
Secrets Management in Kubernetes Environments with HashiCorp Vault

Kapil Arora
December 03, 2020


Secrets Management in Kubernetes Environments with HashiCorp Vault
HashiTalks DACH 2020
Demo : https://github.com/kaparora/hashitalks-demo-nov-2020


Transcript

  1. © 2020 HashiCorp
     Kapil Arora, Senior Solutions Engineer, HashiCorp DACH
     https://www.kaparora.com
     Secrets Management in Kubernetes Environments with HashiCorp Vault
     HashiTalks DACH, December 3, 2020
  2. Agenda
     - Best Practices
     - Vault and Kubernetes
     - Installation with Helm
     - Vault Overview
     - Agent Injection
     - Demo
  3. Vault & Kubernetes
     1. Helm Chart
     2. Kubernetes Auth method
     3. Agent sidecar injector
     4. Vault Secrets with CSI
     https://learn.hashicorp.com/collections/vault/kubernetes
  4. Helm Chart
     1. Ease of deployment – A single CLI command to create multiple resources
     2. Templating – Provide defaults with overrides
     3. Versioning – Provide backward and forward support and repeatability
  5. Helm Chart
     ▪ GitHub – https://github.com/hashicorp/vault-helm
     ▪ Documentation – https://www.vaultproject.io/docs/platform/k8s/helm
     ▪ HashiCorp Helm Repo – https://helm.releases.hashicorp.com
     ▪ Modes
       – Dev (server.dev.enabled)
       – Standalone
       – HA (server.ha.enabled)
       – External (injector.externalVaultAddr)
  6. Helm Install (TERMINAL)
     > helm repo add hashicorp https://helm.releases.hashicorp.com
     "Hashicorp" has been added to your repositories
     > helm search repo hashicorp
     ...
     hashicorp/consul ...
     hashicorp/vault ...
     > helm install vault hashicorp/vault
     NAME: vault
     ...
  7. Define a Service Account (TERMINAL)
     > kubectl apply -f - <<EOF
     apiVersion: v1
     kind: ServiceAccount
     metadata:
       name: k8s-service-acct
     EOF
  8. CODE EDITOR
     spec:
       template:
         metadata:
           annotations:
             vault.hashicorp.com/agent-inject: "true"
             vault.hashicorp.com/role: "internal-app"
             vault.hashicorp.com/agent-inject-secret-database-config.txt: "internal/data/database/config"
  9. Vault Agent Template
     Released in Vault version 1.4. Provides a way to render the secrets managed by Vault Agent in a format usable by the application. Removes the requirement for data manipulation with external tools or modification to application code.
  10. CODE EDITOR
      spec:
        template:
          metadata:
            annotations:
              vault.hashicorp.com/agent-inject: "true"
              vault.hashicorp.com/agent-inject-status: "update"
              vault.hashicorp.com/role: "internal-app"
              vault.hashicorp.com/agent-inject-secret-database-config.txt: "internal/data/database/config"
              vault.hashicorp.com/agent-inject-template-database-config.txt: |
                {{- with secret "internal/data/database/config" -}}
                postgresql://{{ .Data.data.username }}:{{ .Data.data.password }}@postgres:5432/wizard
                {{- end -}}
  11. Best Practices Resources
      ▪ Security Considerations – https://learn.hashicorp.com/tutorials/vault/kubernetes-security-concerns
      ▪ Reference Architecture – https://learn.hashicorp.com/tutorials/vault/kubernetes-reference-architecture
  12. Container Storage Interface
      The Container Storage Interface (CSI) is a standard for exposing arbitrary block and file storage systems to containerized workloads on Container Orchestration Systems (COs) like Kubernetes. Using CSI, third-party storage providers can write and deploy plugins exposing new storage systems in Kubernetes without ever having to touch the core Kubernetes code.
  13. Container Storage Interface
      Secrets Store CSI driver for Kubernetes secrets - Integrates secrets stores with Kubernetes via a Container Storage Interface (CSI) volume.
      The Secrets Store CSI driver secrets-store.csi.k8s.io allows Kubernetes to mount multiple secrets, keys, and certs stored in enterprise-grade external secrets stores into their pods as a volume. Once the volume is attached, the data in it is mounted into the container's file system.
  14. Secret Store CSI Config Steps
      1. Install the secrets store CSI driver
      2. Install the provider-vault executable
      3. Define a SecretProviderClass Kubernetes resource
      4. Define a pod with volume
  15. Resources
      Secret injection with Vault Agent Injector – https://learn.hashicorp.com/vault/kubernetes/sidecar
      Secrets with Container Storage Interface – https://learn.hashicorp.com/vault/kubernetes/secret-store-driver
      External Vault – https://learn.hashicorp.com/vault/kubernetes/external-vault
  16. Summary
      Vault integrates tightly with K8S. Vault offers centralized secret management, identity brokering and encryption as a service for K8S applications. Vault also offers a Helm chart and agent injection functionality. Vault secrets can also be mounted using the CSI integration.
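As an added example that is not part of the deck or its demo repository, the manifests below fill in steps 3 and 4 of the Secret Store CSI config steps on slide 14, reusing the deck's `internal-app` role, `k8s-service-acct` service account and `internal/data/database/config` KV path. The SecretProviderClass name, in-cluster Vault address, object names, container image and mount path are assumptions.

```yaml
# Steps 1-2 (assumed Helm commands, run once per cluster before applying this file):
#   helm repo add secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
#   helm install csi secrets-store-csi-driver/secrets-store-csi-driver
#   plus the Vault provider (provider-vault) running on every node.
#
# Step 3: the SecretProviderClass tells the Vault provider which Kubernetes auth
# role to log in with and which KV v2 fields to render as files in the volume.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: vault-database-config        # assumed name; referenced by the pod below
spec:
  provider: vault
  parameters:
    vaultAddress: "http://vault.default:8200"   # assumed address of the Helm-installed Vault service
    roleName: "internal-app"                    # role from the deck; it must bind k8s-service-acct
    objects: |
      - objectName: "db-username"               # becomes the file name inside the mounted volume
        secretPath: "internal/data/database/config"
        secretKey: "username"
      - objectName: "db-password"
        secretPath: "internal/data/database/config"
        secretKey: "password"
---
# Step 4: the pod mounts the class as a CSI volume. The provider authenticates to
# Vault with the pod's service account token, so the pod must run as the account
# that the internal-app role allows; a pod under another account gets nothing.
apiVersion: v1
kind: Pod
metadata:
  name: webapp
spec:
  serviceAccountName: k8s-service-acct
  containers:
    - name: webapp
      image: nginx:1.25                 # assumed placeholder image
      volumeMounts:
        - name: secrets-store
          mountPath: "/mnt/secrets-store"   # /mnt/secrets-store/db-password holds the value
          readOnly: true
  volumes:
    - name: secrets-store
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: "vault-database-config"
```

The rendered files are visible to every container in the pod, so the Vault policy attached to the `internal-app` role should grant read on that one KV path only.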