Slide 1

Slide 1 text

Keeping a Secret – The GitOps Way
Omer Levi Hevroni | AppSec Engineer | @omerlh
June 2020

Slide 2

Slide 2 text


Slide 3

Slide 3 text

Diagram: Traditional Deployment – Code, Manifests Files, Secret. (Kubernetes icons source: Kubernetes Community, Apache 2 license.)

Slide 4

Slide 4 text

Diagram: A GitOps Deployment – Code, Manifests Files. (Kubernetes icons source: Kubernetes Community, Apache 2 license.)

Slide 5

Slide 5 text

Diagram: A GitOps Deployment – Code, Manifests Files, Secret. (Kubernetes icons source: Kubernetes Community, Apache 2 license.)

Slide 6

Slide 6 text

How do we keep a secret?

Slide 7

Slide 7 text

I’m a builder

Slide 8

Slide 8 text

AppSec Engineer @ Snyk

Slide 9

Slide 9 text

The Problem With Git
https://www.specbee.com/blogs/git-best-practices-how-make-most-git

Slide 10

Slide 10 text

OWASP Top 10

Slide 11

Slide 11 text

Kubernetes Secrets

Slide 12

Slide 12 text

https://kubernetes.io/docs/concepts/configuration/secret/

Slide 13

Slide 13 text

Secrets File Manifest

Slide 14

Slide 14 text

Well, that complicates things… http://i.imgur.com/5ebYy62.jpg

Slide 15

Slide 15 text

Encrypted Secrets?
● Secrets that can be committed
● Transparent for the app
● Multiple solutions:
  ● Helm Secrets
  ● Sealed Secrets

Slide 16

Slide 16 text

A Sealed Secret

Slide 17

Slide 17 text


Slide 18

Slide 18 text

Challenges
● Key management
  ● Sealed Secret – a single keypair per deployment
  ● Helm Secrets – uses SOPS
● Coupling to a specific tool/cluster
● Changes to a secret require decryption permissions

Slide 19

Slide 19 text


Slide 20

Slide 20 text

Travis Encrypted Secrets https://docs.travis-ci.com/user/encryption-keys/

Slide 21

Slide 21 text

Eureka! http://theunprofessionalblog.blogspot.com/2016/04/whatsapp-this-is-killing-me.html

Slide 22

Slide 22 text

Kamus Travis secret encryption – for Kubernetes

Slide 23

Slide 23 text

What?
● An open source project by Soluto
● Allows encrypting a secret for a specific application
● Leverages a cloud encryption service (AWS/GCP KMS, Azure KeyVault)
● HSM support
● CRD support – for creating Kubernetes secrets

Slide 24

Slide 24 text

Service Account Token (JWT)

Slide 25

Slide 25 text

Encrypting for a specific application

Slide 26

Slide 26 text

Diagram: A GitOps Deployment – Code, Manifests Files, Secret (encrypted). (Kubernetes icons source: Kubernetes Community, Apache 2 license.)

Slide 27

Slide 27 text

Kamus?

Slide 28

Slide 28 text

Permissions Model

           Encrypt   Decrypt
  User     Yes       No
  Pod      Yes       Only its own secrets
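The two properties that slides 25 and 28 describe, encrypting a secret for one specific application and letting only that application's pod decrypt it, are easy to state but worth seeing enforced in code. The following Go program is an added illustration written for this page; it is not Kamus's own code and does not reproduce its real implementation or its KMS integration. It assumes a hypothetical in-process "server" holding a master key, identifies an application by a constructed "namespace:name" service-account id, derives a per-application AES-256 key from the master key with HMAC, and binds the ciphertext to the account id as GCM additional data. Decryption refuses users outright and refuses pods presenting a different service account.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// Caller is the identity a request arrives with. A pod presents its
// service-account id ("namespace:name", taken from its token); a human user
// has no pod identity at all.
type Caller struct {
	IsPod          bool
	ServiceAccount string
}

// Server models the encryption service. The master key is held in memory here
// (constructed for the example); a real service would keep it in a KMS or HSM.
type Server struct {
	master []byte
}

func NewServer(master []byte) *Server { return &Server{master: master} }

// saKey derives a distinct AES-256 key for each service account from the
// master key, so a ciphertext is usable only under the identity it was made for.
func (s *Server) saKey(saID string) []byte {
	m := hmac.New(sha256.New, s.master)
	m.Write([]byte(saID))
	return m.Sum(nil) // 32 bytes
}

func (s *Server) aead(saID string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(s.saKey(saID))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt is open to every caller (user or pod). The result is bound to
// targetSA twice: it is encrypted under that account's derived key, and the
// account id is authenticated as GCM additional data.
func (s *Server) Encrypt(targetSA string, plaintext []byte) (string, error) {
	gcm, err := s.aead(targetSA)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, plaintext, []byte(targetSA))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// Decrypt enforces the permission model: a user is refused outright, and a pod
// can only open ciphertext that was produced for its own service account.
func (s *Server) Decrypt(c Caller, encoded string) ([]byte, error) {
	if !c.IsPod || c.ServiceAccount == "" {
		return nil, errors.New("decrypt: only a pod with a service-account token may decrypt")
	}
	sealed, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, err
	}
	gcm, err := s.aead(c.ServiceAccount)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("decrypt: ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(c.ServiceAccount))
	if err != nil {
		// Wrong key or wrong additional data: this secret belongs to another application.
		return nil, errors.New("decrypt: ciphertext was not encrypted for this service account")
	}
	return pt, nil
}

func main() {
	srv := NewServer([]byte("constructed-master-key-for-example")) // constructed value
	ct, _ := srv.Encrypt("payments:api", []byte("db-password"))
	fmt.Println("safe to commit to git:", ct)

	_, err := srv.Decrypt(Caller{IsPod: false}, ct)
	fmt.Println("user decrypt:", err)
	pt, _ := srv.Decrypt(Caller{IsPod: true, ServiceAccount: "payments:api"}, ct)
	fmt.Println("owning pod decrypt:", string(pt))
	_, err = srv.Decrypt(Caller{IsPod: true, ServiceAccount: "payments:other"}, ct)
	fmt.Println("other pod decrypt:", err)
}
```

The point of the design is that the encrypted value in the manifest carries no usable information for anyone who can read the repository, and that moving the master key into a KMS (as the slides describe) does not change the model: the service still decides, per request, whether the presented service-account identity matches the one the ciphertext was made for.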

Slide 29

Slide 29 text

Templating Support

Slide 30

Slide 30 text

KamusSecret

Slide 31

Slide 31 text

Storing a Reference Only

Slide 32

Slide 32 text

External Secret
https://github.com/godaddy/kubernetes-external-secrets

Slide 33

Slide 33 text

Wrapping Up

Slide 34

Slide 34 text

Diagram: A GitOps Deployment – Code, Manifests Files, Secret. (Kubernetes icons source: Kubernetes Community, Apache 2 license.)

Slide 35

Slide 35 text

Solutions
● Kubernetes Secret (?)
● Sealed Secret
● External Secret
● Kamus

Slide 36

Slide 36 text

How do we keep a secret?

Slide 37

Slide 37 text

Thank You @omerlh