Upgrade to Pro — share decks privately, control downloads, hide ads and more …

GitOps keeping it secret

Omer Levi Hevroni
June 02, 2020
Programming
1
81

GitOps keeping it secret

We all love GitOps - it simplifies a lot of our existing workflows. But when everything is committed to Git - how do we keep sensitive information secure? You don’t want to keep any secrets in Git where they are left open to anyone who has access to your repo. If you are embracing GitOps in your organization, application secrets should be protected somehow. How can we store those files on Git while keeping them secure? Join me to learn how!

Omer Levi Hevroni

June 02, 2020
Tweet

More Decks by Omer Levi Hevroni

See All by Omer Levi Hevroni
Hacking Monitoring for Fun and Profit
omerlh
0
110
Continuous Hacking
omerlh
0
45
Vulnerable Dependencies - Going Beyond Discovery
omerlh
0
64

Other Decks in Programming

See All in Programming
AWS Application Composerで始める、 サーバーレスなデータ基盤構築 / 20240406-jawsug-hokuriku-shinkansen
kasacchiful
1
260
スキーマ駆動開発による品質とスピードの両立 - 私達は何故、スキーマを書くのか
kentaroutakeda
0
170
今、知っておきたい! 生成AIエージェントの世界
elith
3
360
Goのmultiple errorsについて (2024年4月版)
syumai
3
710
Rubyでたのしむクリエイティブコーディング/Enjoy Creative coding with Ruby
chobishiba
1
180
try!Swift Tokyo 2024 参加報告 LT
akidon0000
1
220
dbtのドメイン分割による データ基盤の改善とDigdagとの連携
sakama
0
310
Milestoner
bkuhlmann
1
410
Azure OpenAI Serviceのプロンプトエンジニアリング入門
tomokusaba
3
700
Netty Chicago Java User Group 2024-04-17
sullis
0
170
FigmaとPHPで作る1ミリたりとも表示崩れしない最強の帳票印刷ソリューション
ttskch
43
19k
Git Lint
bkuhlmann
4
750

Featured

See All Featured
How To Stay Up To Date on Web Technology
chriscoyier
782
250k
For a Future-Friendly Web
brad_frost
172
9k
Side Projects
sachag
451
41k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
221
21k
[RailsConf 2023] Rails as a piece of cake
palkan
23
3.9k
No one is an island. Learnings from fostering a developers community.
thoeni
16
2.1k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
121
39k
The Power of CSS Pseudo Elements
geoffreycrofte
60
5k
YesSQL, Process and Tooling at Scale
rocio
164
13k
Gamification - CAS2011
davidbonilla
76
4.6k
Keith and Marios Guide to Fast Websites
keithpitt
408
22k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
227
16k

Transcript

  1. June 2020 Omer Levi Hevroni| AppSec Engineer| @omerlh Keeping a

    Secret – The GitOps Way

  2. @omerlh

  3. Manifests Files Code Traditional Deployment Kubernetes Icons Source: Kubernetes Community,

    Apache 2 license @omerlh Secret

  4. Manifests Files Code A GitOps Deployment Kubernetes Icons Source: Kubernetes

    Community, Apache 2 license @omerlh

  5. Manifests Files Code A GitOps Deployment Kubernetes Icons Source: Kubernetes

    Community, Apache 2 license @omerlh Secret

  6. How do we keep a secrets?

  7. I’m a builder @omerlh

  8. AppSec Engineer @ Snyk @omerlh

  9. The Problem With Git https://www.specbee. com/blogs/git-best- practices-how-make- most-git

  10. OWASP Top 10

  11. Kubernetes Secrets @omerlh

  12. https://kubernetes.io/docs/concepts/configuration/secret/ @omerlh

  13. Secrets File Manifest @omerlh

  14. Well, that complicates things… http://i.imgur.com/5ebYy62.jpg @omerlh

  15. confidential A place for an image • Secrets that can

    be committed • Transparent for the app • Multiple solutions: • Helm Secrets • Sealed Secrets Encrypted Secrets? @omerlh

  16. A Sealed Secret @omerlh

  17. @omerlh

  18. • Key Management • Sealed Secret – Single keypair per

    deployment • Helm Secrets – Using SOPS • Coupling to a specific tool/cluster • Changes to secret requires decryption permissions Challenges @omerlh

  19. @omerlh

  20. Travis Encrypted Secrets https://docs.travis-ci.com/user/encryption-keys/ @omerlh

  21. Eureka! http://theunprofessionalblog.blogspot.com/2016/04/whatsapp-this-is-killing-me.html @omerlh

  22. Kamus Travis secret encryption – for Kubernetes

  23. • An open source project by Soluto • Allows to

    encrypt a secret for a specific application • Leveraging cloud encryption service (AWS/GCP KMS, Azure KeyVault) • HSM support • CRD support – for creating Kubernetes secrets What? @omerlh

  24. Service Account Token (JWT) @omerlh

  25. Encrypting for a specific application @omerlh

  26. Manifests Files Code A GitOps Deployment Kubernetes Icons Source: Kubernetes

    Community, Apache 2 license @omerlh Secret (encrypted)

  27. Kamus? @omerlh

  28. Permissions Model Encrypt Decrypt User Yes No Pod Yes Only

    it’s secrets @omerlh

  29. Templating Support @omerlh

  30. KamusSecret @omerlh

  31. Storing a Reference Only confidential @omerlh

  32. confidential External Secret @omerlh https://github.com/godaddy/kubernetes-external-secrets

  33. Wrapping Up confidential @omerlh

  34. Manifests Files Code A GitOps Deployment Kubernetes Icons Source: Kubernetes

    Community, Apache 2 license @omerlh Secret

  35. Solutions Kubernetes Secret (?) Sealed Secret External Secret @omerlh Kamus

  36. How do we keep a secrets? @omerlh

  37. Thank You @omerlh