London HUG 19/5 - Kubernetes and Vault

Kubernetes and Vault @ipedrazas

Upload: london-hashicorp-user-group

Post on 21-Jan-2017

TRANSCRIPT

Sense and Sensibility

Secret vs Sensitive

It's not about security, it's about perception.

What is Kubernetes

Kubernetes is an open-source system for automating deployment, operations, and scaling of containerized applications.

Kubernetes automates deployment, operations, and scaling of applications.

Pods, Replica Sets, Services, Secrets, Namespaces, Deployments, DaemonSets, Jobs, ...

Pods: groups of containers that share an IP and filesystem

Replica Sets: control the number of pods

Services: access to Pods

Why Vault?

● How do applications get secrets?
● How do operators and developers get secrets?
● How do secrets get renewed? Updated? Expired? Revoked?
● How do we block access to secrets?

Vault provides
● Single source for secrets
● Access via API
● Access via CLI
● Leasing, renewal and revocation
● Auditing
● ACLs
● Multiple client authentication methods
● Secure secret storage

Vault Concepts

● Auth backends
  ○ Tokens
  ○ LDAP
  ○ AppId
  ○ GitHub

● Secret backends
  ○ PKI
  ○ AWS
  ○ Postgres
  ○ SSH
  ○ ...

...

But… wait!

Kubernetes has SECRETS!

WHY DO YOU NEED BOTH?????

It’s about people!

Ivan

I like to make things

design

make

build

fix

@ipedrazas

DevOps @ Sendachi / Contino

What are we going to see tonight?

Thing is… when building something...

Quality is not only how good it is,

it’s how usable it is

Secrets

The problem is not how to separate

Applications & Secrets

The problem is how to manage them...

SEPARATELY

Storing

Managing

Renewing

Secrets...

Process, anyone?

The process says CLEARLY… DO NOT COMMIT SECRETS

Next slide contains the secret demo

MongoDB Example
● RC (ReplicationController) with 2 containers
  ○ MongoDB container: vanilla mongo with AUTH and SSL flags
  ○ Vault-sidekick container: in charge of fetching/renewing SSL certs

1. A container runs your application
2. A container fetches your secrets from Vault.

Application - POD

This is what you should do
1. Create a policy for your app
2. Create a Kubernetes namespace for your app
3. Create a Kubernetes secret with your Vault token
4. Add your secrets to Vault
5. Pod starts
  a. Secrets are mounted
  b. Pod reads the Vault token
  c. Pod accesses Vault to get its secrets
  d. Pod is ready
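The MongoDB example and the five-step procedure above, as one added shell script. This is example code written for this page, not the talk's or vault-sidekick's own code: a plain `vault` loop in the sidecar stands in for vault-sidekick, a bare Pod stands in for the talk's ReplicationController, and the names (mongodb, the secret/mongodb/... paths, the vault-token secret, mongo:4.0) are illustrative. It assumes a current Vault CLI (`vault policy write`, `vault token create`; the 2017-era CLI spelled these policy-write and token-create), a KV engine mounted at secret/, VAULT_ADDR and an operator VAULT_TOKEN exported in the shell, kubectl pointed at the target cluster, and a cert+key PEM for MongoDB in mongo.pem issued out of band.

```shell
#!/bin/sh
# Added example for this page, not the talk's code. Assumes: current Vault
# CLI, KV engine at secret/, VAULT_ADDR + operator VAULT_TOKEN exported,
# kubectl aimed at the cluster, mongo.pem (cert+key) issued out of band.
# All names below are illustrative.
set -eu

APP="${APP:-mongodb}"
NS="${NS:-$APP}"
VAULT_ADDR="${VAULT_ADDR:-http://vault:8200}"

# Step 1. Policy for the app: read-only on its own subtree plus renew/lookup
# of its own token. No list, no write, nothing outside secret/<app>/.
vault_policy_hcl() {
  cat <<EOF
path "secret/$1/*" {
  capabilities = ["read"]
}
path "auth/token/renew-self" {
  capabilities = ["update"]
}
path "auth/token/lookup-self" {
  capabilities = ["read"]
}
EOF
}

# Step 5. The pod. The Vault token arrives as a mounted Kubernetes secret
# (read-only); the sidecar (standing in for vault-sidekick) fetches into a
# RAM-backed emptyDir and MongoDB starts only once the files exist.
pod_manifest() {
  app="$1"; ns="$2"
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: $app
  namespace: $ns
spec:
  volumes:
  - name: vault-token
    secret: { secretName: vault-token }
  - name: secrets
    emptyDir: { medium: Memory }
  containers:
  - name: vault-sidecar
    image: hashicorp/vault
    env: [ { name: VAULT_ADDR, value: "$VAULT_ADDR" } ]
    command: ["/bin/sh", "-c"]
    args:
    - |
      export VAULT_TOKEN="\$(cat /var/run/vault/token)"
      # replace a file only after a successful read: if Vault is down the
      # last good copy stays in place until the token TTL runs out
      fetch() { vault kv get -field="\$1" "secret/$app/\$2" > "/secrets/\$3.tmp" \\
                && mv "/secrets/\$3.tmp" "/secrets/\$3"; }
      while :; do
        fetch pem tls mongo.pem
        fetch password db db_password
        vault token renew > /dev/null
        sleep 1800
      done
    volumeMounts:
    - { name: vault-token, mountPath: /var/run/vault, readOnly: true }
    - { name: secrets, mountPath: /secrets }
  - name: mongodb
    image: mongo:4.0
    env:
    - { name: MONGO_INITDB_ROOT_USERNAME, value: admin }
    - { name: MONGO_INITDB_ROOT_PASSWORD_FILE, value: /secrets/db_password }
    command: ["/bin/sh", "-c"]
    args:
    - |
      until [ -s /secrets/mongo.pem ] && [ -s /secrets/db_password ]; do sleep 1; done
      exec docker-entrypoint.sh mongod --auth --sslMode requireSSL \\
        --sslPEMKeyFile /secrets/mongo.pem
    volumeMounts:
    - { name: secrets, mountPath: /secrets, readOnly: true }
EOF
}

# Steps 1-5 against a live Vault and cluster: policy, namespace, a token that
# carries only that policy (plus default) and a TTL, the token as a Kubernetes
# secret, the secrets themselves, then the pod.
apply() {
  vault_policy_hcl "$APP" | vault policy write "$APP" -
  kubectl create namespace "$NS"
  token="$(vault token create -policy="$APP" -ttl=24h -renewable=true -field=token)"
  kubectl -n "$NS" create secret generic vault-token --from-literal=token="$token"
  vault kv put "secret/$APP/db" password="$(openssl rand -base64 24)"
  vault kv put "secret/$APP/tls" pem=@mongo.pem
  pod_manifest "$APP" "$NS" | kubectl apply -f -
}

# Only touch Vault/Kubernetes when asked; the functions above are pure.
case "${1:-}" in apply) apply ;; esac
```

Run it as `sh vault-k8s.sh apply` (the file name is illustrative). The policy is the security-relevant part: the token that lands in the cluster can read one subtree and renew itself, nothing more, and it carries a TTL, so a leaked vault-token secret has bounded reach. The sidecar's `fetch` only replaces a file after a successful read, which is one answer to the "what happens if you lose Vault?" question from the lessons learned: an outage leaves the last good secret in place until the token expires, rather than handing MongoDB an empty file.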

THEORY

We can only see a short distance ahead, but we can see plenty that needs to be done.

- Alan Turing

Lessons Learned
● Vault is young… not ready for full automation
● Deploys
  ○ Separating secrets and apps is great
  ○ Make sure your process takes Vault into account
● Backends: consul, dynamo, etcd, s3...
  ○ What happens if you lose Vault?
  ○ Latency/partitions
● Managing SSL is great but…
  ○ Be careful with root CAs

QUESTIONS?