
Hands-on with Vault on Kubernetes


This is the preamble for a hands-on workshop on Vault, HashiCorp's single-binary secrets management system, in which participants build a secrets management system for a production Kubernetes environment from scratch.

Initially presented at OSCON 2019.


Rosemary Wang

July 16, 2019


Transcript

  1. Hands-on with Vault on Kubernetes. O'Reilly OSCON, July 16, 2019. © 2018 HashiCorp
  2. Your Facilitators
     ▪ Anubhav Mishra (@build1point0)
     ▪ Rosemary Wang (@joatmon08)
     ▪ Developer Advocates from HashiCorp
  3. Objectives
     ▪ Explain why Vault on Kubernetes
     ▪ Deploy a Vault cluster on Kubernetes
       – Set up for high availability
       – Demonstrate (some) production hardening approaches
     ▪ Retrieve secrets from Vault for an application
       – Dynamic retrieval
       – Native Kubernetes integrations
  4. A Quick Introduction: Kubernetes

  5. What is Kubernetes? Orchestrates, organizes, and manages containers.
     ▪ Resource definitions extend the Kubernetes API
     ▪ Definitions are specified in JSON or YAML
     ▪ Consists of a master (control plane) and node architecture
  6. Architecture (diagram slide)

  7. Useful Constructs
     ▪ A Pod is a grouping of containers, volumes, and networking.
     ▪ A Deployment maintains the desired number of application pods.
     ▪ A StatefulSet provides sticky identity for pods that require some preservation of state.
     ▪ A DaemonSet deploys one pod per node.
  8. Kubernetes Secrets
     Base64-encoded, not encrypted: they are stored in plaintext in etcd unless encryption at rest is configured, with little access control or lifecycle management. Need a secrets manager. Options include:
     ▪ Public cloud Key Management Service
     ▪ HashiCorp Vault
  9. A Quick Introduction: Vault

  10. What is Vault? Manages secrets and protects sensitive data.
     ▪ Secure, store, and control access
     ▪ For tokens, passwords, certificates, and encryption keys
     ▪ Has a UI, CLI, and HTTP API
  11. (image slide, no transcript)

  12. Why on Kubernetes?
     ▪ Alternative to plaintext secrets
     ▪ Distributed
     ▪ Declarative policies for access control
     ▪ Eases Vault cluster lifecycle management
     ▪ Manages the secrets lifecycle (rotation, revocation)
     ▪ Can run as a sidecar for the application (lower latency)
  13. Consider...
     ▪ Multi-tenancy?
     ▪ Container security measures?
     ▪ Manual vs. automation
  14. Important Vault Concepts

  15. Secret
     ▪ A secret is anything used for authentication and authorization
       – Tokens
       – Passwords
       – Certificates
     ▪ Sensitive is anything that is confidential
       – SSN, credit card, email, PII, etc.
  16. Seal
     When starting, Vault is sealed.
     ▪ This keeps the stored data encrypted: the storage backend holds only ciphertext, and the key that decrypts it is protected by a master key that Vault does not have while sealed.
     ▪ The master key is split into shards using Shamir's Secret Sharing algorithm.
  17. Unseal
     To retrieve secrets, we need to unseal Vault.
     ▪ This means reconstructing the master key from the shards.
     ▪ Needs a threshold number of shards (e.g. 3 of 5) in order to properly unseal; fewer than the threshold reveal nothing about the key.
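The split and reconstruction described on the Seal and Unseal slides, as an added example (not code from the deck or from Vault's own shamir package). It works byte-wise in GF(2^8), which is the field Vault uses; the AES reducing polynomial 0x11b, the x-coordinates 1..n (Vault picks them randomly), and the 32-byte stand-in master key are assumptions for illustration.

```python
"""Shamir's Secret Sharing in GF(2^8): split a master key into n unseal
shards so that any k of them reconstruct it and fewer reveal nothing.

Added example, not Vault's implementation. Assumptions: reducing polynomial
0x11b, x-coordinates 1..n, constructed 32-byte key.
"""
import secrets


def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def gf_inv(a):
    """Multiplicative inverse: a^254 == a^-1 because the group order is 255."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def _eval_poly(coeffs, x):
    """Horner evaluation over GF(2^8); addition in characteristic 2 is XOR."""
    acc = 0
    for c in reversed(coeffs):
        acc = gf_mul(acc, x) ^ c
    return acc


def split_secret(secret, n, k):
    """Split `secret` into n shards (x, y_bytes); any k reconstruct it.

    Each byte becomes the constant term of its own random degree k-1
    polynomial, so k-1 shards leave every byte value equally likely.
    """
    if not 1 <= k <= n <= 255:
        raise ValueError("need 1 <= threshold <= shares <= 255")
    polys = [[s] + list(secrets.token_bytes(k - 1)) for s in secret]
    return [(x, bytes(_eval_poly(p, x) for p in polys)) for x in range(1, n + 1)]


def combine_shards(shards):
    """Lagrange-interpolate each byte's polynomial at x = 0.

    Below the threshold this still returns bytes, but wrong ones. Vault only
    trusts the result once it decrypts the keyring with it, which is why a
    below-threshold unseal fails outright rather than partially working.
    """
    xs = [x for x, _ in shards]
    if len(set(xs)) != len(xs) or 0 in xs:
        raise ValueError("shards must have distinct non-zero x")
    out = bytearray()
    for pos in range(len(shards[0][1])):
        acc = 0
        for i, (xi, yi) in enumerate(shards):
            basis = 1
            for j, (xj, _) in enumerate(shards):
                if i != j:
                    # L_i(0) = prod_{j != i} (0 - x_j) / (x_i - x_j); "-" is XOR here
                    basis = gf_mul(basis, gf_mul(xj, gf_inv(xi ^ xj)))
            acc ^= gf_mul(yi[pos], basis)
        out.append(acc)
    return bytes(out)


def unseal(shards, verify):
    """Model of the unseal step: reconstruct, then verify before trusting."""
    candidate = combine_shards(shards)
    return candidate if verify(candidate) else None


if __name__ == "__main__":
    master_key = secrets.token_bytes(32)  # constructed stand-in for the master key
    shards = split_secret(master_key, n=5, k=3)
    print("3 of 5 reconstructs:", combine_shards(shards[:3]) == master_key)
    print("2 of 5 reconstructs:", combine_shards(shards[:2]) == master_key)
```

Note that `unseal` only returns the key when `verify` accepts it: the threshold is enforced by the verification, not by counting shards, which mirrors why handing Vault too few (or one wrong) unseal keys leaves it sealed.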
  18. Lease, Renew, & Revoke
     We reduce the attack surface with ephemerality.
     ▪ Data has a Time to Live (TTL), listed in a lease.
     ▪ Before the TTL expires...
       – the lessee must renew the lease (never beyond its max TTL),
       – OR Vault automatically revokes it by invalidating the secret.
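A model of the lease lifecycle on this slide, as an added example (not the deck's or Vault's code): issue with a TTL, renew before expiry but never past the max TTL, revoke explicitly, or have a sweep revoke automatically once the TTL has passed. The lease-ID shape, the injectable clock and the `revoke_fn` callback (standing in for, say, dropping a dynamically created database user) are assumptions for illustration.

```python
"""Lease lifecycle for a dynamic secret: issue, renew (capped at max TTL),
explicit revoke, and automatic revoke on expiry.

Added example, not Vault's expiration manager. Lease-ID format, clock
injection and revoke_fn are assumptions.
"""
import secrets
from dataclasses import dataclass


@dataclass
class Lease:
    lease_id: str
    expires_at: float
    max_expires_at: float   # hard ceiling: renewals cannot push expiry past this
    revoke_fn: object       # called exactly once when the secret is invalidated
    revoked: bool = False


class LeaseTable:
    def __init__(self, clock):
        self._clock = clock     # returns seconds; injectable so expiry is testable
        self._leases = {}

    def issue(self, prefix, ttl, max_ttl, revoke_fn):
        """Hand out a secret under a lease; returns the lease ID the client keeps."""
        if ttl <= 0 or ttl > max_ttl:
            raise ValueError("0 < ttl <= max_ttl required")
        now = self._clock()
        lease_id = f"{prefix}/{secrets.token_hex(12)}"   # assumed ID shape
        self._leases[lease_id] = Lease(lease_id, now + ttl, now + max_ttl, revoke_fn)
        return lease_id

    def is_valid(self, lease_id):
        lease = self._leases.get(lease_id)
        return lease is not None and not lease.revoked and self._clock() < lease.expires_at

    def renew(self, lease_id, increment):
        """Extend the lease by `increment` seconds, capped at max TTL.

        Returns the new expiry time. An expired or revoked lease cannot be
        renewed: the lessee has to request a fresh secret instead.
        """
        if not self.is_valid(lease_id):
            raise KeyError(f"lease {lease_id} is expired, revoked or unknown")
        lease = self._leases[lease_id]
        lease.expires_at = min(self._clock() + increment, lease.max_expires_at)
        return lease.expires_at

    def revoke(self, lease_id):
        """Explicit revocation: invalidate the secret now, regardless of TTL."""
        lease = self._leases.pop(lease_id, None)
        if lease is None:
            raise KeyError(lease_id)
        if not lease.revoked:
            lease.revoked = True
            lease.revoke_fn()

    def tidy(self):
        """Automatic revocation sweep; returns IDs revoked because their TTL passed."""
        now = self._clock()
        expired = [lid for lid, lease in self._leases.items() if now >= lease.expires_at]
        for lid in expired:
            self.revoke(lid)
        return expired


if __name__ == "__main__":
    now = [0.0]
    table = LeaseTable(lambda: now[0])
    lid = table.issue("database/creds/readonly", ttl=60, max_ttl=100,
                      revoke_fn=lambda: print("dropped db user"))
    now[0] = 50.0
    print("renewed until", table.renew(lid, 60))   # capped at 100, not 110
    now[0] = 100.0
    print("auto-revoked:", table.tidy())
```

The cap in `renew` is the point practitioners miss: a client that renews forever still loses its credentials at max TTL and must fetch new ones, so applications need a re-fetch path, not just a renew loop.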
  19. Tokens
     A token authenticates an identity.
     ▪ Tokens can be created dynamically by auth methods (for example the Kubernetes auth method, which validates a pod's service account JWT).
     ▪ One or more policies can be attached to a token.
     ▪ There is a root token, the one token to rule them all. USE WITH CAUTION.
  20. Policies
     Declaratively grant or forbid access to paths and operations.

       path "secret/*" {
         capabilities = ["create", "read", "update", "delete", "list"]
       }
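How a policy like the one above is evaluated against a request, as an added example (not the deck's code and not Vault's ACL engine). It models the documented rules a practitioner relies on: an exact path match wins over globs, otherwise the longest matching trailing-`*` prefix governs, `deny` overrides every other capability, and the capabilities of all policies attached to a token are merged per path. The `+` segment wildcard, `sudo` and parameter constraints are not modeled; the two policies and the request paths are constructed for illustration.

```python
"""Evaluate Vault-style ACL policies: does a token holding these policies
have a capability on a request path?

Added example, not Vault's ACL code. Models exact-match-first, longest glob
prefix, sticky deny and per-path merging; omits `+`, sudo and parameter rules.
"""
import re
from collections import defaultdict

# Matches the simple `path "..." { capabilities = [...] }` stanza form.
_RULE_RE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}')


def parse_policy(hcl):
    """Return {path_pattern: set(capabilities)} for a policy written in HCL."""
    rules = {}
    for path, caps in _RULE_RE.findall(hcl):
        rules[path] = {c.strip().strip('"') for c in caps.split(",") if c.strip()}
    return rules


def merge_policies(policies):
    """Union the capabilities of all attached policies per path pattern.

    Since deny is kept as a capability in the set, a deny in any one policy
    survives the merge and wins in allowed().
    """
    merged = defaultdict(set)
    for rules in policies:
        for path, caps in rules.items():
            merged[path] |= caps
    return dict(merged)


def match_rule(merged, request_path):
    """Pick the governing rule: exact match first, else the longest glob prefix."""
    if request_path in merged:
        return request_path
    best = None
    for pattern in merged:
        if pattern.endswith("*") and request_path.startswith(pattern[:-1]):
            if best is None or len(pattern) > len(best):
                best = pattern
    return best


def allowed(merged, request_path, capability):
    """Default deny: no matching rule, or a deny rule, means no access."""
    rule = match_rule(merged, request_path)
    if rule is None or "deny" in merged[rule]:
        return False
    return capability in merged[rule]


# Constructed policies: the slide's rule grants everything under secret/*;
# a second policy carves out an admin subtree with one read-only exception.
APP_POLICY = """
path "secret/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
"""

ADMIN_GUARD_POLICY = """
path "secret/admin/*" {
  capabilities = ["deny"]
}
path "secret/admin/audit-config" {
  capabilities = ["read"]
}
"""

TOKEN_ACL = merge_policies([parse_policy(APP_POLICY), parse_policy(ADMIN_GUARD_POLICY)])

if __name__ == "__main__":
    for path, cap in [("secret/app/db", "read"), ("secret/admin/root-key", "read"),
                      ("secret/admin/audit-config", "read"), ("sys/policies/acl/app", "read")]:
        verdict = "allow" if allowed(TOKEN_ACL, path, cap) else "deny"
        print(f"{cap:6} {path:28} -> {verdict}")
```

The check worth internalizing is the third request: `secret/admin/audit-config` is readable because an exact path beats the `secret/admin/*` deny, so a broad deny glob does not protect a path that another attached policy names exactly.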
  21. Getting Started

  22. Why are we using GCP?
     The material is mostly cloud provider agnostic.
     ▪ Need an easy way to get (larger) Kubernetes clusters
     ▪ Variations in workstations = tough for workshops
     ▪ Auto-unseal requires a key management service
     Credit to Seth Vargo's workshop for Vault on GKE.
  23. Disclaimer
     Patterns in this workshop can be extended or dismissed. The material in this workshop requires additional work for complete production hardening (such as a process for revoking the root token).
  24. Pre-Flight Checklist
     Go to https://console.cloud.google.com
     ▪ Google Cloud Platform account?
     ▪ Project with Owner access?
     ▪ Google Cloud Shell?
  25. Workshop

  26. Repository: hashi.co/oscon-workshop (instructions in README.md)

  27. (image slide, no transcript)

  28. Thank you! Anubhav Mishra (@build1point0) & Rosemary Wang (@joatmon08)
      https://github.com/hashicorp/hands-on-with-vault-on-kubernetes