Kubernetes Secrets Management on Production with Demo

Jirayut Nimsaeng (Dear)
CEO & Founder, Opsta (Thailand) Co.,Ltd.
TD Tech - Open House: The Technology Playground @ Sathorn Square
October 29, 2022 https://bit.ly/opsta-tdtech-vault
Secrets Management on
Production

Kubernetes Secrets Management
#whoami
Jirayut has been involved in DevSecOps, Container, Cloud Technology
and Open Source for over 10 years. He has experienced and
succeeded in transforming several companies to deliver greater
values and be more agile.
● He is Founder and CEO of Opsta (Thailand) Co.,Ltd.
● He is Cloud/DevSecOps Transformation Consultant and
Solution Architecture
● He is the first Certified Kubernetes Security Specialist (CKS)
and Certified Kubernetes Administrator (CKA) in Thailand
● He is first Thai Google Cloud Developer Expert (GDE) in
Thailand

Agenda
● Secrets Management in DevSecOps
● HashiCorp Vault
● Kubernetes Secrets
● External Secrets Operator
● Live Demo

Secrets Management in
DevSecOps Flow

What is Secrets?
Secrets authenticate software components like cloud infrastructure,
databases, microservices, third-party APIs, and others – against each other.
● API tokens
● username/password pairs and generic passwords
● database connection URLs
● browser session tokens
services:
mongodb:
image: bitnami/mongodb:5.0.6-debian-10-r46
volumes:
- "./databases:/docker-entrypoint-initdb.d"
environment:
MONGODB_ROOT_PASSWORD: VERYSECUREPASS
MONGODB_EXTRA_USERNAMES
: app
MONGODB_EXTRA_PASSWORDS: SECUREPASS
MONGODB_EXTRA_DATABASES
: app

How leaky was 2021?
https://www.gitguardian.com/ﬁles/the-state-of-secrets-sprawl-report-2022

Where to handle Secrets in DevSecOps?

Developer Environments
Developer

Version Control System
VCS

CI/CD & Artifacts
Artifacts
CI CD

Infrastructure
Infrastructure
DEV
UAT
PRD

Secrets Manager

Secrets Management Tools

What we will focus in this session
How we can handle Secrets with
HashiCorp Vault in Kubernetes

HashiCorp Vault

HashiCorp Vault
HashiCorp Vault is an identity-based secrets and encryption
management system. Vault provides encryption services that are
gated by authentication and authorization methods. Using Vault’s
UI, CLI, or HTTP API, access to secrets and other sensitive data
can be securely stored and managed, tightly controlled
(restricted), and auditable.

HashiCorp Vault Architecture

How Vault works?

Kubernetes Secrets

Kubernetes Secret

How to use Kubernetes Secrets
apiVersion: v1
kind: Secret
metadata:
name: rabbitmq
namespace: default
type: Opaque
data:
RabbitPass: cmFiYml0bXE=
stringData:
RabbitPlain: P@ssw0rd
apiVersion: apps/v1
kind: Pod
metadata:
name: nginx
namespace: default
spec:
containers:
- name: nginx
image: nginx:latest
env:
- name: RABBITMQ_PASSWORD
valueFrom:
secretKeyRef:
name: rabbitmq
key: RabbitPass
Create Secret Inject Secret into Container
Environment Variable
Read Secret from Code
[NodeJS]
process.env.RABBITMQ_PASSWORD;
[Python]
import os
os.getenv('RABBITMQ_PASSWORD')
[Golang]
package main
import (
"os"
)
os.Getenv("RABBITMQ_PASSWORD")

What we need
● Developer can self-manage secrets in non-production environment
● Admin/Security Team can manage secrets on production environment
● Kubernetes should sync secrets from HashiCorp Vault automatically
● Developer just conﬁg their application to use secret with agreed
variable name
● Developer should not directly access to Kubernetes Secrets

There is Vault Agent Sidecar Injector
https://developer.hashicorp.com/vault/docs/platform/k8s/injector

External Secrets
Operator

External Secrets Operator
External Secrets Operator is a Kubernetes operator that integrates
external secret management systems like AWS Secrets Manager, HashiCorp
Vault, Google Secrets Manager, Azure Key Vault and many more. The
operator reads information from external APIs and automatically injects
the values into a Kubernetes Secret.

Why External Secrets Operator?
● Support many Secrets Manager
● Easy to understand for Developer
● Easy to Maintain
● Secure

External Secrets Operator with Vault

Multi Tenancy with Shared ClusterSecretStore
https://external-secrets.io/v0.6.0/guides/multi-tenancy/

Show me your code!

Vault Production on Kubernetes Checklists
❏ Use Oﬃcial Vault Helm Chart
❏ Don’t run as root
❏ Run with HA mode
❏ Conﬁgure End-to-End TLS
❏ Dedicated worker node if possible
❏ Ensure mlock is Enabled
https://developer.hashicorp.com/vault/tutorials/kubernetes/kubernetes-security-concerns

Kyverno

Kyverno
Kyverno (Greek for “govern”) is a policy engine designed speciﬁcally
for Kubernetes

Sample Kyverno Policy
validationFailureAction: enforce
background: true
rules:
- name: privileged-containers
match:
any:
- resources:
kinds:
- Pod
validate:
message: >-
Privileged mode is disallowed. The fields
spec.containers[*].securityContext.privileged
and spec.initContainers[*].securityContext.privileged
must be unset or set to `false`.
pattern:
spec:
containers:
- =(securityContext):
=(privileged): "false"
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: unmatched-key
spec:
validationFailureAction: enforce
rules:
- name: check-unmatch-namespace-and-key
match:
resources:
kinds:
- ExternalSecret
validate:
message: "key must prefix with namespace name"
pattern:
spec:
dataFrom:
- extract:
key: "{{request.namespace}}/?*"

Further More
● Reloaded Pod when Secrets changed
https://github.com/stakater/Reloader
● Integrate HashiCorp Vault with Databases
● Dynamic or Rotate Secrets
● How to manage Kubernetes secrets with GitOps?

Contact Us
Facebook:
Email:
Website:
fb.me/DearJirayut
jirayut@opsta.co.th
www.opsta.co.th
Founder & CEO

Kubernetes Secrets Management on Production with Demo

In this document

More Related Content

What's hot

Similar to Kubernetes Secrets Management on Production with Demo

More from Opsta

Recently uploaded

Kubernetes Secrets Management on Production with Demo