© 2023 Altinity, Inc.
Robert Hodges - Altinity
DoK Day North America 2023

Slide 1. Is It Safe? Security Hardening for Databases using Kubernetes Operators
Slide 2. A brief message from our sponsor…
ClickHouse software and services: Altinity.Cloud and Altinity Stable Builds
Authors of Altinity Kubernetes Operator for ClickHouse
Robert Hodges: database geek with 30+ years on DBMS. Kubernaut since 2018. Day job: Altinity CEO.
Altinity Engineering: database geeks with centuries of experience in DBMS and applications.
Slide 3. Kubernetes orchestrates container-based applications
[Diagram: the logical design of a ClickHouse Server (Process, Block Storage) is mapped onto Kubernetes Resources (StatefulSet, Pod, Persistent Volume Claim, Persistent Volume), which are in turn mapped onto Physical Infrastructure (AWS EBS Storage).]
Slide 4. Kubernetes is a great platform for databases! But every silver lining has a cloud…
[Diagram: a Database deployed as StatefulSet, Pod, Persistent Volume Claim and Persistent Volume.]
Slide 5. Protecting data at the ground level
[Diagram: ClickHouse Pods on Persistent Volumes backed by EBS Volumes, a Service, a Client App, a ConfigMap, and Backups in Object Storage, with the weak points marked:]
● Unencrypted data
● Exposed public endpoint
● Unprotected credentials
● Exposed object storage
● Unencrypted connection
● Unsecured logins
Slide 6. Yikes! Databases are complicated
Slide 7. We can split database protection into three parts
[Diagram: the Database (StatefulSet, Pod, Persistent Volume Claim, Persistent Volume) and External Data Storage, with three areas of protection:]
1. Protect the database
2. Protect Kubernetes
3. Protect external data
Slide 8. Operators reduce databases to a single resource
[Diagram: a bit o' YAML, applied with `kubectl apply -f db.yaml`, is picked up by the Kubernetes Operator, which creates the ClickHouse Pod and Persistent Volume. The resource type is a Custom Resource Definition, aka "CRD".]
Slide 9. Operators translate CRDs to a best practice deployment
[Diagram: the Operator tracks change events on the Custom Resource Definition, reconciles the desired state(s), handles errors, and adjusts and applies the resulting resources.]
Slide 10. That's a big win for humans when databases get complex
[Diagram: lots o' YAML, applied with `kubectl apply -f db.yaml`, is handled by the Operator.]
Slide 11. Good operators come with built-in security features

apiVersion: "clickhouse.altinity.com/v1"
kind: "ClickHouseInstallation"
metadata:
  name: "prod"
spec:
  configuration:
    users:
      default/password_sha256_hex: 716b...e448
    clusters:
      - name: "default"
        secret:
          valueFrom:
            secretKeyRef:
              name: "secure-inter-cluster-communications"
              key: "secret"

✔ Eliminate empty password for default user
✔ Restrict default user to localhost and cluster IPs
✔ Secure comms with other databases
Slide 12. Wait. What about credentials?
[Diagram: building blocks so far: Operators.]
Slide 13. Credentials are everywhere!!
[Diagram: ClickHouse Pods need passwords for database logins, credentials for other databases, event queue credentials, and object storage keys.]
Slide 14. Secrets transfer credentials safely to pods
[Diagram: each credential type (passwords for database logins, credentials for other databases, event queue credentials, object storage keys) is held in its own Kubernetes Secret and delivered to the ClickHouse Pods.]
Slide 15. Most operators understand Kubernetes secrets

apiVersion: v1
kind: Secret
metadata:
  name: db-passwords
type: Opaque
data:
  root_login: NTgt...
Slide 16. The Altinity operator has built-in syntax for passwords

apiVersion: "clickhouse.altinity.com/v1"
kind: "ClickHouseInstallation"
metadata:
  name: "prod"
spec:
  configuration:
    users:
      default/password_sha256_hex: db-passwords/root_login
    clusters:
      - name: "default"
        secret:
          valueFrom:
            secretKeyRef:
              . . .

✔ Pod-specific way to set password securely

The value is taken from the Secret:

apiVersion: v1
kind: Secret
metadata:
  name: db-passwords
type: Opaque
data:
  root_login: NTgt...
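The two pieces the slides above rely on, as an added example that is not code from the deck or the Altinity operator: computing the SHA-256 hex digest that `password_sha256_hex` expects, wrapping it in a Kubernetes Secret whose `data` values are base64-encoded (the `db-passwords` / `root_login` names follow the slide), and checking a login attempt against the stored digest rather than a plaintext password. It assumes the referenced Secret key holds the hex digest, as the field name suggests.

```python
"""Constructed helper (not from the Altinity deck or operator): derive the
SHA-256 hex digest for ClickHouse's password_sha256_hex, wrap it in a
Kubernetes Secret manifest, and verify a login attempt against the digest."""
import base64
import hashlib
import hmac
import json


def password_sha256_hex(password: str) -> str:
    """Hex digest of the UTF-8 password, the value ClickHouse stores instead
    of the plaintext (same as `echo -n "$PW" | sha256sum`)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def secret_manifest(name: str, key: str, value: str) -> dict:
    """Build an Opaque Kubernetes Secret. Values under `data` must be
    base64-encoded; `stringData` would accept plaintext, but the deck's
    examples use `data`, so the caller never has to hand-encode anything."""
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "Opaque",
        "data": {key: encoded},
    }


def secret_value(manifest: dict, key: str) -> str:
    """Decode a value back out of a Secret manifest, as a consumer would."""
    return base64.b64decode(manifest["data"][key]).decode("utf-8")


def verify_password(stored_hex: str, attempt: str) -> bool:
    """Constant-time comparison of a login attempt against the stored digest,
    so the Secret never needs to hold the plaintext password."""
    return hmac.compare_digest(stored_hex, password_sha256_hex(attempt))


if __name__ == "__main__":
    pw = "constructed-example-password"  # constructed sample, not a real credential
    digest = password_sha256_hex(pw)
    manifest = secret_manifest("db-passwords", "root_login", digest)
    print(json.dumps(manifest, indent=2))
    assert verify_password(secret_value(manifest, "root_login"), pw)
```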
Slide 17. Kubernetes also has general ways to apply secret values

spec:
  containers:
    - name: clickhouse
      image: altinity/clickhouse-server:23.3.8.22.altinitystable
      env:
        - name: AWS_ACCESS_KEY_ID
          valueFrom:
            secretKeyRef:
              name: s3-credentials
              key: AWS_ACCESS_KEY_ID
        - name: AWS_SECRET_ACCESS_KEY
          valueFrom:
            secretKeyRef:
              name: s3-credentials
              key: AWS_SECRET_ACCESS_KEY
  . . .

✔ Assign to environment variable

apiVersion: v1
kind: Secret
metadata:
  name: s3-credentials
type: Opaque
data:
  AWS_SECRET_ACCESS_KEY: QUtJ...
  AWS_ACCESS_KEY_ID: b00r...

Simple way to set S3 credentials using secrets
Slide 18. Let's protect connections to the database
[Diagram: building blocks so far: Operators, Secrets.]
Slide 19. TLS encrypts data on connections to/from databases
[Diagram: each ClickHouse Pod holds a Certificate and Private Key; the Client App and the pods hold CA Certs, one of which is marked Optional.]
Slide 20. Look for ways to configure ports and TLS

spec:
  configuration:
    clusters:
      - name: "ch"
        secure: "yes"
        secret:
          auto: "yes"
    . . .
    settings:
      tcp_port: 9000 # keep for localhost
      tcp_port_secure: 9440
      https_port: 8443
    files:
      openssl.xml: |
        <clickhouse>
          <openSSL>
            <server>
              . . .

✔ Use TLS-encrypted ports
✔ Specify ports to use
✔ Supply openSSL settings
Slide 21. Make sure you can also manage certificates

spec:
  containers:
    - name: clickhouse
      image: altinity/clickhouse-server:23.3.8.22.altinitystable
      volumeMounts:
        - name: server-crt-volume
          mountPath: "/opt/certs/server.crt"
          subPath: server.crt
        - name: server-crt-volume
          mountPath: "/opt/certs/server.key"
          subPath: server.key
  . . .
  volumes:
    - name: server-crt-volume
      secret:
        secretName: server-certs
  . . .

apiVersion: v1
kind: Secret
metadata:
  name: server-certs
stringData:
  server.crt: |-
    -----BEGIN CERTIFICATE-----
    ...
  server.key: |-
    -----BEGIN PRIVATE KEY-----
    ...

✔ Files mounted automatically
Slide 22. Stored data is obviously important
[Diagram: building blocks so far: Operators, Secrets.]
Slide 23. Side bar: How Kubernetes "makes" storage
[Diagram: the StatefulSet's Pod uses a Persistent Volume Claim; the Storage Class creates Persistent Volumes in response to claims and allocates storage (EBS Volumes) to match the PVs.]
Slide 24. We can make a custom storage class that encrypts data

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: encrypted-gp3
provisioner: ebs.csi.aws.com
parameters:
  type: gp3
  fsType: ext4
  encrypted: "true"
allowVolumeExpansion: true
Slide 25. Operators should leverage the power of storage classes

volumeClaimTemplates:
  - name: storage
    # Do not delete PVC if installation is dropped.
    reclaimPolicy: Retain
    spec:
      storageClassName: encrypted-gp3
      accessModes:
        - ReadWriteOnce
      resources:
        requests:
          storage: 50Gi

✔ Picking the class encrypts data automatically
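A configuration check that ties together the hardening points of slides 11, 20, 24 and 25, as an added example that is not code from the deck or the Altinity operator: it walks a ClickHouseInstallation spec (a parsed-YAML dict) plus the StorageClasses it references and reports an empty or plaintext default password, clusters without `secure: "yes"` or an interserver secret, missing `tcp_port_secure` / `https_port`, and volume claims whose storage class is not encrypted. The sample specs are constructed; placing `volumeClaimTemplates` under `spec.templates` follows the operator's layout and is an assumption here.

```python
"""Constructed checker (not part of the Altinity operator or the deck): audit a
ClickHouseInstallation dict against the hardening points from the slides.
Works on parsed manifests; no cluster access is needed."""
import copy
from typing import Dict, List

# Constructed sample with several things wrong, the "before" picture.
CHI_INSECURE = {
    "apiVersion": "clickhouse.altinity.com/v1",
    "kind": "ClickHouseInstallation",
    "metadata": {"name": "prod"},
    "spec": {
        "configuration": {
            "users": {"default/password": ""},                 # empty plaintext password
            "clusters": [{"name": "ch", "secure": "no"}],      # no TLS, no interserver secret
            "settings": {"tcp_port": 9000, "http_port": 8123},  # plaintext ports only
        },
        "templates": {  # assumed location of volumeClaimTemplates in the CHI spec
            "volumeClaimTemplates": [
                {"name": "storage", "spec": {"storageClassName": "gp3"}}
            ]
        },
    },
}

# Constructed StorageClass parameters, keyed by name (slide 24 shape).
STORAGE_CLASSES = {
    "gp3": {"provisioner": "ebs.csi.aws.com", "parameters": {"type": "gp3"}},
    "encrypted-gp3": {
        "provisioner": "ebs.csi.aws.com",
        "parameters": {"type": "gp3", "encrypted": "true"},
    },
}


def audit_chi(chi: Dict, storage_classes: Dict[str, Dict]) -> List[str]:
    """Return the list of findings; an empty list means every check passed."""
    findings: List[str] = []
    conf = chi.get("spec", {}).get("configuration", {})
    users = conf.get("users", {})

    # Slide 11: no empty default password, and no plaintext `default/password`
    # when a hashed form (password_sha256_hex) is available.
    if "default/password" in users:
        findings.append("users: default/password is plaintext; use password_sha256_hex")
        if not users["default/password"]:
            findings.append("users: default user has an empty password")
    elif not users.get("default/password_sha256_hex"):
        findings.append("users: default user has no password_sha256_hex")

    # Slides 11/20: replicas talk TLS to each other and share an interserver secret.
    for cluster in conf.get("clusters", []):
        name = cluster.get("name", "?")
        if str(cluster.get("secure", "no")).lower() != "yes":
            findings.append(f"cluster {name}: secure is not 'yes'")
        if "secret" not in cluster:
            findings.append(f"cluster {name}: no interserver secret configured")

    # Slide 20: TLS listeners must exist (plaintext tcp_port is kept for localhost).
    settings = conf.get("settings", {})
    if "tcp_port_secure" not in settings:
        findings.append("settings: tcp_port_secure not set (no TLS native port)")
    if "https_port" not in settings:
        findings.append("settings: https_port not set (no TLS HTTP port)")

    # Slides 24/25: every volume claim must use a storage class that encrypts.
    templates = chi.get("spec", {}).get("templates", {})
    for vct in templates.get("volumeClaimTemplates", []):
        sc_name = vct.get("spec", {}).get("storageClassName")
        sc = storage_classes.get(sc_name or "")
        if sc is None:
            findings.append(f"volumeClaimTemplate {vct.get('name')}: unknown storageClassName {sc_name!r}")
        elif str(sc.get("parameters", {}).get("encrypted", "false")).lower() != "true":
            findings.append(f"volumeClaimTemplate {vct.get('name')}: storage class {sc_name} is not encrypted")
    return findings


def hardened_copy(chi: Dict) -> Dict:
    """The "after" picture: apply the fixes the slides recommend to a copy."""
    fixed = copy.deepcopy(chi)
    conf = fixed["spec"]["configuration"]
    conf["users"] = {"default/password_sha256_hex": "db-passwords/root_login"}
    for cluster in conf["clusters"]:
        cluster["secure"] = "yes"
        cluster["secret"] = {"auto": "yes"}
    conf["settings"].update({"tcp_port_secure": 9440, "https_port": 8443})
    for vct in fixed["spec"]["templates"]["volumeClaimTemplates"]:
        vct["spec"]["storageClassName"] = "encrypted-gp3"
    return fixed


if __name__ == "__main__":
    for line in audit_chi(CHI_INSECURE, STORAGE_CLASSES):
        print("FINDING:", line)
    print("hardened:", audit_chi(hardened_copy(CHI_INSECURE), STORAGE_CLASSES))
```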
Slide 26. What about container security and configuration control?
[Diagram: building blocks so far: Operators, Secrets, Storage Classes.]
Slide 27. Look for operators that have good development hygiene
[Diagram: Docker Images in a Container Registry are scanned by Trivy (container scanning from the command line) and Docker Scout (scanning in Docker repo(s)).]
✔ Quick CVE checking
Slide 28. Use GitOps to deploy operators and database resources
[Diagram: Kubernetes Manifests, Kustomize + Manifests, and Helm Charts are deployed by ArgoCD as App Resources onto Kubernetes clusters.]
Slide 29. Don't forget data outside the database…
[Diagram: the Database (StatefulSet, Pod, Persistent Volume Claim, Persistent Volume) writes Table Data to Backups in Object Storage and emits Database logs. Points to cover: beware of sensitive messages, access policies, secure storage, encryption.]
Slide 30. Security features to look for in database operators

Data
● At-rest volume encryption
● File system permissions
● Secure logs / event data
● Backup encryption

Networking
● X509 certificate management
● Application TLS configuration
● Intra-cluster TLS configuration
● Disable insecure ports

Public Cloud Integration
● Private network load balancing
● Encrypted object / block storage
● Cloud IAM account integration

User Management
● Secure `default` accounts
● Strong password configuration
● Use secrets to pass credentials
● Network access restrictions

Kubernetes
● Minimal ClusterRole privileges
● Integration with cluster monitoring

Software Supply Chain
● Signed, scanned containers
● CVE reporting and fixes
● Dependency management
Slide 31. Can't remember all that? We have you covered!
DoKC Operator Security and Hardening Guide: a guide to security best practices for database operators
https://github.com/dokc/sig-operator
Interested in helping? Get involved! Join the #sig-operator channel in the DoKC Slack Workspace.
Slide 32. Thank you and good luck! Any questions?
Robert Hodges - Altinity CEO
● rhodges at altinity dot com
● LinkedIn
● DoKC Slack Workspace
