Upgrade to Pro — share decks privately, control downloads, hide ads and more …

GitOps keeping it secret

Omer Levi Hevroni
June 02, 2020
Programming
1
86

GitOps keeping it secret

We all love GitOps - it simplifies a lot of our existing workflows. But when everything is committed to Git - how do we keep sensitive information secure? You don’t want to keep any secrets in Git where they are left open to anyone who has access to your repo. If you are embracing GitOps in your organization, application secrets should be protected somehow. How can we store those files on Git while keeping them secure? Join me to learn how!

Omer Levi Hevroni

June 02, 2020
Tweet

More Decks by Omer Levi Hevroni

See All by Omer Levi Hevroni
Hacking Monitoring for Fun and Profit
omerlh
0
120
Continuous Hacking
omerlh
0
51
Vulnerable Dependencies - Going Beyond Discovery
omerlh
0
69

Other Decks in Programming

See All in Programming
よくできたテンプレート言語として TypeScript + JSX を利用する試み / Using TypeScript + JSX outside of Web Frontend #TSKaigiKansai
izumin5210
6
1.7k
『ドメイン駆動設計をはじめよう』のモデリングアプローチ
masuda220
PRO
8
540
AWS Lambdaから始まった
Serverlessの「熱」とキャリアパス / It started with AWS Lambda Serverless “fever” and career path
seike460
PRO
1
260
Creating a Free Video Ad Network on the Edge
mizoguchicoji
0
120
Quine, Polyglot, 良いコード
qnighy
4
640
見せてあげますよ、「本物のLaravel批判」ってやつを。
77web
7
7.8k
色々なIaCツールを実際に触って比較してみる
iriikeita
0
330
Jakarta EE meets AI
ivargrimstad
0
650
タクシーアプリ『GO』のリアルタイムデータ分析基盤における機械学習サービスの活用
mot_techtalk
4
1.4k
[Do iOS '24] Ship your app on a Friday...and enjoy your weekend!
polpielladev
0
110
ローコードSaaSのUXを向上させるためのTypeScript
taro28
1
620
みんなでプロポーザルを書いてみた
yuriko1211
0
260

Featured

See All Featured
How to train your dragon (web standard)
notwaldorf
88
5.7k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
6
410
Building an army of robots
kneath
302
43k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
Bash Introduction
62gerente
608
210k
Rebuilding a faster, lazier Slack
samanthasiow
79
8.7k
Automating Front-end Workflow
addyosmani
1366
200k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
4
370
Art, The Web, and Tiny UX
lynnandtonic
297
20k
Statistics for Hackers
jakevdp
796
220k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
329
21k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
126
18k

Transcript

  1. June 2020 Omer Levi Hevroni| AppSec Engineer| @omerlh Keeping a

    Secret – The GitOps Way

  2. @omerlh

  3. Manifests Files Code Traditional Deployment Kubernetes Icons Source: Kubernetes Community,

    Apache 2 license @omerlh Secret

  4. Manifests Files Code A GitOps Deployment Kubernetes Icons Source: Kubernetes

    Community, Apache 2 license @omerlh

  5. Manifests Files Code A GitOps Deployment Kubernetes Icons Source: Kubernetes

    Community, Apache 2 license @omerlh Secret

  6. How do we keep a secrets?

  7. I’m a builder @omerlh

  8. AppSec Engineer @ Snyk @omerlh

  9. The Problem With Git https://www.specbee. com/blogs/git-best- practices-how-make- most-git

  10. OWASP Top 10

  11. Kubernetes Secrets @omerlh

  12. https://kubernetes.io/docs/concepts/configuration/secret/ @omerlh

  13. Secrets File Manifest @omerlh

  14. Well, that complicates things… http://i.imgur.com/5ebYy62.jpg @omerlh

  15. confidential A place for an image • Secrets that can

    be committed • Transparent for the app • Multiple solutions: • Helm Secrets • Sealed Secrets Encrypted Secrets? @omerlh

  16. A Sealed Secret @omerlh

  17. @omerlh

  18. • Key Management • Sealed Secret – Single keypair per

    deployment • Helm Secrets – Using SOPS • Coupling to a specific tool/cluster • Changes to secret requires decryption permissions Challenges @omerlh

  19. @omerlh

  20. Travis Encrypted Secrets https://docs.travis-ci.com/user/encryption-keys/ @omerlh

  21. Eureka! http://theunprofessionalblog.blogspot.com/2016/04/whatsapp-this-is-killing-me.html @omerlh

  22. Kamus Travis secret encryption – for Kubernetes

  23. • An open source project by Soluto • Allows to

    encrypt a secret for a specific application • Leveraging cloud encryption service (AWS/GCP KMS, Azure KeyVault) • HSM support • CRD support – for creating Kubernetes secrets What? @omerlh

  24. Service Account Token (JWT) @omerlh

  25. Encrypting for a specific application @omerlh

  26. Manifests Files Code A GitOps Deployment Kubernetes Icons Source: Kubernetes

    Community, Apache 2 license @omerlh Secret (encrypted)

  27. Kamus? @omerlh

  28. Permissions Model Encrypt Decrypt User Yes No Pod Yes Only

    it’s secrets @omerlh

  29. Templating Support @omerlh

  30. KamusSecret @omerlh

  31. Storing a Reference Only confidential @omerlh

  32. confidential External Secret @omerlh https://github.com/godaddy/kubernetes-external-secrets

  33. Wrapping Up confidential @omerlh

  34. Manifests Files Code A GitOps Deployment Kubernetes Icons Source: Kubernetes

    Community, Apache 2 license @omerlh Secret

  35. Solutions Kubernetes Secret (?) Sealed Secret External Secret @omerlh Kamus

  36. How do we keep a secrets? @omerlh

  37. Thank You @omerlh