Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Your secret's safe with me

Liz Rice
April 24, 2017
Programming
0
84

Your secret's safe with me

A look at secrets management in different container orchestrators and tools

Liz Rice

April 24, 2017
Tweet

More Decks by Liz Rice

See All by Liz Rice
Unleashing the kernel with eBPF
lizrice
0
130
eBPF's Abilities and Limitations: The Truth
lizrice
0
240
Simplifying multi-cloud and multi-cluster Kubernetes deployments with Cilium
lizrice
0
140
When is a Secure Connection not encrypted? And other stories
lizrice
1
63
Keeping it simple: Cilium Mesh - networking for multi-cloud Kubernetes and beyond
lizrice
1
570
How Many Proxies Do You Need
lizrice
1
120
eBPF for Security Observability
lizrice
0
1.2k
Beginner's Guide to eBPF Programming for Networking
lizrice
1
2.2k
Contributing to Open Source - what's in it for my business?
lizrice
0
43

Other Decks in Programming

See All in Programming
cmp.Or に感動した
otakakot
3
220
Hotwire or React? ~アフタートーク・本編に含めなかった話~ / Hotwire or React? after talk
harunatsujita
1
120
Flutterを言い訳にしない!アプリの使い心地改善テクニック5選🔥
kno3a87
1
210
3rd party scriptでもReactを使いたい! Preact + Reactのハイブリッド開発
righttouch
PRO
1
610
とにかくAWS GameDay!AWSは世界の共通言語! / Anyway, AWS GameDay! AWS is the world's lingua franca!
seike460
PRO
1
910
Micro Frontends Unmasked Opportunities, Challenges, Alternatives
manfredsteyer
PRO
0
110
3 Effective Rules for Using Signals in Angular
manfredsteyer
PRO
0
120
Remix on Hono on Cloudflare Workers
yusukebe
1
300
Contemporary Test Cases
maaretp
0
140
Kaigi on Rails 2024 〜運営の裏側〜
krpk1900
1
250
ヤプリ新卒SREの オンボーディング
masaki12
0
130
3 Effective Rules for Using Signals in Angular
manfredsteyer
PRO
0
100

Featured

See All Featured
GitHub's CSS Performance
jonrohan
1030
460k
The Language of Interfaces
destraynor
154
24k
For a Future-Friendly Web
brad_frost
175
9.4k
Writing Fast Ruby
sferik
627
61k
A Philosophy of Restraint
colly
203
16k
Scaling GitHub
holman
458
140k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
131
33k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
665
120k
The Cost Of JavaScript in 2023
addyosmani
45
6.8k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.3k
Put a Button on it: Removing Barriers to Going Fast.
kastner
59
3.5k
Facilitating Awesome Meetings
lara
50
6.1k

Transcript

  1. Copyright @ 2017 Aqua Security Software Ltd. All Rights Reserved.

    Your secret’s safe with me Liz Rice @LizRice | @AquaSecTeam

  2. 2 Secrets @LizRice | @AquaSecTeam

  3. 3 Desirable security features for container secrets ▪ Encrypted ▪

    At rest and in transit ▪ Only decrypted in memory ▪ Access control ▪ Only accessible by containers that need them ▪ Life-cycle ▪ Rotation, revocation, audit logging @LizRice | @AquaSecTeam

  4. 4 Secret life-cycle ▪ Risk of leak increases over time

    ▪ Exploit ▪ Bad actor ▪ Accidental logging ▪ Change secret values (“rotation”) ▪ Token lifetime & use limit @LizRice | @AquaSecTeam

  5. 5 Tokens all the way down @LizRice | @AquaSecTeam ▪

    If your secret is in a secret store, how do you get access? ▪ How do you keep the access token secret? xkcd.com/1416

  6. Passing secrets to containers

  7. 7 Bad places for secrets @LizRice | @AquaSecTeam ▪ Source

    code ▪ Dockerfiles / images

  8. 8 docker run -v VARNAME=secret ... Environment variables @LizRice |

    @AquaSecTeam

  9. 9 docker run -v /hostsecrets:/secrets ... Mounted volume @LizRice |

    @AquaSecTeam

  10. Orchestrator support for secrets

  11. 11 Docker Swarm @LizRice | @AquaSecTeam ▪ Secrets support built

    in ▪ Mounted to a temporary fs ▪ Encrypted transmission with mutual authentication

  12. 12 Docker Swarm @LizRice | @AquaSecTeam ▪ Secrets support built

    in ▪ Mounted to a temporary fs ▪ Encrypted transmission with mutual authentication ▪ Files, not env vars ▪ Restart service to change secret value ▪ RBAC in Enterprise Edition

  13. 13 Kubernetes @LizRice | @AquaSecTeam ▪ Stored unencrypted in etcd

    ▪ HTTP in transit by default ▪ Files and env vars ▪ Files support updating secret values ▪ Need to restart pod to get new env var value ▪ Files mounted into the host ▪ RBAC can be turned on --authorization-mode=RBAC

  14. 14 OpenShift @LizRice | @AquaSecTeam ▪ As Kubernetes, but with

    namespaced projects & RBAC

  15. 15 DC/OS @LizRice | @AquaSecTeam ▪ Encrypted in ZooKeeper ▪

    Access control by service path ▪ Env vars ▪ Restart service to update value

  16. 16 Rancher @LizRice | @AquaSecTeam ▪ Experimental secrets support

  17. 17 Nomad @LizRice | @AquaSecTeam ▪ Integrated with Vault ▪

    Tasks get tokens so they can retrieve values from Vault ▪ Poll for changed values ▪ Access control

  18. 18 Aqua secrets @LizRice | @AquaSecTeam ▪ Any orchestrator ▪

    Secrets encrypted in Vault, Amazon KMS or Aqua DB ▪ Env vars injected into container process memory ▪ Secret can be injected to a tempfs filesystem ▪ Supports updating secrets without restart of container ▪ Supports monitoring of secret usage ▪ Limit access to designated containers

  19. Summary

  20. 20 Secrets decisions @LizRice | @AquaSecTeam Your best option depends

    on ▪ choice of orchestrator ▪ acceptable level of risk Aqua White Paper on secrets management coming very soon

  21. Copyright @ 2017 Aqua Security Software Ltd. All Rights Reserved.

    Questions? Liz Rice @LizRice | @AquaSecTeam