Upgrade to Pro — share decks privately, control downloads, hide ads and more …

GitOps keeping it secret

Omer Levi Hevroni
June 02, 2020
Programming
1
84

GitOps keeping it secret

We all love GitOps - it simplifies a lot of our existing workflows. But when everything is committed to Git - how do we keep sensitive information secure? You don’t want to keep any secrets in Git where they are left open to anyone who has access to your repo. If you are embracing GitOps in your organization, application secrets should be protected somehow. How can we store those files on Git while keeping them secure? Join me to learn how!

Omer Levi Hevroni

June 02, 2020
Tweet

More Decks by Omer Levi Hevroni

See All by Omer Levi Hevroni
Hacking Monitoring for Fun and Profit
omerlh
0
120
Continuous Hacking
omerlh
0
51
Vulnerable Dependencies - Going Beyond Discovery
omerlh
0
66

Other Decks in Programming

See All in Programming
/←このスケジュール表に立ち向かう フロントエンド開発戦略 / A front-end development strategy to tackle a single-slash schedule.
nrslib
1
590
Java ジェネリクス入門 2024
nagise
0
610
gopls を改造したら開発生産性が高まった
satorunooshie
8
240
『ドメイン駆動設計をはじめよう』のモデリングアプローチ
masuda220
PRO
8
440
Nuxtベースの「WXT」でChrome拡張を作成する | Vue Fes 2024 ランチセッション
moshi1121
1
530
約9000個の自動テストの 時間を50分->10分に短縮 Flakyテストを1%以下に抑えた話
hatsu38
23
11k
macOS でできる リアルタイム動画像処理
biacco42
7
2k
Pinia Colada が実現するスマートな非同期処理
naokihaba
2
160
破壊せよ!データ破壊駆動で考えるドメインモデリング / data-destroy-driven
minodriven
16
4.1k
Content Security Policy入門 セキュリティ設定と 違反レポートのはじめ方 / Introduction to Content Security Policy Getting Started with Security Configuration and Violation Reporting
uskey512
1
440
Piniaの現状と今後
waka292
5
1.5k
役立つログに取り組もう
irof
27
8.7k

Featured

See All Featured
Gamification - CAS2011
davidbonilla
80
5k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
228
52k
Visualization
eitanlees
144
15k
jQuery: Nuts, Bolts and Bling
dougneiner
61
7.5k
Adopting Sorbet at Scale
ufuk
73
9k
What's new in Ruby 2.0
geeforr
342
31k
Large-scale JavaScript Application Architecture
addyosmani
510
110k
Reflections from 52 weeks, 52 projects
jeffersonlam
346
20k
The Power of CSS Pseudo Elements
geoffreycrofte
72
5.3k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
131
33k
No one is an island. Learnings from fostering a developers community.
thoeni
19
3k
The World Runs on Bad Software
bkeepers
PRO
65
11k

Transcript

  1. June 2020 Omer Levi Hevroni| AppSec Engineer| @omerlh Keeping a

    Secret – The GitOps Way

  2. @omerlh

  3. Manifests Files Code Traditional Deployment Kubernetes Icons Source: Kubernetes Community,

    Apache 2 license @omerlh Secret

  4. Manifests Files Code A GitOps Deployment Kubernetes Icons Source: Kubernetes

    Community, Apache 2 license @omerlh

  5. Manifests Files Code A GitOps Deployment Kubernetes Icons Source: Kubernetes

    Community, Apache 2 license @omerlh Secret

  6. How do we keep a secrets?

  7. I’m a builder @omerlh

  8. AppSec Engineer @ Snyk @omerlh

  9. The Problem With Git https://www.specbee. com/blogs/git-best- practices-how-make- most-git

  10. OWASP Top 10

  11. Kubernetes Secrets @omerlh

  12. https://kubernetes.io/docs/concepts/configuration/secret/ @omerlh

  13. Secrets File Manifest @omerlh

  14. Well, that complicates things… http://i.imgur.com/5ebYy62.jpg @omerlh

  15. confidential A place for an image • Secrets that can

    be committed • Transparent for the app • Multiple solutions: • Helm Secrets • Sealed Secrets Encrypted Secrets? @omerlh

  16. A Sealed Secret @omerlh

  17. @omerlh

  18. • Key Management • Sealed Secret – Single keypair per

    deployment • Helm Secrets – Using SOPS • Coupling to a specific tool/cluster • Changes to secret requires decryption permissions Challenges @omerlh

  19. @omerlh

  20. Travis Encrypted Secrets https://docs.travis-ci.com/user/encryption-keys/ @omerlh

  21. Eureka! http://theunprofessionalblog.blogspot.com/2016/04/whatsapp-this-is-killing-me.html @omerlh

  22. Kamus Travis secret encryption – for Kubernetes

  23. • An open source project by Soluto • Allows to

    encrypt a secret for a specific application • Leveraging cloud encryption service (AWS/GCP KMS, Azure KeyVault) • HSM support • CRD support – for creating Kubernetes secrets What? @omerlh

  24. Service Account Token (JWT) @omerlh

  25. Encrypting for a specific application @omerlh

  26. Manifests Files Code A GitOps Deployment Kubernetes Icons Source: Kubernetes

    Community, Apache 2 license @omerlh Secret (encrypted)

  27. Kamus? @omerlh

  28. Permissions Model Encrypt Decrypt User Yes No Pod Yes Only

    it’s secrets @omerlh

  29. Templating Support @omerlh

  30. KamusSecret @omerlh

  31. Storing a Reference Only confidential @omerlh

  32. confidential External Secret @omerlh https://github.com/godaddy/kubernetes-external-secrets

  33. Wrapping Up confidential @omerlh

  34. Manifests Files Code A GitOps Deployment Kubernetes Icons Source: Kubernetes

    Community, Apache 2 license @omerlh Secret

  35. Solutions Kubernetes Secret (?) Sealed Secret External Secret @omerlh Kamus

  36. How do we keep a secrets? @omerlh

  37. Thank You @omerlh