8 Meetup_ K8s secrets management best practices (Git Guardian).pdf
byMichaelOLeary82
 
Unlocking DevOps Secuirty :Vault & Keylock
byHusseinMalikMammadli
 
Secrets Management and Delivery to Kubernetes Pods
bySatish Devarapalli
 
Secrets in Kubernetes
byJerry Jalava
 
Can Kubernetes Keep a Secret?
bySoluto
 
Kubernetes Secrets - The Good, The Bad, and The Ugly - Akeyless
byAkeyless
 
Commit 2024 Secrets Management Made Easy
byAlfredo García Lavilla
 
Kubernetes Sealed secrets
bySebastien Goasguen
 
Codemotion Madrid 2023 - Sealed Secrets_ protegiendo tus Secretos de Kubernet...
byAlfredo García Lavilla
 
Secrets acrosscloudk8s
byJhonnatan Gil
 
Deploying Kubernetes without scaring off your security team - KubeCon 2017
byMajor Hayden
 
Shifting security left simplifying security for k8s open shift environments
byLibbySchulze
 
Secrets in Kubernetes
byQvik
 
Vincent Ruijter - ~Securing~ Attacking Kubernetes
byhacktivity
 
Kubernetes Tutorial
byCi Jie Li
 

More from Soluto

PPTX
Security Testing with Zap
bySoluto
 
PPTX
The Dark Side of Monitoring
bySoluto
 
PPTX
Storing data in Redis like a pro
bySoluto
 
PDF
React new features and intro to Hooks
bySoluto
 
PPTX
Owasp glue
bySoluto
 
PPTX
Solving trust issues at scale - AppSec California
bySoluto
 
PPTX
Solving trust issues at scale
bySoluto
 
PPTX
Secure the Pipeline - OWASP Poland Day 2018
bySoluto
 
PPTX
Languages don't matter anymore!
bySoluto
 
PPTX
Things I wish someone had told me about Istio, Omer Levi Hevroni
bySoluto
 
PPTX
Security Testing for Containerized Applications
bySoluto
 
PPTX
Unify logz with fluentd
bySoluto
 
PPTX
Hacking like a FED
bySoluto
 
PPTX
Authentication without Authentication - Peerlyst meetup
bySoluto
 
PPTX
Authentication Without Authentication
bySoluto
 
PPTX
Authentication without Authentication - AppSec California
bySoluto
 
PPTX
Monitor all the thingz slideshare
bySoluto
 
PPTX
Monitoria@Icinga camp berlin
bySoluto
 
PDF
Monitoria@reversim
bySoluto
 
PPTX
Secure Your Pipeline
bySoluto
 
Security Testing with Zap
bySoluto
 
The Dark Side of Monitoring
bySoluto
 
Storing data in Redis like a pro
bySoluto
 
React new features and intro to Hooks
bySoluto
 
Owasp glue
bySoluto
 
Solving trust issues at scale - AppSec California
bySoluto
 
Solving trust issues at scale
bySoluto
 
Secure the Pipeline - OWASP Poland Day 2018
bySoluto
 
Languages don't matter anymore!
bySoluto
 
Things I wish someone had told me about Istio, Omer Levi Hevroni
bySoluto
 
Security Testing for Containerized Applications
bySoluto
 
Unify logz with fluentd
bySoluto
 
Hacking like a FED
bySoluto
 
Authentication without Authentication - Peerlyst meetup
bySoluto
 
Authentication Without Authentication
bySoluto
 
Authentication without Authentication - AppSec California
bySoluto
 
Monitor all the thingz slideshare
bySoluto
 
Monitoria@Icinga camp berlin
bySoluto
 
Monitoria@reversim
bySoluto
 
Secure Your Pipeline
bySoluto
 

Recently uploaded

PDF
MuleSoft Vibes is an AI-powered assistant
byVikalp Bhalia
 
PDF
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
PDF
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
PDF
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
PDF
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
PPTX
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
PDF
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
PDF
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
PPTX
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
PDF
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
PDF
Hybrid Cloud vs Multi-Cloud Strategy 2025
byTeleglobal International
 
PPTX
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
PPTX
cybercrime in Information security .pptx
byismaeelsahib032
 
PPTX
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
PPTX
Cybersecurity Best Practices - Step by Step guidelines
byYasir Naveed Riaz
 
PDF
Energy Storage Landscape Clean Energy Ministerial
bySurajitBanerjee38
 
PDF
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
PDF
DIGITAL FORENSICS - Notes for Everything.pdf
bypankajkumavatbeit
 
PDF
Zero Trust & Defense-in-Depth: The Future of Critical Infrastructure Security
byYasir Naveed Riaz
 
PPTX
The Future of IT Service Management AI Automation & Beyond.pptx
byChetu
 
MuleSoft Vibes is an AI-powered assistant
byVikalp Bhalia
 
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
Hybrid Cloud vs Multi-Cloud Strategy 2025
byTeleglobal International
 
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
cybercrime in Information security .pptx
byismaeelsahib032
 
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
Cybersecurity Best Practices - Step by Step guidelines
byYasir Naveed Riaz
 
Energy Storage Landscape Clean Energy Ministerial
bySurajitBanerjee38
 
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
DIGITAL FORENSICS - Notes for Everything.pdf
bypankajkumavatbeit
 
Zero Trust & Defense-in-Depth: The Future of Critical Infrastructure Security
byYasir Naveed Riaz
 
The Future of IT Service Management AI Automation & Beyond.pptx
byChetu
 

FTRD - Can Kubernetes Keep a Secret?

Editor's Notes

  • #2 Hey, good morning everyone My name is Omer I want to start this talk by showing gratitude First, to all the people who worked hard on organizing this conf and all the people who are working today so we all could enjoy it - thank you Second, I want to thank the organizers who choose me to speak here, so thank you. It is a big honor <pause> Can kubernetes keep a secret? <pause> Why? Raise you’re hand if you ever worked on a project and you had to deal with credentials: API Key, client secret, certificates etc
  • #3 What you need to do is pass these credentials securely to the platform running your code, so the app in production can use it. Different platforms have different solutions to the problem (sometime good, sometime bad). This talk will focus on Kubernetes – how we can tell a secret to Kubernetes, and make sure only Kubernetes will know it? But first – let me introduce myself quickly, so you could understand what are my credentials and where I’m coming from.
  • #4 I’m a builder, this is what I love doing and doing it from a really early age Doing it professionally for the last 8 years I’m from Israel, married etc Who else is a builder? This talk is for you!
  • #5 Today I’m working at Soluto, our missing is to help people with their technology My job is DevSecOps, or as I see it - helping the entire team to build a more secure software I’m achieving it via many approaches, including education, reviewing and threat modeling – but what I love the most is threat modeling
  • #6 About me slides
  • #7 What you need to do is pass these credentials securely to the platform running your code, so the app in production can use it. Different platforms have different solutions to the problem (sometime good, sometime bad). This talk will focus on Kubernetes – how we can tell a secret to Kubernetes, and make sure only Kubernetes will know it?
  • #8 Explain why it is a challenge – you cant expect one person to manage all secrets Why not solved it manually
  • #9 Explain why it is a challenge – you cant expect one person to manage all secrets Why not solved it manually
  • #10 And that’s why we love GitOps: Git is a tool that all devs are familiar with.
  • #12 And we started to look for solutions. It want not an easy path, and today I want to share with you the process we want through. So, let’s start we talking on what we want.
  • #18 Choose one sentence
  • #19 Security is what we all here love
  • #23 Security features like encryption at rest
  • #24 Encoding is not encrypting Adding native approach
  • #27 Add meme
  • #30 Security is what we all here love
  • #45 Security is what we all here love
  • #46 Battle tested
  • #47 Add attributation
  • #48 Add headlines – encryptor & decryptor
  • #53 We really love Kamus, we’re been using it in production for the past 6 months
  • #56 End of journey meme/image
  • #57 Today I discussed 3 different solutions for secret management on Kubenretes. All are good solutions, depend on your requirments.
  • #60 I started the talk by asking “Can Kubernetes keep a secret?” Now you that yes – Kubernetes can. You just need to use the right tool for you’re use case.
  • #61 For us, it was Kamus What Kamus can do for you?