Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Your secret's safe with me

Liz Rice
April 24, 2017
Programming
0
82

Your secret's safe with me

A look at secrets management in different container orchestrators and tools

Liz Rice

April 24, 2017
Tweet

More Decks by Liz Rice

See All by Liz Rice
Unleashing the kernel with eBPF
lizrice
0
10
eBPF's Abilities and Limitations: The Truth
lizrice
0
18
Simplifying multi-cloud and multi-cluster Kubernetes deployments with Cilium
lizrice
0
9
When is a Secure Connection not encrypted? And other stories
lizrice
1
17
Keeping it simple: Cilium Mesh - networking for multi-cloud Kubernetes and beyond
lizrice
1
460
How Many Proxies Do You Need
lizrice
1
100
eBPF for Security Observability
lizrice
0
1k
Beginner's Guide to eBPF Programming for Networking
lizrice
1
1.9k
Contributing to Open Source - what's in it for my business?
lizrice
0
35

Other Decks in Programming

See All in Programming
Code Reviews
bkuhlmann
4
860
Java 22 Overview
kishida
1
160
チーム力を高めるスクラム実践法:カンバン公開と課題攻略について - ニフティのスクラムトーク Vol. 2 - NIFTY Tech Talk #18
niftycorp
PRO
1
110
[技育CAMPアカデミア]アイディアを形に!【超入門】スマホアプリ開発〜リリースまでの流れをご紹介
teamlab
PRO
0
330
Prepare for Jakarta EE 11 - Performance and Developer Productivity
ivargrimstad
0
360
App Router への移行は「改善」となり得るのか?/ Can migration to App Router be an improvement
takefumiyoshii
8
2.1k
プールにゆこう
irof
2
120
PHPの次期バージョンはこの時期どうなっているのか - Internalsの開発体制について - PHPカンファレンス小田原
youkidearitai
PRO
1
170
CA.swift19 恋するAIアプリ開発の裏側
oskmr
0
330
DDDはなぜ難しいのか / 良いコードの定義と設計能力の壁
pospome
28
10k
try! Swift Tokyo 2024 参加報告 / try! Swift Tokyo 2024 Report
hironytic
0
160
Designing for tomorrow's programming workflows
honnibal
PRO
2
110

Featured

See All Featured
Fantastic passwords and where to find them - at NoRuKo
philnash
35
2.5k
Statistics for Hackers
jakevdp
789
220k
What's in a price? How to price your products and services
michaelherold
237
11k
Fontdeck: Realign not Redesign
paulrobertlloyd
75
4.9k
Creatively Recalculating Your Daily Design Routine
revolveconf
209
11k
Design by the Numbers
sachag
274
18k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
15
1.4k
The Language of Interfaces
destraynor
151
23k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
185
16k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
319
20k
Imperfection Machines: The Place of Print at Facebook
scottboms
258
12k
Visualization
eitanlees
135
14k

Transcript

  1. Copyright @ 2017 Aqua Security Software Ltd. All Rights Reserved.

    Your secret’s safe with me Liz Rice @LizRice | @AquaSecTeam

  2. 2 Secrets @LizRice | @AquaSecTeam

  3. 3 Desirable security features for container secrets ▪ Encrypted ▪

    At rest and in transit ▪ Only decrypted in memory ▪ Access control ▪ Only accessible by containers that need them ▪ Life-cycle ▪ Rotation, revocation, audit logging @LizRice | @AquaSecTeam

  4. 4 Secret life-cycle ▪ Risk of leak increases over time

    ▪ Exploit ▪ Bad actor ▪ Accidental logging ▪ Change secret values (“rotation”) ▪ Token lifetime & use limit @LizRice | @AquaSecTeam

  5. 5 Tokens all the way down @LizRice | @AquaSecTeam ▪

    If your secret is in a secret store, how do you get access? ▪ How do you keep the access token secret? xkcd.com/1416

  6. Passing secrets to containers

  7. 7 Bad places for secrets @LizRice | @AquaSecTeam ▪ Source

    code ▪ Dockerfiles / images

  8. 8 docker run -v VARNAME=secret ... Environment variables @LizRice |

    @AquaSecTeam

  9. 9 docker run -v /hostsecrets:/secrets ... Mounted volume @LizRice |

    @AquaSecTeam

  10. Orchestrator support for secrets

  11. 11 Docker Swarm @LizRice | @AquaSecTeam ▪ Secrets support built

    in ▪ Mounted to a temporary fs ▪ Encrypted transmission with mutual authentication

  12. 12 Docker Swarm @LizRice | @AquaSecTeam ▪ Secrets support built

    in ▪ Mounted to a temporary fs ▪ Encrypted transmission with mutual authentication ▪ Files, not env vars ▪ Restart service to change secret value ▪ RBAC in Enterprise Edition

  13. 13 Kubernetes @LizRice | @AquaSecTeam ▪ Stored unencrypted in etcd

    ▪ HTTP in transit by default ▪ Files and env vars ▪ Files support updating secret values ▪ Need to restart pod to get new env var value ▪ Files mounted into the host ▪ RBAC can be turned on --authorization-mode=RBAC

  14. 14 OpenShift @LizRice | @AquaSecTeam ▪ As Kubernetes, but with

    namespaced projects & RBAC

  15. 15 DC/OS @LizRice | @AquaSecTeam ▪ Encrypted in ZooKeeper ▪

    Access control by service path ▪ Env vars ▪ Restart service to update value

  16. 16 Rancher @LizRice | @AquaSecTeam ▪ Experimental secrets support

  17. 17 Nomad @LizRice | @AquaSecTeam ▪ Integrated with Vault ▪

    Tasks get tokens so they can retrieve values from Vault ▪ Poll for changed values ▪ Access control

  18. 18 Aqua secrets @LizRice | @AquaSecTeam ▪ Any orchestrator ▪

    Secrets encrypted in Vault, Amazon KMS or Aqua DB ▪ Env vars injected into container process memory ▪ Secret can be injected to a tempfs filesystem ▪ Supports updating secrets without restart of container ▪ Supports monitoring of secret usage ▪ Limit access to designated containers

  19. Summary

  20. 20 Secrets decisions @LizRice | @AquaSecTeam Your best option depends

    on ▪ choice of orchestrator ▪ acceptable level of risk Aqua White Paper on secrets management coming very soon

  21. Copyright @ 2017 Aqua Security Software Ltd. All Rights Reserved.

    Questions? Liz Rice @LizRice | @AquaSecTeam