Slide 1: Hands-on with Vault on Kubernetes

O’Reilly OSCON, July 16, 2019
© 2018 HashiCorp

Slide 2: Your Facilitators

▪ Anubhav Mishra (@build1point0)
▪ Rosemary Wang (@joatmon08)
▪ Developer Advocates from HashiCorp

Slide 3: Objectives

▪ Explain why Vault on Kubernetes
▪ Deploy a Vault cluster on Kubernetes.
  – Set up for high availability
  – Demonstrate (some) production hardening approaches
▪ Retrieve secrets from Vault for an application.
  – Dynamic retrieval
  – Native Kubernetes integrations

Slide 4: A Quick Introduction: Kubernetes

Slide 5: What is Kubernetes?

Orchestrates, organizes, and manages containers.
▪ Resource Definitions extend the Kubernetes API
▪ Definitions specified in JSON or YAML
▪ Consists of master and node architecture

Slide 6: Architecture

Slide 7: Useful Constructs

Pods are groupings of containers, volumes, and networking.
Deployment maintains the desired number of application pods.
StatefulSet provides sticky identity for pods that require some preservation of state.
DaemonSet deploys a pod per node.

Slide 8: Kubernetes Secrets

Encoded but stored in plaintext, with little access control or management. Need a secrets manager. Options include:
▪ Public Cloud Key Management Service
▪ HashiCorp Vault

Slide 9: A Quick Introduction: Vault

Slide 10: What is Vault?

Manages secrets and protects sensitive data.
▪ Secure, store, and control access
▪ For tokens, passwords, certificates, and encryption keys
▪ Has a UI, CLI, and HTTP API

Slide 12: Why on Kubernetes?

▪ Alternative to plaintext secrets
▪ Distributed
▪ Declarative policies for access control
▪ Eases Vault cluster lifecycle management
▪ Manages secrets lifecycle (rotation, revocation)
▪ Can be sidecar for application (lower latency)

Slide 13: Consider...

▪ Multi-tenancy?
▪ Container security measures?
▪ Manual vs. Automation

Slide 14: Important Vault Concepts

Slide 15: Secret

▪ A secret is anything used for authentication and authorization
  – Tokens
  – Passwords
  – Certificates
▪ Sensitive data is anything that is confidential
  – SSN, credit card, email, PII, etc.

Slide 16: Seal

When starting, Vault is sealed.
▪ This keeps data encrypted with a master key.
▪ The master key is split into shards using Shamir’s Secret Sharing algorithm.

Slide 17: Unseal

To retrieve secrets, we need to unseal Vault.
▪ This means reconstructing the master key.
▪ Enough shards are needed in order to unseal properly.
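The shard splitting and reconstruction behind the Seal and Unseal slides, as an added example that is not part of the workshop material. It uses a large prime field for clarity, whereas Vault splits the key byte-wise over GF(2^8); the 5-shard / 3-threshold parameters and the random "master key" are constructed for the demonstration.

```python
import secrets

# Field modulus. Vault splits each key byte over GF(2^8); a large prime field is
# used here instead for clarity (an assumption of this example, not Vault's code).
PRIME = 2**127 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (coeffs[0] is the constant term) at x, mod PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret, shares, threshold):
    """Split `secret` into `shares` shards; any `threshold` of them rebuild it.
    The secret is the constant term of a random polynomial of degree
    threshold - 1, and each shard is one point (x, f(x)) on that curve."""
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must lie in the field")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def combine_shares(shards):
    """Recover f(0) by Lagrange interpolation through the given (x, y) points.
    With fewer than `threshold` shards this still returns a number, but not the
    secret: the caller enforces the threshold, as Vault does before unsealing."""
    total = 0
    for i, (xi, yi) in enumerate(shards):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shards):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def unseal_demo():
    """Constructed run: a random 'master key' split 5 ways with threshold 3."""
    master_key = secrets.randbelow(PRIME)
    shards = split_secret(master_key, shares=5, threshold=3)
    enough = combine_shares(shards[2:5]) == master_key   # 3 shards: unseals
    too_few = combine_shares(shards[:2]) == master_key   # 2 shards: does not
    return enough, too_few
```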

Slide 18: Lease, Renew, & Revoke

We mitigate the attack surface with ephemerality.
▪ Data has a Time to Live (TTL), listed in a lease.
▪ After the TTL has expired…
  – Lessee must renew
  – OR Vault automatically revokes by invalidating the secret

Slide 19: Tokens

Authenticates an identity.
▪ Can have dynamic tokens created from auth methods.
▪ One or more policies can be attached to tokens.
▪ There is a root token, the one token to rule them all. USE WITH CAUTION.

Slide 20: Policies

Declaratively grants or forbids access to paths and operations.

path "secret/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

Slide 21: Getting Started

Slide 22: Why are we using GCP?

Material is mostly cloud provider agnostic.
▪ Need easy way to get (larger) Kubernetes clusters
▪ Variations in workstations = tough for workshops
▪ Auto-unseal requires key management service
Credit to Seth Vargo’s workshop for Vault on GKE.

Slide 23: Disclaimer

Patterns in this workshop can be extended or dismissed. The material in this workshop requires additional work for complete production hardening (such as a process for revoking the root token).

Slide 24: Pre-Flight Checklist

Go to https://console.cloud.google.com
▪ Google Cloud Platform account?
▪ Project with Owner access?
▪ Google Cloud Shell?

Slide 25: Workshop

Slide 26: Repository

hashi.co/oscon-workshop (Instructions in README.md.)

Slide 28: Thank you!

Mishra (@build1point0) & Rosemary (@joatmon08)
https://github.com/hashicorp/hands-on-with-vault-on-kubernetes