Download as PDF, PPTX
Uploaded byJerry Jalava
Secrets in Kubernetes
Jerry Jalava discusses the importance of managing sensitive information in applications, particularly in the context of Kubernetes and Docker. He highlights the risks of exposing secrets like database or API credentials, sharing cautionary anecdotes of developers facing significant consequences. The document also explains Kubernetes secrets and config maps, their functionalities, and best practices for secure usage.
Technologyā¦
More Related Content
![UiPath Automation Suite Installation (Hands-On) [2/3]](https://cdn.slidesharecdn.com/ss_thumbnails/automationsuitecommunitysession2-251015095633-a6d862f1-thumbnail.jpg?width=600ounds&width=560&fit=bounds)
Secrets in Kubernetes
- 1. Senior System Architect,Google Developer Expert, Authorised Trainer SECRETS IN KUBERNETES JERRY JALAVA JERRY@QVIK.FI | @W_I
- 2. WHAT SECRETS DO APPLICATIONSHAVE? QUESTION @QVIK
- 3. COMMON SECRETS ā£ Databasecredentials ā£ API credentials & endpoints (Twitter, FB, etc.) ā£ Infrastructure API credentials (Google, AWS, Azure) ā£ Private (TLS) Keys (careful here) ā£ Etc. @QVIKPhotos: CC0 License, https://www.pexels.com
- 4. IāLL JUST INCLUDETHEM WITH MY CODEā¦ WELL, EASY ENOUGHā¦ @QVIK
- 5.
- 6. JUST AS ANEXAMPLE Dev put AWS keys on Github. Bots are crawling all over GitHub seeking secret keysā¦ "When I woke up the next morning, I had emails and a missed phone call from Amazon AWS - ~140 servers running on my AWS account" - a developer served with a $2,375 Bitcoin mining bill http://www.theregister.co.uk/ @QVIKPhotos: CC0 License, https://www.pexels.com
- 7. IāLL JUST INCLUDETHEM IN MY CONTAINERā¦ WELL, EASY ENOUGHā¦ @QVIK
- 8.
- 9. DOCKER is about transportableand executable code. Containers can be inspected, exported and published publicly. Putting sensitive material inside Docker Container is NOT a good idea. @QVIK
- 10. THE TWELVE-FACTOR APP ā£http://12factor.net/ ā£ Methodology for building software-as-a-service apps, collection of best practises ā£ Suggests following: ā£ Store conļ¬g in the environment ā£ conļ¬g is everything that is likely to vary between deploys @QVIK
- 11. KUBERNETES (K8s) ā£ AncientGreek for āpilotā or āhelmsmanā; root of the English word āgovernorā ā£ Orchestrator for containers ā£ Supports multi-cloud environments ā£ Started by Google ā£ Open source ā£ Manage applications, not machines @QVIK
- 12. MAIN COMPONENTS PODS Ephemeral units usedto manage 1-n tightly coupled containers LABELS Metadata attached to objects such as Pods. Enable organization and selection of objects REPLICATION CONTROLLERS Manages requested number of Pod āreplicasā from deļ¬ned template 1 2 3 SERVICES Low overhead load- balancing of requests to set of Pods based on Labels 4 @QVIK
- 13.
- 14. WHAT ARE THEY? ā£K8s Secret-objects are ļ¬rst-class citizens in the ecosystem ā£ Designed to hold all kinds of sensitive information in safe and ļ¬exible way. ā£ They can be used by Pods (FS & Env) and the underlying kubelet when pulling images @QVIK
- 15. PROS ā£ Secrets canbe mounted as data volumes or be exposed as environment variables to be used by a container in a pod ā£ A secret is only sent to a node if a pod on that node requires it ā£ Secret data on nodes is stored in tmpfs volumes and thus does not come to rest on the node ā£ Communication between user to the api-server, and from api-server to the kubelets, is protected by SSL/TLS @QVIK
- 16. CONS ā£ In theAPI server secret data is stored as plaintext in etcd, therefore: ā£ Administrators should limit access to etcd to admin users ā£ Secret data in the API server is at rest on the disk that etcd uses (wipe/shred disks when not used) ā£ It is not possible currently to control which users of a K8s cluster can access a secret (Support planned) ā£ It is still possible to accidentally push the Secrets deļ¬nition to version control @QVIK
- 17. GOTCHAS ā£ A Secretneeds to be created before any pods that depend on it ā£ Individual secrets are limited to 1MB in size ā£ They can only be referenced by pods in same namespace ā£ Once a pod is started, its secret volumes will not change, even if the secret resource is modiļ¬ed ā£ It is not possible currently to check what resource version of a secret object was used when a pod was created (planned feature) ā£ The key must be formatted as DNS subdomain (leading dots allowed), with max length of 253 characters @QVIK
- 18. EXAMPLES ā£ echo "admin"> ./username.txt && echo "1f2d1e2e67df" > ./ password.txt ā£ kubectl create secret generic db-user-pass --from-ļ¬le=./ username.txt --from-ļ¬le=./password.txt ā£ echo "admin" | base64 ā£ kubectl create -f ./mysecret.yaml @QVIK
- 19.
- 20.
- 21. WHAT ARE THEY? ā£key-value pairs of conļ¬guration data ā£ Similar to Secrets, but designed to more conveniently support working with strings that do not contain sensitive information ā£ Can be used to store ļ¬ne-grained information like individual properties or coarse-grained information like entire conļ¬g ļ¬les or JSON blobs @QVIK
- 22.
- 23. RESOURCES ā£ https://github.com/jerryjj/devsec_050416 ā£ http://kubernetes.io/docs/ ā£http://12factor.net/ @QVIK
- 24.