Hands-on with Vault on Kubernetes

This is the preamble for a hands-on workshop on Vault, a single-binary secrets management system, in which we build secrets management for a production Kubernetes environment from scratch.

Initially presented at OSCON 2019.

Rosemary Wang

July 16, 2019

Transcript

  1. Objectives
     ▪ Explain why Vault on Kubernetes
     ▪ Deploy a Vault cluster on Kubernetes.
       – Set up for high availability
       – Demonstrate (some) production hardening approaches
     ▪ Retrieve secrets from Vault for an application.
       – Dynamic retrieval
       – Native Kubernetes integrations

  2. What is Kubernetes?
     Orchestrates, organizes, and manages containers.
     ▪ Resource Definitions extend the Kubernetes API
     ▪ Definitions specified in JSON or YAML
     ▪ Consists of master and node architecture

  3. Useful Constructs
     Pods are groupings of containers, volumes, and networking. Deployment maintains the desired number of application pods. StatefulSet provides sticky identity for pods that require some preservation of state. DaemonSet deploys a pod per node.

  4. Kubernetes Secrets
     Encoded but stored in plaintext, with little access control or management. Need a secrets manager. Options include:
     ▪ Public Cloud Key Management Service
     ▪ HashiCorp Vault

  5. What is Vault?
     Manages secrets & protects sensitive data.
     ▪ Secure, store, and control access
     ▪ For tokens, passwords, certificates, and encryption keys
     ▪ Has a UI, CLI, and HTTP API

  7. Why on Kubernetes?
     ▪ Alternative to plaintext secrets
     ▪ Distributed
     ▪ Declarative policies for access control
     ▪ Eases Vault cluster lifecycle management
     ▪ Manages secrets lifecycle (rotation, revocation)
     ▪ Can be sidecar for application (lower latency)

  8. Secret
     ▪ Secret is anything used for authentication and authorization
       – Tokens
       – Passwords
       – Certificates
     ▪ Sensitive is anything that is confidential
       – SSN, credit card, email, PII, etc.

  9. Seal
     When starting, Vault is sealed.
     ▪ This keeps data encrypted with a master key.
     ▪ The master key is split into shards using Shamir's Secret Sharing algorithm.

  10. Unseal
     To retrieve secrets, we need to unseal Vault.
     ▪ This means reconstructing the master key.
     ▪ Needs enough shards in order to properly unseal.

  11. Lease, Renew, & Revoke
     We mitigate the attack surface with ephemerality.
     ▪ Data has a Time to Live (TTL), listed in a lease.
     ▪ After the TTL has expired…
       – Lessee must renew
       – OR Vault automatically revokes by invalidating the secret

  12. Tokens
     Authenticates an identity.
     ▪ Can have dynamic tokens created from auth methods.
     ▪ One or more policies can be attached to tokens.
     ▪ There is a root token, the one token to rule them all. USE WITH CAUTION.

  13. Policies
     Declaratively grants or forbids access to paths and operations.

         path "secret/*" {
           capabilities = ["create", "read", "update", "delete", "list"]
         }

  14. Why are we using GCP?
     Material is mostly cloud provider agnostic.
     ▪ Need easy way to get (larger) Kubernetes clusters
     ▪ Variations in workstations = tough for workshops
     ▪ Auto-unseal requires key management service
     Credit to Seth Vargo's workshop for Vault on GKE.

  15. Disclaimer
     Patterns in this workshop can be extended or dismissed. The material in this workshop requires additional work for complete production hardening (such as a process for revoking the root token).

  16. Pre-Flight Checklist
     Go to https://console.cloud.google.com
     ▪ Google Cloud Platform account?
     ▪ Project with Owner access?
     ▪ Google Cloud Shell?

  18. © 2018 HashiCorp Thank you! Mishra (@build1point0) & Rosemary (@joatmon08)
     https://github.com/hashicorp/hands-on-with-vault-on-kubernetes
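The seal and unseal slides (9 and 10) rest on Shamir's Secret Sharing. As an added illustration, not code from the workshop or from Vault, this Python block splits a constructed master key into 5 shards with a threshold of 3 (Vault's default key-shares and key-threshold) and shows that any 3 shards reconstruct it while 2 do not; the prime field and the 16-byte key are simplifying assumptions, since Vault itself shares the key byte-wise over GF(2^8).

```python
"""Shamir's Secret Sharing, the scheme behind Vault's seal: the master key is
split into n shards and any k of them (the unseal threshold) rebuild it."""
import secrets

# Mersenne prime 2^127 - 1: a 16-byte key fits below it. Vault itself shares
# the key byte-wise over GF(2^8); this prime field is an illustrative stand-in.
PRIME = (1 << 127) - 1
KEY_LEN = (PRIME.bit_length() + 7) // 8  # 16 bytes

def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial at x, modulo PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc

def split_secret(secret: bytes, shares: int, threshold: int):
    """Split `secret` into `shares` (x, y) shards; any `threshold` recover it."""
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret must be smaller than the field prime")
    # Constant term is the secret; the other threshold-1 coefficients are random,
    # so threshold-1 shards fix nothing about the constant term.
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]

def combine_shares(shards) -> bytes:
    """Lagrange interpolation at x = 0 returns the constant term (the secret)."""
    total = 0
    for xi, yi in shards:
        num, den = 1, 1
        for xj, _ in shards:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total.to_bytes(KEY_LEN, "big")

def demo():
    """Vault's default is 5 shares with a threshold of 3; constructed 16-byte key."""
    master_key = bytes(range(16))
    shards = split_secret(master_key, shares=5, threshold=3)
    unsealed = combine_shares(shards[:3]) == master_key             # 3 shards unseal
    any_three = combine_shares([shards[0], shards[2], shards[4]]) == master_key
    too_few = combine_shares(shards[:2]) != master_key               # 2 are not enough
    return unsealed, any_three, too_few
```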