
Sharing Secrets in a Container World

Christian Heimes

January 27, 2017
Transcript

  1. Sharing Secrets in a Container World, DevConf.CZ 2017: Agenda

    • Introduction
    • Design of Custodia
    • Custodia for Containers
    • Integration examples
    • Future interoperability
    • Questions
  2. Custodia

    Definition according to Wiktionary:
    Latin
    • protection, safekeeping
    • custody, guardianship
    English
    • care (concern, responsibility)
    • pyx (box)
      ◦ housing of a ship’s compass
      ◦ container for consecrated bread
  3. What is Custodia?

    • Technology (not yet a product)
    • Secrets-as-a-Service API
      ◦ Existing solutions push secrets to the client
      ◦ Custodia clients actively request secrets from a service
    • Secrets transport and routing layer definition
    • Pluggable authentication and authorization
    • Reference implementation in Python
  4. What is Custodia not?

    • Custodia is not intended to replace CoreOS etcd, OpenStack Barbican, Hashicorp Vault etc.
    • Custodia is not a secrets storage server
      ◦ it is an adapter to existing solutions
    • Custodia is not limited to containers
    • Custodia is not just a proof of concept: it is used in FreeIPA / Red Hat IdM
  5. Threat analysis results

    • No secrets on the file system
      ◦ config files, tmpfs, /proc/PID/environ
    • Strong encryption at rest and in transit
    • End-to-end encryption
    • Reduce access and exposure
    • Audit logs
    • Key rotation (PCI-DSS compliance)
  6. Design principles

    • Applications request secrets (active pull)
    • Use standard protocols and data formats
    • Make it easy to write clients, servers, and plugins
    • Simple integration
    • Flexible (authentication, authorization, storage)
    • Extensible:
      ◦ Generate secrets on demand
      ◦ Network HSM
      ◦ Notification API
  7. Building blocks

    • HTTP REST API
      ◦ HTTPS, HTTP over Unix socket
    • JSON
      ◦ optionally JOSE for key encapsulation
    • Storage layer abstraction
      ◦ FreeIPA Vault, sqlite, etcd, encrypted overlay
    • Pluggable authentication and authorization
      ◦ GSSAPI, TLS client certs, SO_PEERSEC / SO_PEERCRED
    • Transparent routing and forwarding based on URL
      ◦ Load balancing, separation of tenants
  8. Benefits

    • Simple interface for developers (API)
    • Decoupled layers give flexibility
    • Configuration and policies are moved to the infrastructure
      ◦ Let ops take care of secrets
    • Vendor-agnostic management and storage
      ◦ Standardization in progress!
  9. Authentication?

    Let’s inject a secret token into every container! ...not
  10. CURL your secrets

    $ curl \
        --unix-socket /var/run/custodia.sock \
        http://localhost/secrets/container/key
    {"type":"simple","value":"secret value"}
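The same request from Python, as an added example that is not part of the deck or of the Custodia code base: an http.client connection that dials the Unix socket, a fetcher that accepts only the {"type":"simple",...} document shown on the slide, and a constructed in-memory stand-in for the daemon so the exchange can be run offline (the socket path, key and value are taken from the slide; the stand-in server is an assumption of this example).

```python
import http.client, json, os, socket, socketserver, tempfile, threading
from http.server import BaseHTTPRequestHandler

class UnixHTTPConnection(http.client.HTTPConnection):
    """http.client connection that dials an AF_UNIX path instead of host:port."""
    def __init__(self, sock_path):
        super().__init__("localhost")  # only used for the Host header
        self.sock_path = sock_path
    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.sock_path)

def fetch_secret(sock_path, key):
    """GET /secrets/<key> over the socket and return the value of a 'simple' secret."""
    conn = UnixHTTPConnection(sock_path)
    try:
        conn.request("GET", "/secrets/" + key)
        resp = conn.getresponse()
        if resp.status != 200:
            raise LookupError(f"{key}: HTTP {resp.status}")
        body = json.loads(resp.read())
    finally:
        conn.close()
    if body.get("type") != "simple":
        raise ValueError(f"{key}: unexpected secret type {body.get('type')!r}")
    return body["value"]

class _DemoHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the Custodia daemon; serves an in-memory dict."""
    secrets = {"container/key": "secret value"}
    def do_GET(self):
        value = self.secrets.get(self.path.removeprefix("/secrets/"))
        body = json.dumps({"type": "simple", "value": value}) if value else ""
        self.send_response(200 if value else 404)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body.encode())
    def log_message(self, *args):
        pass  # AF_UNIX peers carry no address; the default logger would index it

def demo(key):
    """Serve the constructed store on a temporary socket and fetch one key through it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "custodia.sock")
        server = socketserver.UnixStreamServer(path, _DemoHandler)
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            return fetch_secret(path, key)
        finally:
            server.shutdown()
            server.server_close()
```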
  11. Unix sockets to the rescue!

    • Run Custodia in the host PID namespace
    • Mount the Unix socket into containers
    • getsockopt() SO_PEERCRED: PID, effective UID, effective GID
    • getsockopt() SO_PEERSEC: SELinux process label (sVirt)
    • /proc/PID/cgroup: get the Docker container ID
    • Ask the Docker daemon for metadata (Kubernetes pod definition)
    • Future: introduce a proper API (auditd container id?)
    Dangerous Hack!
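The host-side identification steps above, as an added example (not code from the deck or from Custodia): SO_PEERCRED and SO_PEERSEC come from the kernel, while the container id is inferred by reading /proc/PID/cgroup, which is the part the slide flags as a hack because the pid can be recycled between getsockopt() and the read and the cgroup layout is not a stable interface. The cgroup v1 "/docker/<id>" path layout and the sample cgroup content are assumptions of this example; SO_PEERSEC's numeric value 31 is the generic Linux one.

```python
import os
import socket
import struct

# struct ucred on Linux: pid_t pid, uid_t uid, gid_t gid, three native C ints
_UCRED = struct.Struct("3i")
# Python's socket module has no SO_PEERSEC; 31 is the generic Linux value (asm-generic/socket.h)
_SO_PEERSEC = getattr(socket, "SO_PEERSEC", 31)

def peer_credentials(conn):
    """Kernel-supplied (pid, uid, gid) of the process at the other end of an AF_UNIX socket."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, _UCRED.size)
    return _UCRED.unpack(raw)

def peer_selinux_label(conn):
    """SELinux context of the peer via SO_PEERSEC, or None when the kernel has no label for it."""
    try:
        raw = conn.getsockopt(socket.SOL_SOCKET, _SO_PEERSEC, 256)
    except OSError:  # ENOPROTOOPT on a kernel without an LSM label
        return None
    return raw.rstrip(b"\x00").decode() or None

def container_id_from_cgroup(cgroup_text):
    """Docker id from /proc/PID/cgroup lines 'hierarchy:controllers:/docker/<id>' (cgroup v1 layout assumed)."""
    for line in cgroup_text.splitlines():
        parts = line.split(":", 2)
        if len(parts) == 3 and parts[2].startswith("/docker/"):
            return parts[2][len("/docker/"):]
    return None

def client_identity(conn, read_cgroup=lambda pid: open(f"/proc/{pid}/cgroup").read()):
    """What a host-side Custodia learns about a connecting process: creds from the kernel,
    container id inferred from /proc (only as trustworthy as that pid-based lookup)."""
    pid, uid, gid = peer_credentials(conn)
    try:
        cgroup = read_cgroup(pid)
    except OSError:
        cgroup = ""
    return {"pid": pid, "uid": uid, "gid": gid, "selinux": peer_selinux_label(conn),
            "container_id": container_id_from_cgroup(cgroup)}
# Constructed /proc/PID/cgroup content; the 64-hex id is made up for the example.
SAMPLE_CGROUP = "12:memory:/docker/" + "0123456789abcdef" * 4 + "\n1:name=systemd:/user.slice\n"
def self_check():
    """Over a socketpair the kernel must report our own pid/uid/gid for the peer."""
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        ident = client_identity(b, read_cgroup=lambda pid: SAMPLE_CGROUP)
    finally:
        a.close(); b.close()
    return (ident["pid"], ident["uid"], ident["gid"]) == (os.getpid(), os.getuid(), os.getgid())
```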
  12. Kubernetes master: architecture diagram

    [Architecture diagram: Container, Application, Custodia and Key Store components]
    Integration on the system over a local socket:
    • host
    • kubelet
    • VM
  13. Delegation – ‘software HSM’

    • digest auth
    • PKCS#11
    • ssh-agent
    • gpg-agent
  14. Config parser integration

    • INI parser

        user = client
        password = ${CUSTODIA:container/key}

    • YAML parser

        user: client
        password: !custodia container/key
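The INI variant above, as an added example (not the deck's or Custodia's own parser plugin): a configparser Interpolation that resolves ${CUSTODIA:<key>} through a fetcher only when the option is read, so the parsed configuration and anything written back with ConfigParser.write() still hold the reference rather than the secret, in line with the "no secrets on the file system" goal. The [db] section name and the in-memory fetcher are assumptions of this example.

```python
import configparser
import io
import re

class CustodiaInterpolation(configparser.Interpolation):
    """Resolve ${CUSTODIA:<key>} when an option is read by calling a fetcher.
    The stored value keeps the reference, so the secret is never part of the parsed
    config and never reaches a file written back with ConfigParser.write()."""
    _ref = re.compile(r"\$\{CUSTODIA:([^}]+)\}")

    def __init__(self, fetch):
        self._fetch = fetch  # callable key -> value, e.g. a Custodia client

    def before_get(self, parser, section, option, value, defaults):
        return self._ref.sub(lambda m: self._fetch(m.group(1)), value)

def load_config(text, fetch):
    """Parse INI text whose values may reference Custodia keys."""
    parser = configparser.ConfigParser(interpolation=CustodiaInterpolation(fetch))
    parser.read_string(text)
    return parser

def dump(parser):
    """Serialize the way ConfigParser.write() does; references, not secrets, come out."""
    buf = io.StringIO()
    parser.write(buf)
    return buf.getvalue()

# Constructed INI fragment in the slide's syntax; the section name is an assumption.
SAMPLE_INI = """[db]
user = client
password = ${CUSTODIA:container/key}
"""

def constructed_fetch(key):
    """Stand-in for a Custodia client: an in-memory store with one made-up entry."""
    store = {"container/key": "secret value"}
    if key not in store:
        raise KeyError(f"no such secret: {key}")
    return store[key]
```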
  15. Docker credential store

    The docker command calls docker-store-custodia, which connects to the Custodia daemon over the Unix socket and fetches the secret.

    $ cat > ~/.docker/config.json << EOF
    {"credsStore": "custodia"}
    EOF
  16. Legacy support: Kubernetes env vars

    Kubernetes secret injected by the platform:

        spec:
          containers:
          - name: myapp
            command:
            - /bin/myapp
            env:
            - name: PASSWORD
              valueFrom:
                secretKeyRef:
                  name: appsecret
                  key: password
          volumes:
          - name: appsecret
            secret: ...

    Same application, secret fetched through Custodia by a wrapper at start-up:

        spec:
          containers:
          - name: myapp
            command:
            - /var/run/custodia/gustodia
            - /bin/myapp
            env:
            - name: SECRET_PASSWORD
              value: myapp/password
          volumes:
          - name: custodia
            hostPath: ...
  17. Custodia integration plans

    • Java KeyStore provider (java.security.KeyStore)
    • SecretService / libsecret provider
      ◦ Gnome / KDE keyring API on the system DBUS on servers
    • OpenStack oslo.config
    • PKCS #11 / PKCS #12 provider
      ◦ private keys for OpenSSL (Apache mod_ssl), SSH, ...
    • Ansible Tower
    • CloudForms
  18. Storage: FreeIPA Vault & Dogtag PKI

    • Dogtag PKI KRA (key recovery agent)
    • LDAP storage with 389-DS master-master replication and replication topology
    • Encrypted in transit and on disk, optional support for an HSM (hardware security module)
    • GSSAPI / Kerberos authentication
    • Central access control (e.g. HBAC)
    • Signed, tamper-proof audit log
  19. Questions?

    • https://github.com/latchset/custodia
    • https://github.com/latchset (plugins, demos, and more)
    • https://custodia.readthedocs.io/
    • Christian Heimes <[email protected]> @ChristianHeimes
    • Simo Sorce <[email protected]>