Vault - Enhancement for K8S secret security
•
0 likes•106 views
The document discusses Vault, a tool for securely managing secrets and sensitive data. It provides centralization of secrets, encryption of data at rest, and auditing of access to credentials. Vault controls access to secrets by authenticating users and services against identity sources and enforcing policies. The document provides guidance on using Vault for development, including mounting volumes, using dedicated service accounts, and adding configuration parameters to access the Vault server.
Report
Share
Report
Share
Download to read offline
Recommended
Kubernetes persistence 101
In this meetup, Oleg, CTO at Kublr, walks you through the basics of K8s persistence management functionality and how it can be used to simplify managing persistent applications across different environments - in the cloud or on premise. Oleg will use a demo environment with clusters in different clouds to show K8s persistence in practice.
We will cover:
• Persistent data abstractions in K8s: persistent volumes (PV) and their attributes
• PV specifics in different clouds
• Using PV in K8s: persistent volume claims (PVC) and storage classes (SC)
• Automatic volume provisioning
• Persistence and scheduling interrelationships
• Practical examples
Kubernetes (K8s) is a powerful and flexible open source container orchestration system. The power of K8s comes from its modularity and simplicity of basic concepts. Each of these basic concepts build on the other and, from the most basic elements to more advanced ones, each is responsible for its own well-defined logic and behavior.
Kubernetes debug like a pro
Go fit perfectly inside containers, you can ship apps as tiny images on k8s, distributing them across the globe. Gianluca will show how InfluxData debugs containers running on Kubernetes to allow sysadmins and developers to troubleshoot and replicate issues using core dump, debuggers, and logs.
Go applications are perfect to be run inside a container. You can build a single binary, a tiny Docker image and you can ship them on your Kubernetes cluster. A successful production environment requires stability and simplicity, it needs to be easy to troubleshoot and operators need to be able to get all the information developers will need to fix a bug. During this talk, Gianluca will share what influxData is doing to allow developers and system administrator to work together, understanding problems running live at scale on Kubernetes and how to escalate them down to Software Engineer using logs, delve, gdb, core dumps, and traces to replicate and fix issues.
Kubernetes Ingress 101
This presentation explains the basics of Kubernetes ingress traffic management functionality, and how it can be used to simplify managing applications across different environments - in the cloud or on premise.
MongoDB.local DC 2018: MongoDB Ops Manager + Kubernetes
MongoDB Ops Manager is an enterprise-grade end-to-end database management, monitoring, and backup solution. Kubernetes has clearly won the orchestration-platform "wars". In this session we'll take a deep dive on how you can leverage both these technologies to host your MongoDB deployments within your Kubernetes infrastructure whether that's OpenShift, PKS, Azure AKS, or just upstream. This talk will review the core technologies, such as containers, Kubernetes, and MongoDB Ops Manager. You'll also have a chance to see real-live demos of MongoDB running on Kubernetes and managed with MongoDB Ops Manager with the MongoDB Enterprise Kubernetes Operator.
Kubernetes stack reliability
Self-healing does not equal self-healing. There are multiple layers
to it, whether a self-healing infrastructure, cluster, pods, or Kubernetes. Kubernetes itself ensures self-healing pods. But how do you ensure your applications, whose reliability depends on every single layer, are truly reliable?
In this presentation we discuss aspects of reliability and self-healing in the different layers of a comprehensive container management stack; what Kubernetes does and doesn't do (at least not by default), and what you should look out for to ensure true reliable applications.
Kubernetes security
This document provides an overview of Kubernetes security concepts including the Kubernetes attack surface, TLS certificates, securing the Kubelet and etcd, authentication, authorization, admission controllers, tooling landscape, pod security policies, network policies, and secrets. It discusses key configuration recommendations and checks for securing different components like disabling privileged mode, setting TLS certificates, CIS benchmarks for etcd, and authentication methods in Kubernetes. The different types of admission controllers and CNCF security tooling are also briefly introduced.
Orchestrating Microservices with Kubernetes
- Kubernetes Concepts
- Hands on: Using kubeadm to stand up a Kubernetes cluster
- Hands on: Using kubectl to make changes to running Kubernetes cluster
Effective Kubernetes - Is Kubernetes the new Linux? Is the new Application Se...
I will tell you two stories about two different implementations of Kubernetes. One from Fashion mobile ecomerce. One from a Fintech. Kubernetes is not a silver bullet. But damn close ;).
Recommended
Kubernetes persistence 101
In this meetup, Oleg, CTO at Kublr, walks you through the basics of K8s persistence management functionality and how it can be used to simplify managing persistent applications across different environments - in the cloud or on premise. Oleg will use a demo environment with clusters in different clouds to show K8s persistence in practice.
We will cover:
• Persistent data abstractions in K8s: persistent volumes (PV) and their attributes
• PV specifics in different clouds
• Using PV in K8s: persistent volume claims (PVC) and storage classes (SC)
• Automatic volume provisioning
• Persistence and scheduling interrelationships
• Practical examples
Kubernetes (K8s) is a powerful and flexible open source container orchestration system. The power of K8s comes from its modularity and simplicity of basic concepts. Each of these basic concepts build on the other and, from the most basic elements to more advanced ones, each is responsible for its own well-defined logic and behavior.
Kubernetes debug like a pro
Go fit perfectly inside containers, you can ship apps as tiny images on k8s, distributing them across the globe. Gianluca will show how InfluxData debugs containers running on Kubernetes to allow sysadmins and developers to troubleshoot and replicate issues using core dump, debuggers, and logs.
Go applications are perfect to be run inside a container. You can build a single binary, a tiny Docker image and you can ship them on your Kubernetes cluster. A successful production environment requires stability and simplicity, it needs to be easy to troubleshoot and operators need to be able to get all the information developers will need to fix a bug. During this talk, Gianluca will share what influxData is doing to allow developers and system administrator to work together, understanding problems running live at scale on Kubernetes and how to escalate them down to Software Engineer using logs, delve, gdb, core dumps, and traces to replicate and fix issues.
Kubernetes Ingress 101
This presentation explains the basics of Kubernetes ingress traffic management functionality, and how it can be used to simplify managing applications across different environments - in the cloud or on premise.
MongoDB.local DC 2018: MongoDB Ops Manager + Kubernetes
MongoDB Ops Manager is an enterprise-grade end-to-end database management, monitoring, and backup solution. Kubernetes has clearly won the orchestration-platform "wars". In this session we'll take a deep dive on how you can leverage both these technologies to host your MongoDB deployments within your Kubernetes infrastructure whether that's OpenShift, PKS, Azure AKS, or just upstream. This talk will review the core technologies, such as containers, Kubernetes, and MongoDB Ops Manager. You'll also have a chance to see real-live demos of MongoDB running on Kubernetes and managed with MongoDB Ops Manager with the MongoDB Enterprise Kubernetes Operator.
Kubernetes stack reliability
Self-healing does not equal self-healing. There are multiple layers
to it, whether a self-healing infrastructure, cluster, pods, or Kubernetes. Kubernetes itself ensures self-healing pods. But how do you ensure your applications, whose reliability depends on every single layer, are truly reliable?
In this presentation we discuss aspects of reliability and self-healing in the different layers of a comprehensive container management stack; what Kubernetes does and doesn't do (at least not by default), and what you should look out for to ensure true reliable applications.
Kubernetes security
This document provides an overview of Kubernetes security concepts including the Kubernetes attack surface, TLS certificates, securing the Kubelet and etcd, authentication, authorization, admission controllers, tooling landscape, pod security policies, network policies, and secrets. It discusses key configuration recommendations and checks for securing different components like disabling privileged mode, setting TLS certificates, CIS benchmarks for etcd, and authentication methods in Kubernetes. The different types of admission controllers and CNCF security tooling are also briefly introduced.
Orchestrating Microservices with Kubernetes
- Kubernetes Concepts
- Hands on: Using kubeadm to stand up a Kubernetes cluster
- Hands on: Using kubectl to make changes to running Kubernetes cluster
Effective Kubernetes - Is Kubernetes the new Linux? Is the new Application Se...
I will tell you two stories about two different implementations of Kubernetes. One from Fashion mobile ecomerce. One from a Fintech. Kubernetes is not a silver bullet. But damn close ;).
Building Portable Applications with Kubernetes
Containers and Kubernetes enable code portability across on-premise VMs, bare metal, or multiple clouds. However, many developers may include configuration and application definitions that constrain or even eliminate application portability.
We'll outline best practices for “configuration as code” in a Kubernetes environment. He'll demonstrate how a properly constructed containerized app can be deployed to both Amazon and Azure using the Kublr platform, and how Kubernetes objects, such as persistent volumes, ingress rules, and services, can be leveraged to abstract from the infrastructure.
Lifecycle of a pod
Pods are the smallest deployable units in Kubernetes. A Pod contains one or more containers that share resources and can communicate through localhost. The lifecycle of a Pod includes phases like Pending, Running, Succeeded, Failed, and Unknown. Probes like liveness and readiness probes are used to check the health of containers. Init containers allow running pre-startup actions before app containers are started.
Kubernetes basics and hands on exercise
This document provides an overview of Kubernetes concepts including architecture, fundamental objects like pods and services, and demonstrations. It begins with an agenda then covers Kubernetes architecture including the master node, worker nodes, and control loop. It describes core objects like pods, replica sets, deployments, services, and labels/selectors. The document demonstrates deploying and accessing the guestbook application using these objects. It concludes with asking for questions and describing goals for educational meetups on cloud native technologies.
Social Connections 14 - Kubernetes Basics for Connections Admins
The product formerly known as IBM Connections pink is deployed on Kubernetes and some other Open Source Tools. Learn the basics of Kubernetes in this session. Deploying additional pods, getting some statistics or find deeper information of the installed stuff to find log files and so on.
Running I/O intensive workloads on Kubernetes, by Nati Shalom
Kubernetes was originally targeted for running large scale web applications.
I/O intensive workload represents a class of high-end applications such as network services, trading applications, database services that require high-speed access to hardware resources and often users specific hardware or CPU features to maximize their performance.
Secure your K8s cluster from multi-layers
The document discusses securing a Kubernetes cluster from multiple layers of risk. It covers securing the infrastructure layer by limiting access and exposure, the control plane layer by enabling TLS and RBAC, the workload layer using pod security policies and network policies, the container runtime layer with tools like Kata Containers, the user misconfiguration layer by avoiding defaults and validating configurations, and useful security tools. The presenter then provides contact information for potential job opportunities.
MongoDB.local Austin 2018: MongoDB Ops Manager + Kubernetes
Presented by: Jason Mimick
Technical Director, MongoDB
MongoDB Ops Manager is an enterprise-grade end-to-end database management, monitoring, and backup solution. Kubernetes has clearly won the orchestration-platform "wars". In this session we'll take a deep dive on how you can leverage both these technologies to host your MongoDB deployments within your Kubernetes infrastructure whether that's OpenShift, PKS, Azure AKS, or just upstream. This talk will review the core technologies, such as containers, Kubernetes, and MongoDB Ops Manager. You'll also have a chance to see real-live demos of MongoDB running on Kubernetes and managed with MongoDB Ops Manager with the MongoDB Enterprise Kubernetes Operator.
K8s security best practices
This document summarizes best practices for Kubernetes security. It covers infrastructure protection, Kubernetes internal security, authentication and authorization options, network security, secrets management, container runtime security, and other security tools. Specific recommendations include limiting SSH access, encrypting storage, using minimal base images, RBAC for authorization, network policies, secrets encryption, security contexts, and image scanning.
Scaling Microservices with Kubernetes
This document provides an overview of using Kubernetes to scale microservices. It discusses the challenges of scaling, monitoring, and discovery for microservices. Kubernetes provides a solution to these challenges through its automation of deployment, scaling, and management of containerized applications. The document then describes Kubernetes architecture and components like the master, nodes, pods, services, deployments and secrets which allow Kubernetes to provide portability, self-healing and a declarative way to manage the desired state of applications.
AWS Summit Singapore 2019 | Autoscaling Your Kubernetes Workloads
This document discusses autoscaling Kubernetes workloads using the Horizontal Pod Autoscaler (HPA). It provides a history of the HPA's development, how to choose an autoscaling metric, and implement autoscaling using a custom metric from Datadog. The document demonstrates setting up a Datadog cluster agent, registering it as an external metrics provider, and creating an HPA that scales a deployment based on a Datadog metric.
Scale Kubernetes to support 50000 services
Kubernetes currently has two load balancing mode: userspace and IPTables. They both have limitation on scalability and performance. We introduced IPVS as third kube-proxy mode which scales kubernetes load balancer to support 50,000 services. Beyond that, control plane needs to be optimized in order to deploy 50,000 services. We will introduce alternative solutions and our prototypes with detailed performance data.
Deep dive into Kubernetes Networking
The document provides an overview of Kubernetes networking concepts including single pod networking, pod to pod communication, service discovery and load balancing, external access patterns, network policies, Istio service mesh, multi-cluster networking, and best practices. It covers topics such as pod IP addressing, communication approaches like L2, L3, overlays, services, ingress controllers, network policies, multi-cluster use cases and deployment options.
Kubernetes & the 12 factor cloud apps
The document discusses the 12 factors approach to building cloud-native applications and how they relate to Kubernetes. It covers each of the 12 factors, providing examples of how they can be implemented using Kubernetes concepts like deployments, services, secrets and configmaps. The key takeaways are to decouple infrastructure complexity from applications, prefer managed services for persistence, keep environments similar, design stateless applications that can scale, and implement proper logging and monitoring.
Is there still room for innovation in container orchestration and scheduling
Is there still room for innovation in container orchestration and scheduling LinuxCon ContainerCon CloudOpen China
In the container ecosystem, there is perhaps no technology that has received more focus and attention than orchestration and scheduling. Mesos, Kubernetes, and Swarm have established themselves as the leading technology choices in this space.
In this talk, Sheng will discuss what he learned from working directly with hundreds of users who have deployed one of these frameworks. He will look at how these frameworks will continue to evolve and if there’re any gaps and opportunities in container orchestration and scheduling. Sheng will make a case that there are still room for innovation and new orchestration and scheduling frameworks will be created in the future. He will discuss what new frameworks might look like--the features, functionalities, and attributes that differentiate them from the mainstream frameworks today. Openstack days sv building highly available services using kubernetes (preso)
This document discusses Google Cloud Platform's Kubernetes and how it can be used to build highly available services. It provides an overview of Kubernetes concepts like pods, labels, replica sets, volumes, and services. It then describes how Kubernetes Cluster Federation allows deploying applications across multiple Kubernetes clusters for high availability, geographic scaling, and other benefits. It outlines how to create clusters, configure the federated control plane, add clusters to the federation, deploy federated services and backends, and perform cross-cluster service discovery.
Kubernetes and Istio
Istio Introduction
Setup
Shopping Portal Microservice Deployment
Canary Deployment
Routing Rules based on User Agent and Weight
Distributed Tracing
Visualizing Metrics
Lessons learned with kubernetes in production
at PlayPass
Lessons learned with kubernetes in production
at PlayPass, presented at the 6th Docker Birthday Meetup in Antwerpen. What went well and what are some open issues. Also, we discussed some security measures after the presentations.
K8s Pod Scheduling - Deep Dive. By Tsahi Duek.
Ever wondered how the K8s scheduler works, and how can you “help” it make the right decision for your application? In this session, we'll cover several different scheduling use-cases in K8s, what scheduling techniques are required in each and when to use them.
Ingress overview
This document provides an overview of Ingress in Kubernetes, including:
1) It describes the different types of Kubernetes services - ClusterIP, NodePort, LoadBalancer, ExternalName, and Headless - and examples of using each type.
2) It explains that Ingress resources define routing rules to services, and Ingress controllers watch for Ingress resources and update rules to satisfy conditions.
3) Ingress allows for name-based and path-based routing to services, and controllers provide a default backend for requests not handled by Ingress rules.
Implement Advanced Scheduling Techniques in Kubernetes
Is advanced scheduling in Kubernetes achievable? Yes, however, how do you properly accommodate every real-life scenario that a Kubernetes user might encounter? How do you leverage advanced scheduling techniques to shape and describe each scenario in easy-to-use rules and configurations?
Oleg Chunikhin addressed those questions and demonstrated techniques for implementing advanced scheduling. For example, using spot instances and cost-effective resources on AWS, coupled with the ability to deliver a minimum set of functionalities that cover the majority of needs – without configuration complexity. You’ll get a run-down of the pitfalls and things to keep in mind for this route.
Secret Management with Hashicorp Vault and Consul on Kubernetes
The document discusses secret management with Hashicorp Vault and Consul on Kubernetes. It begins with an overview of secret management and why it is important. It then discusses traditional insecure approaches to secret management versus modern secure approaches. Hashicorp Vault is introduced as a tool for modern secret management that provides encrypted secret storage, access control, auditing and more. Features of Vault like leasing, dynamic credentials, authentication methods and enterprise features are covered. The document concludes with demos of using Vault with legacy and new applications on Kubernetes.
Managing your secrets in a cloud environment
Managing your secrets in a cloud environment using Azure Key Vault and HashiCorp Vault. Presentation at Update Conference Prague 2018.
More Related Content
What's hot
Building Portable Applications with Kubernetes
Containers and Kubernetes enable code portability across on-premise VMs, bare metal, or multiple clouds. However, many developers may include configuration and application definitions that constrain or even eliminate application portability.
We'll outline best practices for “configuration as code” in a Kubernetes environment. He'll demonstrate how a properly constructed containerized app can be deployed to both Amazon and Azure using the Kublr platform, and how Kubernetes objects, such as persistent volumes, ingress rules, and services, can be leveraged to abstract from the infrastructure.
Lifecycle of a pod
Pods are the smallest deployable units in Kubernetes. A Pod contains one or more containers that share resources and can communicate through localhost. The lifecycle of a Pod includes phases like Pending, Running, Succeeded, Failed, and Unknown. Probes like liveness and readiness probes are used to check the health of containers. Init containers allow running pre-startup actions before app containers are started.
Kubernetes basics and hands on exercise
This document provides an overview of Kubernetes concepts including architecture, fundamental objects like pods and services, and demonstrations. It begins with an agenda then covers Kubernetes architecture including the master node, worker nodes, and control loop. It describes core objects like pods, replica sets, deployments, services, and labels/selectors. The document demonstrates deploying and accessing the guestbook application using these objects. It concludes with asking for questions and describing goals for educational meetups on cloud native technologies.
Social Connections 14 - Kubernetes Basics for Connections Admins
The product formerly known as IBM Connections pink is deployed on Kubernetes and some other Open Source Tools. Learn the basics of Kubernetes in this session. Deploying additional pods, getting some statistics or find deeper information of the installed stuff to find log files and so on.
Running I/O intensive workloads on Kubernetes, by Nati Shalom
Kubernetes was originally targeted for running large scale web applications.
I/O intensive workload represents a class of high-end applications such as network services, trading applications, database services that require high-speed access to hardware resources and often users specific hardware or CPU features to maximize their performance.
Secure your K8s cluster from multi-layers
The document discusses securing a Kubernetes cluster from multiple layers of risk. It covers securing the infrastructure layer by limiting access and exposure, the control plane layer by enabling TLS and RBAC, the workload layer using pod security policies and network policies, the container runtime layer with tools like Kata Containers, the user misconfiguration layer by avoiding defaults and validating configurations, and useful security tools. The presenter then provides contact information for potential job opportunities.
MongoDB.local Austin 2018: MongoDB Ops Manager + Kubernetes
Presented by: Jason Mimick
Technical Director, MongoDB
MongoDB Ops Manager is an enterprise-grade end-to-end database management, monitoring, and backup solution. Kubernetes has clearly won the orchestration-platform "wars". In this session we'll take a deep dive on how you can leverage both these technologies to host your MongoDB deployments within your Kubernetes infrastructure whether that's OpenShift, PKS, Azure AKS, or just upstream. This talk will review the core technologies, such as containers, Kubernetes, and MongoDB Ops Manager. You'll also have a chance to see real-live demos of MongoDB running on Kubernetes and managed with MongoDB Ops Manager with the MongoDB Enterprise Kubernetes Operator.
K8s security best practices
This document summarizes best practices for Kubernetes security. It covers infrastructure protection, Kubernetes internal security, authentication and authorization options, network security, secrets management, container runtime security, and other security tools. Specific recommendations include limiting SSH access, encrypting storage, using minimal base images, RBAC for authorization, network policies, secrets encryption, security contexts, and image scanning.
Scaling Microservices with Kubernetes
This document provides an overview of using Kubernetes to scale microservices. It discusses the challenges of scaling, monitoring, and discovery for microservices. Kubernetes provides a solution to these challenges through its automation of deployment, scaling, and management of containerized applications. The document then describes Kubernetes architecture and components like the master, nodes, pods, services, deployments and secrets which allow Kubernetes to provide portability, self-healing and a declarative way to manage the desired state of applications.
AWS Summit Singapore 2019 | Autoscaling Your Kubernetes Workloads
This document discusses autoscaling Kubernetes workloads using the Horizontal Pod Autoscaler (HPA). It provides a history of the HPA's development, how to choose an autoscaling metric, and implement autoscaling using a custom metric from Datadog. The document demonstrates setting up a Datadog cluster agent, registering it as an external metrics provider, and creating an HPA that scales a deployment based on a Datadog metric.
Scale Kubernetes to support 50000 services
Kubernetes currently has two load balancing mode: userspace and IPTables. They both have limitation on scalability and performance. We introduced IPVS as third kube-proxy mode which scales kubernetes load balancer to support 50,000 services. Beyond that, control plane needs to be optimized in order to deploy 50,000 services. We will introduce alternative solutions and our prototypes with detailed performance data.
Deep dive into Kubernetes Networking
The document provides an overview of Kubernetes networking concepts including single pod networking, pod to pod communication, service discovery and load balancing, external access patterns, network policies, Istio service mesh, multi-cluster networking, and best practices. It covers topics such as pod IP addressing, communication approaches like L2, L3, overlays, services, ingress controllers, network policies, multi-cluster use cases and deployment options.
Kubernetes & the 12 factor cloud apps
The document discusses the 12 factors approach to building cloud-native applications and how they relate to Kubernetes. It covers each of the 12 factors, providing examples of how they can be implemented using Kubernetes concepts like deployments, services, secrets and configmaps. The key takeaways are to decouple infrastructure complexity from applications, prefer managed services for persistence, keep environments similar, design stateless applications that can scale, and implement proper logging and monitoring.
Is there still room for innovation in container orchestration and scheduling
Is there still room for innovation in container orchestration and scheduling LinuxCon ContainerCon CloudOpen China
In the container ecosystem, there is perhaps no technology that has received more focus and attention than orchestration and scheduling. Mesos, Kubernetes, and Swarm have established themselves as the leading technology choices in this space.
In this talk, Sheng will discuss what he learned from working directly with hundreds of users who have deployed one of these frameworks. He will look at how these frameworks will continue to evolve and if there’re any gaps and opportunities in container orchestration and scheduling. Sheng will make a case that there are still room for innovation and new orchestration and scheduling frameworks will be created in the future. He will discuss what new frameworks might look like--the features, functionalities, and attributes that differentiate them from the mainstream frameworks today. Openstack days sv building highly available services using kubernetes (preso)
This document discusses Google Cloud Platform's Kubernetes and how it can be used to build highly available services. It provides an overview of Kubernetes concepts like pods, labels, replica sets, volumes, and services. It then describes how Kubernetes Cluster Federation allows deploying applications across multiple Kubernetes clusters for high availability, geographic scaling, and other benefits. It outlines how to create clusters, configure the federated control plane, add clusters to the federation, deploy federated services and backends, and perform cross-cluster service discovery.
Kubernetes and Istio
Istio Introduction
Setup
Shopping Portal Microservice Deployment
Canary Deployment
Routing Rules based on User Agent and Weight
Distributed Tracing
Visualizing Metrics
Lessons learned with kubernetes in production
at PlayPass
Lessons learned with kubernetes in production
at PlayPass, presented at the 6th Docker Birthday Meetup in Antwerpen. What went well and what are some open issues. Also, we discussed some security measures after the presentations.
K8s Pod Scheduling - Deep Dive. By Tsahi Duek.
Ever wondered how the K8s scheduler works, and how can you “help” it make the right decision for your application? In this session, we'll cover several different scheduling use-cases in K8s, what scheduling techniques are required in each and when to use them.
Ingress overview
This document provides an overview of Ingress in Kubernetes, including:
1) It describes the different types of Kubernetes services - ClusterIP, NodePort, LoadBalancer, ExternalName, and Headless - and examples of using each type.
2) It explains that Ingress resources define routing rules to services, and Ingress controllers watch for Ingress resources and update rules to satisfy conditions.
3) Ingress allows for name-based and path-based routing to services, and controllers provide a default backend for requests not handled by Ingress rules.
Implement Advanced Scheduling Techniques in Kubernetes
Is advanced scheduling in Kubernetes achievable? Yes, however, how do you properly accommodate every real-life scenario that a Kubernetes user might encounter? How do you leverage advanced scheduling techniques to shape and describe each scenario in easy-to-use rules and configurations?
Oleg Chunikhin addressed those questions and demonstrated techniques for implementing advanced scheduling. For example, using spot instances and cost-effective resources on AWS, coupled with the ability to deliver a minimum set of functionalities that cover the majority of needs – without configuration complexity. You’ll get a run-down of the pitfalls and things to keep in mind for this route.
What's hot (20)
Social Connections 14 - Kubernetes Basics for Connections Admins
Social Connections 14 - Kubernetes Basics for Connections Admins
Running I/O intensive workloads on Kubernetes, by Nati Shalom
Running I/O intensive workloads on Kubernetes, by Nati Shalom
MongoDB.local Austin 2018: MongoDB Ops Manager + Kubernetes
MongoDB.local Austin 2018: MongoDB Ops Manager + Kubernetes
AWS Summit Singapore 2019 | Autoscaling Your Kubernetes Workloads
AWS Summit Singapore 2019 | Autoscaling Your Kubernetes Workloads
Is there still room for innovation in container orchestration and scheduling
Is there still room for innovation in container orchestration and scheduling
Openstack days sv building highly available services using kubernetes (preso)
Openstack days sv building highly available services using kubernetes (preso)
Lessons learned with kubernetes in production
at PlayPass
Lessons learned with kubernetes in production
at PlayPass
Implement Advanced Scheduling Techniques in Kubernetes
Implement Advanced Scheduling Techniques in Kubernetes
Similar to Vault - Enhancement for K8S secret security
Secret Management with Hashicorp Vault and Consul on Kubernetes
The document discusses secret management with Hashicorp Vault and Consul on Kubernetes. It begins with an overview of secret management and why it is important. It then discusses traditional insecure approaches to secret management versus modern secure approaches. Hashicorp Vault is introduced as a tool for modern secret management that provides encrypted secret storage, access control, auditing and more. Features of Vault like leasing, dynamic credentials, authentication methods and enterprise features are covered. The document concludes with demos of using Vault with legacy and new applications on Kubernetes.
Managing your secrets in a cloud environment
Managing your secrets in a cloud environment using Azure Key Vault and HashiCorp Vault. Presentation at Update Conference Prague 2018.
Intelligent Cloud Conference 2018 - Building secure cloud applications with A...
It is not a secret that it is hard to manage sensitive information. Azure Key Vault allows you to securely store this kind of information ranging from secrets & certificates to cryptographic keys.
Great! But how do you use it? How do I authenticate with it and how do I build robust applications with it?
Come join me and I'll walk you through the challenges and give you some recommendations.
Techdays Finland 2018 - Building secure cloud applications with Azure Key Vault
Building secure cloud applications with Azure Key Vault.
https://github.com/tomkerkhove/demos-azure-key-vault
Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...
Secret-based protocols are the most popular methods for establishing trust in authentication. Unfortunately, they are also one of the first attack surfaces to be probed when system compromise is attempted. Today’s digital services often focus on scalability, high-availability, and fault tolerance, leading to a shift towards microservices on cluster-based architectures. Secret management has evolved as well, leading to the development of cluster-compatible, open-source SM tools such as HashiCorp’s Vault. This talk is designed to help SecOps professionals leverage security concepts such as spatial and temporal attack surfaces, trust, and risk acceptance to secure their cluster credential management.
Vault Digital Transformation
This document provides an overview of Hashicorp Vault and how it can be used for securing secrets and sensitive data in modern, dynamic cloud environments. It discusses the challenges of digital transformation and how Vault addresses them through secret management workflows. The basic Vault workflow is described along with examples for Kubernetes and legacy applications. Finally, Vault Enterprise features for replication, access control, multi-factor authentication and compliance are covered.
Attacking and Defending Kubernetes - Nithin Jois
This document provides an overview of attacking and defending Kubernetes clusters. It begins with introductions to containers, container orchestration with Kubernetes, and Kubernetes architecture and components. It then discusses the Kubernetes threat model and common attack vectors such as compromising nodes, pods, and secrets. The document outlines Kubernetes authentication and authorization methods like RBAC and discusses admission controllers. It covers securing Kubernetes with practices like pod security policies and network policies. Finally, it notes some limitations and gotchas regarding secrets management in Kubernetes.
Overview of secret management solutions and architecture
The document provides an overview of secret management solutions and architectures. It discusses what secrets are and why secret management is important. Some key points:
- Secrets include authentication credentials, API keys, passwords, and certificates that need access control. As services increase, so do secrets.
- An ideal secret management solution provides security, encryption, access control, auditing, ease of use, and integration with other tools.
- Version control systems and orchestration tools like Kubernetes can be used for secrets but have limitations compared to dedicated secret management solutions.
- AWS offers Parameter Store, Secrets Manager, and KMS for secret management. Parameter Store is generally recommended, while Secrets Manager is better for database
Securing Sensitive Data with Azure Key Vault (Tom Kerkhove @ ITProceed)
Since companies are moving their data to the cloud, security has become a hot topic. How do we securely store sensitive data? Where do we store our encryption keys? These are just 2 of the many questions that are concerning the modern companies. In this presentation, Tom Kerkhove will introduce you to the concepts of Microsoft Azure Key Vault.
ITProceed 2015 - Securing Sensitive Data with Azure Key Vault
Security has become more and more important as we move to the cloud and countries & companies are being hacked – remember the Sony hack? But how do we securely store sensitive data such as connection strings to our databases? Where do we store our encryption keys? Can I share them with my customers? How do I prevent abuse of my secrets and block them from doing so?
That’s what this session is all about – I will introduce you to the concepts of Microsoft Azure Key Vault where you can use this as it allows you to securely store keys, credentials and other secrets in the cloud. We will also have a look at how it enables us to store encryption keys for SQL Server TDE and how it can help you safeguard your cloud solutions even more.
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Presented to the Philly DevOps Meetup November 29, 2016.
Managing secrets is hard. It’s even harder in the cloud. At Jornaya (formerly LeadiD), we chose Hashicorp Vault to manage our secrets in AWS, and I’d like to share our experience with everyone.
MySQL Security on AWS Rds
This document summarizes a webinar about MySQL security on AWS RDS given by Praveen GR and Madhavan GS from Mydbops. The webinar covered topics like network security using VPC, identity and access management using IAM users, enabling audit logs to CloudWatch, encryption using AWS KMS and S3 encryption, and using secrets from Secret Manager. Mydbops is an AWS partner that provides consulting, managed, and support services for open source databases like MySQL, MongoDB, and PostgreSQL.
Vault
Presentation done at the November meeting of the Sudoers Barcelona group (https://www.meetup.com/sudoersbcn/).
HashiCorp Vault (https://www.vaultproject.io/)
"Vault és una eina per emmagatzemar i gestionar secrets. Veurem què ofereix, com instal·lar-la, utilitzar-la i operar-la, i la nostra experiència."
Azure Low Lands 2019 - Building secure cloud applications with Azure Key Vault
It is not a secret that it is hard to manage sensitive information. Azure Key Vault allows you to securely store this kind of information ranging from secrets & certificates to cryptographic keys.
Great! But how do you use it? How do I authenticate with it and how do I build robust applications with it?
Come join me and I'll walk you through the challenges and give you some recommendations.
Using MCollective with Chef - cfgmgmtcamp.eu 2014
It's time to move beyond SSH for infrastructure management.
MCollective is an awesome orchestration framework.
Chef is an awesome configuration management tool.
Contrary to popular belief, they work great together.
Speaker notes available here: https://dl.dropboxusercontent.com/u/369373/cfgmgmtcamp.eu%202014%20-%20Chef%20%26%20MCollective.pdf
Deep Dive: AWS CloudHSM (Classic)
This document provides an overview of Amazon Web Services' (AWS) CloudHSM service. It discusses how CloudHSM is tamper-proof and tamper-evident, can be used as a keystore or for document timestamping, and needs to be backed up. It also summarizes how CloudHSM can be integrated with other AWS services like S3, EBS, EC2, Redshift, and RDS. Finally, it briefly discusses auditing capabilities and some common use cases for CloudHSM.
[OpenInfra Days Korea 2018] Day 2 - E6 - OpenInfra monitoring with Prometheus
[OpenInfra Days Korea 2018] Day 2 - E6 - OpenInfra monitoring with PrometheusOpenStack Korea Community
This document discusses using Prometheus for open infrastructure and cloud monitoring. It introduces Prometheus as a time series database and monitoring tool. Key features covered include metrics collection, service discovery, graphing, and alerting. The architecture of Prometheus is explained, including scrapping metrics directly or via exporters. A demo of Prometheus and Grafana is proposed to monitor Kubernetes clusters and visualize CPU usage. Alerting configuration and routes in Prometheus and Alertmanager are also summarized.Kubernetes Clusters At Scale: Managing Hundreds Apache Pinot Kubernetes Clust...
Talk is hosted via https://www.jonthebeach.com/schedule/1683849600#85
How to efficiently build and manage hundreds of Kubernetes Clusters that serve modern online analytics databases, for different customers? To add to the challenge, what if customers need to run their own clusters inside their own private clouds? We are sharing our system design that solves it.
How to provide fully managed online analytics databases like Pinot to hundreds of customers, while those Pinot clusters are running in each customer’s own private virtual cloud? The answer is by combining the power of Kubernetes with our automated scalable architecture that can fully manage a fleet of Kubernetes clusters.
When companies consider using SaaS (Software as a Service) products, they are often held back by challenges like security considerations and storage compliance regulations. Those concerns often require that the data stays within the same virtual cloud owned by the company. And it makes managed solutions very hard for companies to implement.
In StarTree we have built a modern data infrastructure based on Kubernetes so companies can keep their data inside their own infrastructure, and at the same time get the benefits of using a fully managed Apache Pinot cluster deployed in the customer’s cloud environment.
We have designed a scalable system based on Kubernetes that enables remote creation, maintenance, and monitoring of hundreds of Kubernetes clusters from different companies. This enabled us to scale quickly from a handful of deployments to over 100+ Pinot clusters in a short time span with just 10+ engineers.
Security Considerations for Microservices and Multi cloud
These slides contains my notes on what are the security consideration w.r.t Micro services and Multi Cloud. I am still working on this part. It is just a comprehension of whatever I have studied so far.
Secret Management Architectures
The document discusses recommendations for improving security when secrets are stored in plain text. It provides an overview of different tools that can be used to encrypt and manage secrets, including Git-crypt, KeyBase, AWS KMS, Azure Key Management, and HashiCorp Vault. The document compares different approaches to securing secrets from limited access in plain text to limited access with encryption and encryption with centralized management. It also outlines some common questions around rotating, auditing, and accessing secrets securely across different environments.
Similar to Vault - Enhancement for K8S secret security (20)
Secret Management with Hashicorp Vault and Consul on Kubernetes
Secret Management with Hashicorp Vault and Consul on Kubernetes
Intelligent Cloud Conference 2018 - Building secure cloud applications with A...
Intelligent Cloud Conference 2018 - Building secure cloud applications with A...
Techdays Finland 2018 - Building secure cloud applications with Azure Key Vault
Techdays Finland 2018 - Building secure cloud applications with Azure Key Vault
Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...
Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...
Overview of secret management solutions and architecture
Overview of secret management solutions and architecture
Securing Sensitive Data with Azure Key Vault (Tom Kerkhove @ ITProceed)
Securing Sensitive Data with Azure Key Vault (Tom Kerkhove @ ITProceed)
ITProceed 2015 - Securing Sensitive Data with Azure Key Vault
ITProceed 2015 - Securing Sensitive Data with Azure Key Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Azure Low Lands 2019 - Building secure cloud applications with Azure Key Vault
Azure Low Lands 2019 - Building secure cloud applications with Azure Key Vault
[OpenInfra Days Korea 2018] Day 2 - E6 - OpenInfra monitoring with Prometheus
[OpenInfra Days Korea 2018] Day 2 - E6 - OpenInfra monitoring with Prometheus
Kubernetes Clusters At Scale: Managing Hundreds Apache Pinot Kubernetes Clust...
Kubernetes Clusters At Scale: Managing Hundreds Apache Pinot Kubernetes Clust...
Security Considerations for Microservices and Multi cloud
Security Considerations for Microservices and Multi cloud
More from Huynh Thai Bao
Service Mesh 101 - Digging into your service
1. Meshing with Microservices - Facing problems
2. ServiceMesh – What’s inside ?
3. ServiceMesh – Healing the pains
• Advanced traffic management
• Security
• Service Observability
• Multi-cluster as-a-single-mesh
4. Demo
K8s Webhook Admission
This document discusses Kubernetes webhook admission. It provides an overview of webhook admission 101, the webhook admission callback process, and how to apply dynamic webhook admission using the webhook configuration API object. Some key points:
- Webhook admission allows intercepting admission requests to mutate and/or validate them using HTTP callbacks to external servers
- The admission webhook controller handles sending admission requests to the configured webhook servers and processing the responses
- The webhook admission callback details the request and response format, which includes the admission review object
- The webhook configuration API object is used to apply dynamic admission webhooks by defining the webhook endpoints and matching rules for which requests should be intercepted
CICD pipelines with GitOps
The document discusses CICD pipelines using GitOps architecture. It describes how GitOps allows for automated deployment to all environments from a single codebase, enhanced auditing of deployments by tracking changes in Git, and improved observability through monitoring for divergences between desired and actual infrastructure states. The architecture uses Git as the single source of truth for infrastructure configuration and deployment. Continuous integration pipelines build and push container images, while continuous delivery pipelines deploy configuration changes to Kubernetes clusters using a GitOps operator.
ELK - Optimizations & Updates
This document discusses optimizations and updates to ELK logging in 2021. It covers the importance of logging, motivations for changes to improve logging, benefits to developers, and an overview of the multi-cluster logging architecture. Key points include faster log searches by indexing logs from different environments separately, automatic log shipping setup, cleaner log formats, and enabling log correlation and conversion to metrics. The logging flow involves Filebeat selecting logs and metadata, Logstash parsing and aggregating logs, Elasticsearch storing logs in indices, and Kibana for visualization and analysis.
K8s-zero-downtime-the-missing-part
Agenda:
1. Deployment & Replicas: are we really safe ?
2. Understand Pod Eviction Lifecycle
3. Avoid Outages
4. Beyond the Outages
Cassandra - decentralized structured database
1. Database architecture evolution
2. Cassandra: Architecture at glance
3. Data Distribution & Data consistency
4. Writing Data
5. Reading Data
Skaffold - faster development on K8S
Agenda
1. GitOps recall
2. GitOps challenges
3. Skaffold: healing the pains
4. Demo & Usage
5. Integration with current CICD
Kubernetes - A Rising Hero
Kubernetes - A Rising Hero:
+ K8s cluster Architecture
+ K8s resources introduction & usage
+ An basic implementation of webserver on K8S
Enabling GitOps - Architecture for Implementation
Enabling GitOps - Architecture for Implementation:
+ Overview architecture & components
+ How to integrate it into SDLC with CICD
GCP Best Practices for SRE Team
GCP Best Practices for SRE Team:
+ Organization setup
+ Provision
+ Billing
+ Networking
+ Service Observability / Monitoring
+ GKE operation
More from Huynh Thai Bao (10)
Recently uploaded
Computational Engineering IITH Presentation
This Presentation will give you a brief idea about what Computational Engineering at IIT Hyderabad has to offer.
The Python for beginners. This is an advance computer language.
Python language is very important language at this time. we can easily understand this language by these notes.
Redefining brain tumor segmentation: a cutting-edge convolutional neural netw...
Medical image analysis has witnessed significant advancements with deep learning techniques. In the domain of brain tumor segmentation, the ability to
precisely delineate tumor boundaries from magnetic resonance imaging (MRI)
scans holds profound implications for diagnosis. This study presents an ensemble convolutional neural network (CNN) with transfer learning, integrating
the state-of-the-art Deeplabv3+ architecture with the ResNet18 backbone. The
model is rigorously trained and evaluated, exhibiting remarkable performance
metrics, including an impressive global accuracy of 99.286%, a high-class accuracy of 82.191%, a mean intersection over union (IoU) of 79.900%, a weighted
IoU of 98.620%, and a Boundary F1 (BF) score of 83.303%. Notably, a detailed comparative analysis with existing methods showcases the superiority of
our proposed model. These findings underscore the model’s competence in precise brain tumor localization, underscoring its potential to revolutionize medical
image analysis and enhance healthcare outcomes. This research paves the way
for future exploration and optimization of advanced CNN models in medical
imaging, emphasizing addressing false positives and resource efficiency.
International Conference on NLP, Artificial Intelligence, Machine Learning an...
International Conference on NLP, Artificial Intelligence, Machine Learning and Applications (NLAIM 2024) offers a premier global platform for exchanging insights and findings in the theory, methodology, and applications of NLP, Artificial Intelligence, Machine Learning, and their applications. The conference seeks substantial contributions across all key domains of NLP, Artificial Intelligence, Machine Learning, and their practical applications, aiming to foster both theoretical advancements and real-world implementations. With a focus on facilitating collaboration between researchers and practitioners from academia and industry, the conference serves as a nexus for sharing the latest developments in the field.
Advanced control scheme of doubly fed induction generator for wind turbine us...
This paper describes a speed control device for generating electrical energy on an electricity network based on the doubly fed induction generator (DFIG) used for wind power conversion systems. At first, a double-fed induction generator model was constructed. A control law is formulated to govern the flow of energy between the stator of a DFIG and the energy network using three types of controllers: proportional integral (PI), sliding mode controller (SMC) and second order sliding mode controller (SOSMC). Their different results in terms of power reference tracking, reaction to unexpected speed fluctuations, sensitivity to perturbations, and resilience against machine parameter alterations are compared. MATLAB/Simulink was used to conduct the simulations for the preceding study. Multiple simulations have shown very satisfying results, and the investigations demonstrate the efficacy and power-enhancing capabilities of the suggested control system.
ACEP Magazine edition 4th launched on 05.06.2024
This document provides information about the third edition of the magazine "Sthapatya" published by the Association of Civil Engineers (Practicing) Aurangabad. It includes messages from current and past presidents of ACEP, memories and photos from past ACEP events, information on life time achievement awards given by ACEP, and a technical article on concrete maintenance, repairs and strengthening. The document highlights activities of ACEP and provides a technical educational article for members.
IEEE Aerospace and Electronic Systems Society as a Graduate Student Member
IEEE Aerospace and Electronic Systems Society as a Graduate Student Member
官方认证美国密歇根州立大学毕业证学位证书原版一模一样
原版一模一样【微信:741003700 】【美国密歇根州立大学毕业证学位证书】【微信:741003700 】学位证,留信认证(真实可查,永久存档)offer、雅思、外壳等材料/诚信可靠,可直接看成品样本,帮您解决无法毕业带来的各种难题!外壳,原版制作,诚信可靠,可直接看成品样本。行业标杆!精益求精,诚心合作,真诚制作!多年品质 ,按需精细制作,24小时接单,全套进口原装设备。十五年致力于帮助留学生解决难题,包您满意。
本公司拥有海外各大学样板无数,能完美还原海外各大学 Bachelor Diploma degree, Master Degree Diploma
1:1完美还原海外各大学毕业材料上的工艺:水印,阴影底纹,钢印LOGO烫金烫银,LOGO烫金烫银复合重叠。文字图案浮雕、激光镭射、紫外荧光、温感、复印防伪等防伪工艺。材料咨询办理、认证咨询办理请加学历顾问Q/微741003700
留信网认证的作用:
1:该专业认证可证明留学生真实身份
2:同时对留学生所学专业登记给予评定
3:国家专业人才认证中心颁发入库证书
4:这个认证书并且可以归档倒地方
5:凡事获得留信网入网的信息将会逐步更新到个人身份内,将在公安局网内查询个人身份证信息后,同步读取人才网入库信息
6:个人职称评审加20分
7:个人信誉贷款加10分
8:在国家人才网主办的国家网络招聘大会中纳入资料,供国家高端企业选择人才
Harnessing WebAssembly for Real-time Stateless Streaming Pipelines
Traditionally, dealing with real-time data pipelines has involved significant overhead, even for straightforward tasks like data transformation or masking. However, in this talk, we’ll venture into the dynamic realm of WebAssembly (WASM) and discover how it can revolutionize the creation of stateless streaming pipelines within a Kafka (Redpanda) broker. These pipelines are adept at managing low-latency, high-data-volume scenarios.
Comparative analysis between traditional aquaponics and reconstructed aquapon...
The aquaponic system of planting is a method that does not require soil usage. It is a method that only needs water, fish, lava rocks (a substitute for soil), and plants. Aquaponic systems are sustainable and environmentally friendly. Its use not only helps to plant in small spaces but also helps reduce artificial chemical use and minimizes excess water use, as aquaponics consumes 90% less water than soil-based gardening. The study applied a descriptive and experimental design to assess and compare conventional and reconstructed aquaponic methods for reproducing tomatoes. The researchers created an observation checklist to determine the significant factors of the study. The study aims to determine the significant difference between traditional aquaponics and reconstructed aquaponics systems propagating tomatoes in terms of height, weight, girth, and number of fruits. The reconstructed aquaponics system’s higher growth yield results in a much more nourished crop than the traditional aquaponics system. It is superior in its number of fruits, height, weight, and girth measurement. Moreover, the reconstructed aquaponics system is proven to eliminate all the hindrances present in the traditional aquaponics system, which are overcrowding of fish, algae growth, pest problems, contaminated water, and dead fish.
UNLOCKING HEALTHCARE 4.0: NAVIGATING CRITICAL SUCCESS FACTORS FOR EFFECTIVE I...
The Fourth Industrial Revolution is transforming industries, including healthcare, by integrating digital,
physical, and biological technologies. This study examines the integration of 4.0 technologies into
healthcare, identifying success factors and challenges through interviews with 70 stakeholders from 33
countries. Healthcare is evolving significantly, with varied objectives across nations aiming to improve
population health. The study explores stakeholders' perceptions on critical success factors, identifying
challenges such as insufficiently trained personnel, organizational silos, and structural barriers to data
exchange. Facilitators for integration include cost reduction initiatives and interoperability policies.
Technologies like IoT, Big Data, AI, Machine Learning, and robotics enhance diagnostics, treatment
precision, and real-time monitoring, reducing errors and optimizing resource utilization. Automation
improves employee satisfaction and patient care, while Blockchain and telemedicine drive cost reductions.
Successful integration requires skilled professionals and supportive policies, promising efficient resource
use, lower error rates, and accelerated processes, leading to optimized global healthcare outcomes.
Recently uploaded (20)
Generative AI leverages algorithms to create various forms of content
Generative AI leverages algorithms to create various forms of content
The Python for beginners. This is an advance computer language.
The Python for beginners. This is an advance computer language.
Redefining brain tumor segmentation: a cutting-edge convolutional neural netw...
Redefining brain tumor segmentation: a cutting-edge convolutional neural netw...
International Conference on NLP, Artificial Intelligence, Machine Learning an...
International Conference on NLP, Artificial Intelligence, Machine Learning an...
Advanced control scheme of doubly fed induction generator for wind turbine us...
Advanced control scheme of doubly fed induction generator for wind turbine us...
ML Based Model for NIDS MSc Updated Presentation.v2.pptx
ML Based Model for NIDS MSc Updated Presentation.v2.pptx
Engineering Drawings Lecture Detail Drawings 2014.pdf
Engineering Drawings Lecture Detail Drawings 2014.pdf
Introduction to AI Safety (public presentation).pptx
Introduction to AI Safety (public presentation).pptx
IEEE Aerospace and Electronic Systems Society as a Graduate Student Member
IEEE Aerospace and Electronic Systems Society as a Graduate Student Member
Harnessing WebAssembly for Real-time Stateless Streaming Pipelines
Harnessing WebAssembly for Real-time Stateless Streaming Pipelines
Comparative analysis between traditional aquaponics and reconstructed aquapon...
Comparative analysis between traditional aquaponics and reconstructed aquapon...
UNLOCKING HEALTHCARE 4.0: NAVIGATING CRITICAL SUCCESS FACTORS FOR EFFECTIVE I...
UNLOCKING HEALTHCARE 4.0: NAVIGATING CRITICAL SUCCESS FACTORS FOR EFFECTIVE I...
Vault - Enhancement for K8S secret security
- 2. Sensitive data & Secrets problem 2
- 3. Vault – why ? ● Need of centralization of source of truth (for secret) ● Data encryption (not plain text) ● Tracking of credentials access by audit log ● leases/revoke mechanism for credentials 3
- 4. 4 • Platform for securely managing sensitive data with strong encryption • Controls access to secrets by authenticating against source of identity (LDAP, Kubernetes, AWS, GCP,…) • Policy & token for client accessibly Vault – what ?
- 5. 5 Vault – how ?
- 6. 6 Vault – how ?
- 7. Vault – survival guide for dev (1/2) 7 1. Volumes (for Vault) - secret for dedicated ServiceAccount - mountVolume for credentials get from Vault server 2. Dedicated ServiceAccount (vault-auth-<svc_name>) – use to authenticate with Vault server 3. New Parameters at application’s values.yaml: - vaultServer
- 8. 8 Vault – survival guide for dev (1/2)
- 9. Vault – Demo !!! 9 SHOW UP TIME
- 10. Vault – Demo !!! 10 Questions & Answers