your (container) secret's safe with me

Copyright @ 2017 Aqua Security Software Ltd. All Rights Reserved.

Your secret’s safe with me. Liz Rice, @LizRice | @AquaSecTeam

Upload: liz-rice

Post on 21-Jan-2018

TRANSCRIPT

Page 1: Your (container) secret's safe with me

Your secret’s safe with me

Liz Rice

@LizRice | @AquaSecTeam

Page 2: Your (container) secret's safe with me

Secrets

Page 3: Your (container) secret's safe with me

Desirable attributes for secrets management

Page 4: Your (container) secret's safe with me

Secrets

photo: Katie Tegtmeyer

■ Encrypted
■ At rest and in transit
■ Only decrypted in memory

Page 5: Your (container) secret's safe with me

Secrets

photo: James Case

■ Access control
■ Only accessible by containers that need them
■ And users
■ Write-only access

Page 6: Your (container) secret's safe with me

Secrets

photo: Irena Jackson

■ Life-cycle
■ Risk of leak increases over time
■ Rotation, revocation, audit logging

Page 7: Your (container) secret's safe with me

Passing secrets to containers

Page 8: Your (container) secret's safe with me

Bad places for secrets

■ Source code
■ Dockerfiles / images

Page 9: Your (container) secret's safe with me

Environment variables

docker run -e VARNAME=secret ...

Page 10: Your (container) secret's safe with me

Mounted volume

docker run -v /hostsecrets:/secrets ...
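The "bad places" on slide 8 (source code, Dockerfiles and images) and the `docker run -e` pattern on slide 9 can be checked for mechanically. What follows is an added example, not code from the talk or from Aqua: a small linter over a Dockerfile and over the `Config.Env` list that `docker inspect` prints, flagging credential-looking variable names, copied key files and credentials embedded in `RUN` command lines. The sample Dockerfile and environment list are constructed, and the name and file patterns are assumptions to tune for your own estate.

```python
import re

# Constructed sample Dockerfile (not from the talk). It bakes secrets into the image
# in the ways slide 8 warns about: ARG/ENV defaults, a copied private key, and a
# credential in a RUN command line.
SAMPLE_DOCKERFILE = """\
FROM python:3.11-slim
ARG DB_PASSWORD=hunter2
ENV API_TOKEN=sk_live_abc123
ENV LOG_LEVEL=info
COPY id_rsa /root/.ssh/id_rsa
COPY app/ /app/
RUN curl -u admin:letmein https://internal.example/config > /app/config
CMD ["python", "/app/main.py"]
"""

# Constructed sample of Config.Env as `docker inspect` prints it for a container
# started with `docker run -e VARNAME=secret ...` (slide 9): anyone who can talk
# to the Docker daemon can read these values.
SAMPLE_INSPECT_ENV = ["PATH=/usr/local/bin:/usr/bin", "VARNAME=secret", "DB_PASSWORD=hunter2"]

# Variable names that usually hold credentials (assumed list; extend for your estate).
SECRET_NAME = re.compile(r"(PASS(WORD|WD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIAL)", re.I)
# Files that are almost always private key material.
KEY_FILE = re.compile(r"(id_rsa|id_ed25519|\.pem|\.key|\.p12|\.pfx)$", re.I)
# `-u user:pass` or `scheme://user:pass@host` inside RUN lines.
INLINE_CRED = re.compile(r"(-u\s+\S+:\S+|://[^\s/:@]+:[^\s/@]+@)")


def _assignments(rest):
    """Split the operand of ENV/ARG into (name, value) pairs; both `K=V K2=V2` and
    the older `ENV K V` form are accepted."""
    if "=" in rest:
        return re.findall(r"(\S+?)=(\S*)", rest)
    kv = rest.split(None, 1)
    return [(kv[0], kv[1] if len(kv) > 1 else "")] if kv else []


def lint_dockerfile(text):
    """Return (line_no, instruction, reason) for each line that would leave a secret
    in the image. ARG/ENV values, COPY'd files and RUN command lines are all kept in
    image layers and metadata and are shown by `docker history` / `docker inspect`."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, rest = line.partition(" ")
        instr = instr.upper()
        if instr in ("ENV", "ARG"):
            for name, value in _assignments(rest):
                if value and SECRET_NAME.search(name):
                    findings.append((no, instr, f"{name} is set to a literal value"))
        elif instr in ("COPY", "ADD"):
            for src in rest.split()[:-1]:          # every operand but the destination
                if KEY_FILE.search(src):
                    findings.append((no, instr, f"{src} is copied into an image layer"))
        elif instr == "RUN" and INLINE_CRED.search(rest):
            findings.append((no, instr, "credential embedded in the command line"))
    return findings


def find_secret_env(env):
    """Names in a `docker inspect` Config.Env list that look like credentials."""
    return [e.split("=", 1)[0] for e in env if SECRET_NAME.search(e.split("=", 1)[0])]


if __name__ == "__main__":
    for no, instr, reason in lint_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {no}: {instr}: {reason}")
    print("credential-like env vars:", find_secret_env(SAMPLE_INSPECT_ENV))
```

On the sample, lines 2, 3, 5 and 7 are reported; `LOG_LEVEL` and the application `COPY` are not. Running the same linter in CI before `docker build` catches the Dockerfile cases; `find_secret_env` over `docker inspect --format '{{json .Config.Env}}'` output catches the `-e` case on running containers.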

Page 11: Your (container) secret's safe with me

Orchestrator support for secrets

Page 12: Your (container) secret's safe with me

Docker

■ Secrets support built in for Docker Swarm services
■ Not standalone containers
■ Secret accessible when exposed to service
■ Mounted to a temporary fs (not env vars)
■ RBAC in Enterprise Edition
■ Rotation requires container restart

Page 13: Your (container) secret's safe with me

Docker

■ Encrypted in Raft log
■ Lock your Swarm!!
■ Shared to Swarm managers
■ External secrets stores coming
■ Encrypted transmission with mutual authentication

Page 14: Your (container) secret's safe with me

Kubernetes secrets

■ Secret configured in pod YAML
■ Mounted as a volume or configured as env var
■ Namespaced

Page 15: Your (container) secret's safe with me

Kubernetes secrets

■ Stored in etcd
■ Make sure secrets are encrypted!
■ --experimental-encryption-provider-config on API Server

Page 16: Your (container) secret's safe with me

Kubernetes secrets

kind: EncryptionConfig
apiVersion: v1
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: bXlWZXJ5U2VjcmV0RW5jcnlwdGlvbktleQo=
      - identity: {}
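Two checks a practitioner would run around this EncryptionConfig, as an added example that is not from the talk or from Kubernetes itself: validate an `aescbc` key entry before restarting the API server with it, and classify a raw value read from etcd by the `k8s:enc:<provider>:v1:<keyname>:` prefix that objects written through an encrypting provider carry. The key value is the one on the slide; the etcd byte strings are constructed. AES accepts only 16, 24 or 32-byte keys, and the slide's value decodes to 26 bytes (`myVerySecretEncryptionKey` plus a newline), so it fails this check; generate real keys with `head -c 32 /dev/urandom | base64`. In current releases the API server flag is `--encryption-provider-config` (the `--experimental-` prefix was dropped).

```python
import base64
import os
import re

# The key entry from slide 16 (the value only; the surrounding YAML is not repeated).
SLIDE_KEY_B64 = "bXlWZXJ5U2VjcmV0RW5jcnlwdGlvbktleQo="

AES_KEY_SIZES = (16, 24, 32)   # byte lengths AES-128/192/256 accept


def encode_key(raw):
    """Base64 a raw key the way the `secret:` field expects it."""
    return base64.b64encode(raw).decode("ascii")


def generate_aescbc_key():
    """A fresh 32-byte key (what `head -c 32 /dev/urandom | base64` produces)."""
    return encode_key(os.urandom(32))


def check_aescbc_key(key_b64):
    """Return (ok, message) for one `secret:` value under an aescbc provider.
    kube-apiserver builds an AES cipher from the decoded bytes, so a key of any
    other length stops the API server from starting."""
    try:
        raw = base64.b64decode(key_b64, validate=True)
    except ValueError:                       # binascii.Error is a ValueError
        return False, "secret is not valid base64"
    if len(raw) not in AES_KEY_SIZES:
        return False, f"decoded key is {len(raw)} bytes, must be one of {AES_KEY_SIZES}"
    body = raw.rstrip(b"\r\n")
    # A printable passphrase with a trailing newline means someone ran `echo ... | base64`
    # instead of generating random bytes; random keys are not flagged here.
    if len(body) != len(raw) and body.isascii() and body.decode("ascii").isprintable():
        return False, "looks like a passphrase with a trailing newline (piped through echo?)"
    return True, "ok"


# Prefix written in front of every object stored through an encrypting provider.
ENC_PREFIX = re.compile(rb"^k8s:enc:(aescbc|aesgcm|secretbox|kms):v1:([^:]+):")


def classify_etcd_value(raw):
    """Classify bytes read from etcd at /registry/secrets/<namespace>/<name>.
    Returns ("encrypted", provider, keyname) or ("plaintext", None, None); with only
    the identity provider configured the stored object is readable as-is."""
    m = ENC_PREFIX.match(raw)
    if m:
        return "encrypted", m.group(1).decode("ascii"), m.group(2).decode("ascii")
    return "plaintext", None, None


# Constructed samples of what etcdctl returns; the ciphertext bytes are made up.
SAMPLE_ENCRYPTED = b"k8s:enc:aescbc:v1:key1:" + bytes(range(16))
SAMPLE_PLAINTEXT = b"k8s\x00\n\x0c\n\x02v1\x12\x06Secret"

if __name__ == "__main__":
    print("slide key:", check_aescbc_key(SLIDE_KEY_B64))
    print("generated key:", check_aescbc_key(generate_aescbc_key()))
    print(classify_etcd_value(SAMPLE_ENCRYPTED), classify_etcd_value(SAMPLE_PLAINTEXT))
```

Provider order matters: the first provider in the list is used for writes and every listed provider is tried for reads, so `identity: {}` last keeps secrets written before encryption was enabled readable. Those old secrets stay in plaintext until they are rewritten, which the Kubernetes documentation does with `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`; `classify_etcd_value` over the raw etcd entries is how you confirm none are left.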

Page 17: Your (container) secret's safe with me

Secrets all the way down

■ EncryptionConfig holds a secret key...

xkcd.com/1416

Page 18: Your (container) secret's safe with me

Kubernetes secrets access

■ RBAC can be turned on: --authorization-mode=RBAC

# This role binding allows "dave" to read secrets in the "development" namespace.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: read-secrets
  namespace: development # This only grants permissions within the "development" namespace.
subjects:
- kind: User
  name: dave
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io
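The binding above grants a ClusterRole through a RoleBinding, which is the idiom for reusing one role definition while scoping it to a single namespace. The following is an added example, not the Kubernetes authorizer: a toy RBAC model just complete enough to show what `read-secrets` does and does not allow. The `secret-reader` ClusterRole is not on the slide, so its rules here are assumed (they match the secret-reader example in the Kubernetes documentation), and the `auditor` binding is added for contrast. Note that `rbac.authorization.k8s.io/v1beta1`, as shown on the slide, was removed in Kubernetes 1.22; current manifests use `rbac.authorization.k8s.io/v1`.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    api_groups: Tuple[str, ...]   # "" is the core API group, where secrets live
    resources: Tuple[str, ...]
    verbs: Tuple[str, ...]


@dataclass(frozen=True)
class Role:                       # models a Role or ClusterRole: a named set of rules
    name: str
    rules: Tuple[Rule, ...]


@dataclass(frozen=True)
class Binding:
    subjects: Tuple[Tuple[str, str], ...]   # (kind, name), e.g. ("User", "dave")
    role: Role
    namespace: Optional[str]                 # str: RoleBinding; None: ClusterRoleBinding


# Assumed definition of the ClusterRole the slide's binding refers to.
SECRET_READER = Role("secret-reader",
                     (Rule(("",), ("secrets",), ("get", "watch", "list")),))

BINDINGS = (
    # slide 18: RoleBinding "read-secrets" in the "development" namespace
    Binding((("User", "dave"),), SECRET_READER, "development"),
    # assumed for contrast: the same ClusterRole bound cluster-wide to "auditor"
    Binding((("User", "auditor"),), SECRET_READER, None),
)


def _matches(rule, api_group, resource, verb):
    return ((api_group in rule.api_groups or "*" in rule.api_groups)
            and (resource in rule.resources or "*" in rule.resources)
            and (verb in rule.verbs or "*" in rule.verbs))


def can_i(bindings, subject, verb, resource, namespace, api_group=""):
    """RBAC is deny-by-default: True only if some binding for this subject reaches
    the namespace and carries a rule allowing the verb on the resource."""
    for b in bindings:
        if subject not in b.subjects:
            continue
        if b.namespace is not None and b.namespace != namespace:
            continue        # a RoleBinding never reaches another namespace
        if any(_matches(r, api_group, resource, verb) for r in b.role.rules):
            return True
    return False


if __name__ == "__main__":
    dave = ("User", "dave")
    for ns in ("development", "production"):
        print(f"dave get secrets in {ns}:", can_i(BINDINGS, dave, "get", "secrets", ns))
    print("dave delete secrets in development:",
          can_i(BINDINGS, dave, "delete", "secrets", "development"))
    print("auditor list secrets in production:",
          can_i(BINDINGS, ("User", "auditor"), "list", "secrets", "production"))
```

Against a real cluster the equivalent question is `kubectl auth can-i get secrets --namespace development --as dave`, which evaluates the live bindings (including groups, service accounts, `resourceNames` and aggregated roles that this toy model leaves out).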

Page 19: Your (container) secret's safe with me

DC/OS

■ Enterprise DC/OS
■ Plug-ins for Mesos/Marathon
■ Encrypted in ZooKeeper
■ Env vars
■ Access control by service path
■ Restart service to update value

Page 20: Your (container) secret's safe with me

Nomad

■ Integrated with Vault
■ Tasks get tokens so they can retrieve values from Vault
■ Poll for changed values
■ Access control

Page 21: Your (container) secret's safe with me

Aqua secrets

■ Any orchestrator
■ Secret storage in 3rd party backend
■ Hashicorp Vault, Amazon KMS, Azure Key Vault, CyberArk Vault...
■ File system & env var support
■ Env vars injected into container process memory
■ Secret can be injected to a tempfs filesystem
■ Update secrets without restart of container
■ Auditing of secret usage
■ Limit access to designated containers
■ User access controls
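Nomad's "poll for changed values" and the "update secrets without restart of container" point above both depend on the application re-reading a mounted secret instead of caching one from an environment variable at start-up. The following is an added example (not from the talk, Nomad, Vault or Aqua) of that pattern: a file-backed secret that is re-read only when its content hash changes, plus an atomic writer for the rotating side. The file paths and values are constructed.

```python
import hashlib
import os
import tempfile


class FileSecret:
    """A secret read from a mounted file (e.g. a tmpfs secrets volume), re-read only
    when the file's content changes. A value captured from os.environ at start-up has
    no such refresh path: rotating it means restarting the container."""

    def __init__(self, path):
        self.path = path
        self._digest = None
        self.value = None
        self.reloads = 0
        self.refresh()

    def refresh(self):
        """Re-read the file; return True if a new value was loaded."""
        with open(self.path, "rb") as f:
            data = f.read()
        digest = hashlib.sha256(data).hexdigest()
        if digest == self._digest:
            return False
        self._digest = digest
        self.value = data.rstrip(b"\n")
        self.reloads += 1
        return True


def rotate_secret(path, new_value):
    """Write the new value to a temporary file in the same directory and rename it
    over the old one, so a reader sees either the old or the new value, never a
    partial write. Kubernetes secret volumes rely on the same atomic-swap idea
    (a `..data` symlink that is repointed at a freshly written directory)."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path), prefix=".tmp-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(new_value)
            f.flush()
            os.fsync(f.fileno())
        os.chmod(tmp, 0o400)           # keep the secret file owner-readable only
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def rotation_demo():
    """Constructed end-to-end run: returns
    (initial value, value after rotation, refresh() result with no change,
     refresh() result after rotation, number of reloads)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "db_password")
        rotate_secret(path, b"initial-password\n")
        secret = FileSecret(path)
        initial = secret.value
        unchanged = secret.refresh()            # same content: no reload
        rotate_secret(path, b"rotated-password\n")
        changed = secret.refresh()
        return initial, secret.value, unchanged, changed, secret.reloads


if __name__ == "__main__":
    print(rotation_demo())
```

In a real service `refresh()` runs on a timer or before each connection is opened, and the old credential is revoked only once the poll interval has elapsed so that no instance is still holding it; the hash comparison keeps the common no-change case cheap and makes the reload count a useful audit metric.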

Page 22: Your (container) secret's safe with me

Summary

Page 23: Your (container) secret's safe with me

Secrets

photo: Iain Merchant

■ Your best option depends on
■ Orchestrator
■ Acceptable level of risk

Page 24: Your (container) secret's safe with me

The Ultimate Guide to Secrets Management in Containers

tiny.cc/secrets

@LizRice | @AquaSecTeam