Secrets Management Made Easy
Leveraging Sealed Secrets for Secure, Enterprise-Grade Solutions
Alfredo García, Engineering Manager @ VMware
Commit 2024
Agenda
■ Kubernetes Secrets
∘ Security Models & Common issues
■ Sealed Secrets OSS
∘ History, OSS project, philosophy, GitOps, Architecture & base use case
■ Basic flow & Advanced Sealed Secrets features
∘ Use cases & best practices
■ Demo time
■ Beyond Sealed Secrets
Sealed Secrets maintainers
Meet the team!
Alejandro Moreno
github.com/alemorcuq
Alfredo García
github.com/agarcia-oss
Alvaro Neira
github.com/alvneiayu
Kubernetes Secrets
Security Models and Common Issues
Kubernetes Secrets
What do they look like?
Kubernetes Secrets are a native resource type designed to hold secret data.
But they are not encrypted: the values are only base64-encoded, and by default they sit in plain form in etcd, because they need to be ready to be consumed by Pods.
Kubernetes Secrets
And then you encrypt them… right?
Kubernetes Secrets
Types
Secret type: use case
Opaque: arbitrary user-defined secrets, as in the previous example
kubernetes.io/service-account-token: ServiceAccount token
kubernetes.io/dockercfg: serialized ~/.dockercfg file
kubernetes.io/dockerconfigjson: serialized ~/.docker/config.json file
kubernetes.io/basic-auth: credentials for basic authentication
kubernetes.io/ssh-auth: credentials for SSH authentication
kubernetes.io/tls: data for a TLS client or server
bootstrap.kubernetes.io/token: bootstrap token data
Secret Management Options
Different models and tradeoffs
● Native Kubernetes Secrets
● KMS systems
● Sealed Secrets
● Hybrid models
Sealed Secrets Open Source
Backstory & status of the open source project
Bitnami: 15+ years building and maintaining software packages.
Bitnami is a catalog of free open-source software: over 180 applications, components, frameworks, templates, and more.
Any environment (local, cloud, data center), any format (virtual machines, containers, deployment templates), any platform.
Sealed Secrets as an OSS project
Main features
Sealed Secrets: a simple, safe & popular GitOps flow for secrets with 3 components:
● kubeseal, the CLI tool: seals Kubernetes Secrets into Sealed Secrets.
● The Kubernetes controller: unseals Sealed Secrets into their equivalent Kubernetes Secrets.
● The code repository: Sealed Secrets can be stored safely in it, next to the rest of the deployment configuration.
Key metrics
Sealed Secrets as an OSS project
● 7K GitHub stars
● 200M monthly downloads on DockerHub
● 10K+ OSS projects using Sealed Secrets
● 902 pull requests
● 461 solved issues
Sealed Secrets as an OSS project
More metrics
Sealed Secrets is downloaded 100x more often than other key applications in the security ecosystem.
Sealed Secrets as an OSS project
Monthly downloads by domain (share of total):
microsoft.com: 22,122,490 (47.98%)
google.com: 17,605,812 (38.18%)
amazon.com: 3,459,777 (7.54%)
21vbluecloud.com: 605,663 (1.31%)
monaco-telecom.mc: 480,258 (1.04%)
beeksfinancialcloud.com: 279,665 (0.66%)
pulsepoint.com: 269,564 (0.58%)
huaweicloud.com: 234,600 (0.50%)
softlayer.com: 169,501 (0.36%)
digitalocean.com: 137,255 (0.29%)
Basic flow & advanced Sealed Secrets features
Use cases & best practices
Sealed Secrets Basic flow
How it works
[Diagram: the basic flow]
● kubeseal ${SECRET}: the Secret is sealed with the controller's public certificate into a Sealed Secret.
● The Sealed Secret is committed to Git, next to the rest of the deployment configuration.
● kubectl apply submits the Sealed Secret to the kube-apiserver of the Kubernetes cluster.
● The sealed-secrets controller detects the new Sealed Secret, decrypts it with its private sealing key, and creates the equivalent Secret, stored in etcd and ready for Pods to consume.
Secret management best practices
General advice
● Rotate secrets: rotate your secrets often; each rotation is sealed with the current sealing key, so there is no need to worry about re-sealing old ones.
● Least privilege: follow the least-privilege principle on secret access to reduce the blast radius.
● Don't leak your keys: the less you share or copy them around, the better.
Key Management
Under the hood
[Diagram: key management under the hood] kubeseal ${SECRET} fetches the controller's certificate (public key) and seals with it; the Sealed Secret goes to Git. Inside the Kubernetes cluster the sealed-secrets controller creates a new TLS sealing Secret on each renewal and keeps the older TLS sealing Secrets, all stored in etcd.
● Key pairs are plain TLS Secrets named sealed-secrets-...
○ They are managed by Sealed Secrets, so you don't need to manage them yourself.
Advanced features
Use as needed
Sometimes the defaults don't cut it, or something doesn't go as planned:
● Compromised sealing key: you must move the controller to a new sealing key pair. Then rotate your secrets: anything sealed with the compromised key is compromised too.
● Taking over secrets: you can annotate an existing Secret as managed so that Sealed Secrets takes control of it and can overwrite it.
● Updating secrets: kubeseal lets you update or append individual keys of an existing Sealed Secret instead of resealing the whole object.
● Offline certs: by default kubeseal fetches the latest cluster sealing certificate for you, but you can point it at a certificate file to seal offline, if you really need to.
Advanced features
Use with caution!
It might be difficult to realize how simple and safe the basic flow is... until you compare it with other flows enabled by advanced features or options.
● Scoping: by default a value is sealed for one particular Secret name and namespace, and only unseals there. Relaxing that scope means cluster neighbours, anyone who can create a Sealed Secret elsewhere in the cluster, can take a peek.
● Re-sealing: sealing keys are renewed every 30 days by default, but the old keys are kept, so previously sealed secrets keep working. You can reseal the same secret with the newer sealing key if needed. Still, why would you need to, if you were rotating your secrets as you should?
● Sealing keys are just Secrets: you can manage them on the side, but should you?
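To make the scoping and key-renewal rules on these two slides concrete, here is a small Go model, added as an example for this page and not code from the Sealed Secrets project: a fresh AES-256-GCM key per value is wrapped with RSA-OAEP under a label derived from the target namespace and name, so unsealing under any other namespace/name (or under a claimed cluster-wide scope) fails outright, and a keyring keeps older private keys after a renewal and drops a revoked one. The `Scope` type, the `Keyring` helper, the byte layout and the 2048-bit key size are assumptions of this model (namespace-wide scope is not modelled); it is not wire-compatible with real SealedSecret objects.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Scope models which Secret a sealed value may be unsealed into; Strict is the default.
type Scope int

const (
	Strict      Scope = iota // bound to namespace AND name
	ClusterWide              // unbound: any cluster neighbour can unseal it
)

// scopeLabel is used as the RSA-OAEP label, so unwrapping under any other namespace/name fails.
func scopeLabel(scope Scope, namespace, name string) []byte {
	if scope == ClusterWide {
		return nil
	}
	return []byte(namespace + "/" + name)
}

// seal needs only the public key: a fresh AES-256-GCM key per value, wrapped with RSA-OAEP(SHA-256)
// under the scope label. Layout (this model's assumption): 2-byte length, wrapped key, GCM output.
func seal(pub *rsa.PublicKey, scope Scope, namespace, name string, plaintext []byte) ([]byte, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(sessionKey) // a 32-byte key is always valid
	aead, _ := cipher.NewGCM(block)
	// The session key is used exactly once, so a fixed all-zero nonce is safe.
	ct := aead.Seal(nil, make([]byte, aead.NonceSize()), plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, scopeLabel(scope, namespace, name))
	if err != nil {
		return nil, err
	}
	out := make([]byte, 2)
	binary.BigEndian.PutUint16(out, uint16(len(wrapped)))
	return append(append(out, wrapped...), ct...), nil
}

// unsealWith decrypts with one private key for the target namespace/name and scope.
func unsealWith(priv *rsa.PrivateKey, scope Scope, namespace, name string, sealed []byte) ([]byte, error) {
	if len(sealed) < 2 || len(sealed) < 2+int(binary.BigEndian.Uint16(sealed)) {
		return nil, errors.New("malformed sealed value")
	}
	n := int(binary.BigEndian.Uint16(sealed))
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, sealed[2:2+n], scopeLabel(scope, namespace, name))
	if err != nil {
		return nil, fmt.Errorf("wrong key or scope: %w", err)
	}
	block, _ := aes.NewCipher(sessionKey)
	aead, _ := cipher.NewGCM(block)
	return aead.Open(nil, make([]byte, aead.NonceSize()), sealed[2+n:], nil) // the GCM tag also catches tampering
}

// Keyring models the controller's sealing keys: the newest key seals, older ones are kept.
type Keyring struct{ keys []*rsa.PrivateKey }

// Renew models a periodic key renewal and returns the new public key to seal with.
func (k *Keyring) Renew() *rsa.PublicKey {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // 2048 bits only to keep the demo fast
	if err != nil {
		panic(err) // only fails if the system RNG is unusable
	}
	k.keys = append([]*rsa.PrivateKey{priv}, k.keys...)
	return &priv.PublicKey
}

// Revoke drops a compromised key: values sealed under it stop unsealing until resealed.
func (k *Keyring) Revoke(pub *rsa.PublicKey) {
	var kept []*rsa.PrivateKey
	for _, key := range k.keys {
		if !key.PublicKey.Equal(pub) {
			kept = append(kept, key)
		}
	}
	k.keys = kept
}

// Unseal tries every kept key, newest first, as the controller would.
func (k *Keyring) Unseal(scope Scope, namespace, name string, sealed []byte) ([]byte, error) {
	for _, key := range k.keys {
		if pt, err := unsealWith(key, scope, namespace, name, sealed); err == nil {
			return pt, nil
		}
	}
	return nil, errors.New("no kept sealing key unseals this value for " + namespace + "/" + name)
}
```

Sealing `"hunter2"` (a constructed sample) for prod/db-creds with `Strict` scope unseals only for exactly that namespace and name; the same value sealed `ClusterWide` unseals under any namespace/name, which is the "neighbours can take a peek" risk of relaxing the scope. After `Renew` the old private key is still in the ring, so values sealed before the renewal keep working; after `Revoke` (the compromised-key case) they stop working until resealed with the current key, which is why the slide says to rotate the underlying secrets as well, since the attacker who holds the old key can still read the old ciphertexts in Git.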
Demo Time
Sealed Secrets Use cases
Installing Sealed Secrets
Prerequisites:
● K8S cluster (minikube in our case)
● Helm installed locally.
Sealed Secrets Use cases
Sealing a Secret
[Demo screenshots: the plain Secret, the same Secret base64-encoded, and the encrypted (sealed) Secret produced by kubeseal]
Sealed Secrets Use cases
Managing existing Secrets
[Demo screenshots: adding the managed annotation for Sealed Secrets to an existing Secret; the Secret is now under Sealed Secrets control]
Sealed Secrets Use cases
Encryption Keys
[Demo screenshots: fetch the public key (sealing certificate) from the cluster, then use it locally to seal offline]
Beyond Sealed Secrets
Beyond Sealed Secrets
Parting words
Standalone Sealed Secrets are good; with GitOps friends they're even better!
The best practice with Sealed Secrets is to stick to its default flow.
Favour simple approaches.
Automate everything.
Thank you!
github.com/bitnami-labs/sealed-secrets
