
Your secret's safe with me

A look at secrets management in different container orchestrators and tools


Liz Rice

April 24, 2017


Transcript

  1. Copyright @ 2017 Aqua Security Software Ltd. All Rights Reserved.
     Your secret's safe with me
     Liz Rice @LizRice | @AquaSecTeam
  2. Desirable security features for container secrets
     ▪ Encrypted
       ▪ At rest and in transit
       ▪ Only decrypted in memory
     ▪ Access control
       ▪ Only accessible by containers that need them
     ▪ Life-cycle
       ▪ Rotation, revocation, audit logging
  3. Secret life-cycle
     ▪ Risk of leak increases over time
       ▪ Exploit
       ▪ Bad actor
       ▪ Accidental logging
     ▪ Change secret values ("rotation")
     ▪ Token lifetime & use limit
  4. Tokens all the way down
     ▪ If your secret is in a secret store, how do you get access?
     ▪ How do you keep the access token secret?
     xkcd.com/1416
  5. Docker Swarm
     ▪ Secrets support built in
     ▪ Mounted to a temporary fs
     ▪ Encrypted transmission with mutual authentication
  6. Docker Swarm
     ▪ Secrets support built in
     ▪ Mounted to a temporary fs
     ▪ Encrypted transmission with mutual authentication
     ▪ Files, not env vars
     ▪ Restart service to change secret value
     ▪ RBAC in Enterprise Edition
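The Swarm behaviour on this slide (a secret delivered as a file on a tmpfs mount, only to the services that declare it, and a service restart to change its value), shown as an added example. This stack file is not from the deck or from Docker's documentation; the service name, image and secret name are placeholders.

```yaml
# Added example (not from the deck): a Docker stack file that hands one Swarm
# secret to one service as a file. Names and image are placeholders.
version: "3.1"

services:
  api:
    image: example.org/api:1.0          # placeholder image
    secrets:
      - source: db_password
        target: db_password             # becomes /run/secrets/db_password
        uid: "1000"                     # owner of the file inside the container
        gid: "1000"
        mode: 0400                      # readable by that user only
    # There is deliberately no 'environment:' entry for the value: Swarm
    # only delivers secrets as files on an in-memory mount, never as env vars.
    # Services that do not list the secret under 'secrets:' never receive it.

secrets:
  db_password:
    external: true
    # Created out of band, read from stdin so the value never lands in
    # shell history or the stack file:
    #   printf '%s' "$DB_PASSWORD" | docker secret create db_password -
    # Rotation: create db_password_v2 the same way, then
    #   docker service update --secret-rm db_password \
    #     --secret-add source=db_password_v2,target=db_password mystack_api
    # which replaces the service's tasks, i.e. "restart service to change secret value".
```

Deploy with `docker stack deploy -c stack.yml mystack`; the secret file is only present on nodes running a task of `api`, and disappears from the node when the task stops.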
  7. Kubernetes
     ▪ Stored unencrypted in etcd
     ▪ HTTP in transit by default
     ▪ Files and env vars
       ▪ Files support updating secret values
       ▪ Need to restart pod to get new env var value
     ▪ Files mounted into the host
     ▪ RBAC can be turned on: --authorization-mode=RBAC
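The Kubernetes points above (file mount versus env var, the restart needed for a new env var value, and RBAC limiting who may read the Secret object), shown as an added example. These manifests are not from the deck; the namespace, names, image and the secret value are placeholders. Note that the Role below controls API access to the Secret object (for example by `kubectl` or a controller running as this service account); the kubelet fetches the secret for the volume mount on the pod's behalf, so which pods can mount it is decided by pod scheduling and node authorization, not by this Role.

```yaml
# Added example (not from the deck): one Secret, a Role that allows reading
# only that Secret, and a Pod that consumes it both ways. Placeholder values.
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
  namespace: payments
type: Opaque
stringData:
  # Stored base64-encoded (not encrypted) in etcd unless encryption at rest
  # is configured on the API server.
  password: "placeholder-not-a-real-password"
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: payments-api
  namespace: payments
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: read-db-credentials
  namespace: payments
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["db-credentials"]   # this one Secret, not every Secret in the namespace
    verbs: ["get"]                      # no list/watch: enumerating secrets is not needed
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: payments-api-reads-db-credentials
  namespace: payments
subjects:
  - kind: ServiceAccount
    name: payments-api
    namespace: payments
roleRef:
  kind: Role
  name: read-db-credentials
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: Pod
metadata:
  name: payments-api
  namespace: payments
spec:
  serviceAccountName: payments-api
  containers:
    - name: api
      image: example.org/payments-api:1.0   # placeholder image
      env:
        # Env var: captured once at container start. After the Secret is
        # edited the process keeps the old value until the pod is restarted.
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: db-credentials
              key: password
      volumeMounts:
        # File: /etc/secrets/password is refreshed by the kubelet after the
        # Secret changes, so the process can re-read it without a restart.
        - name: db-creds
          mountPath: /etc/secrets
          readOnly: true
  volumes:
    - name: db-creds
      secret:
        secretName: db-credentials
        defaultMode: 0400               # file readable only by the container's user
```

Only one of the two delivery methods is needed in practice; both are shown here to make the slide's contrast concrete. The file is written to a tmpfs that the kubelet creates on the node, which is the "files mounted into the host" point above.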
  8. DC/OS
     ▪ Encrypted in ZooKeeper
     ▪ Access control by service path
     ▪ Env vars
     ▪ Restart service to update value
  9. Nomad
     ▪ Integrated with Vault
     ▪ Tasks get tokens so they can retrieve values from Vault
     ▪ Poll for changed values
     ▪ Access control
  10. Aqua secrets
      ▪ Any orchestrator
      ▪ Secrets encrypted in Vault, Amazon KMS or Aqua DB
      ▪ Env vars injected into container process memory
      ▪ Secret can be injected to a tmpfs filesystem
      ▪ Supports updating secrets without restart of container
      ▪ Supports monitoring of secret usage
      ▪ Limit access to designated containers
  11. Secrets decisions
      Your best option depends on
      ▪ choice of orchestrator
      ▪ acceptable level of risk
      Aqua White Paper on secrets management coming very soon
  12. Copyright @ 2017 Aqua Security Software Ltd. All Rights Reserved.
      Questions?
      Liz Rice @LizRice | @AquaSecTeam