your (container) secret's safe with me
TRANSCRIPT
Copyright @ 2017 Aqua Security Software Ltd. All Rights Reserved.
Your secret’s safe with me
Liz Rice
@LizRice | @AquaSecTeam
Secrets
Desirable attributes for secrets management

Secrets
photo: Katie Tegtmeyer
■ Encrypted
  ■ At rest and in transit
  ■ Only decrypted in memory
Secrets
photo: James Case
■ Access control
  ■ Only accessible by containers that need them
  ■ And users
  ■ Write-only access
Secrets
photo: Irena Jackson
■ Life-cycle
  ■ Risk of leak increases over time
  ■ Rotation, revocation, audit logging
Passing secrets to containers
Bad places for secrets
■ Source code
■ Dockerfiles / images
Environment variables
docker run -e VARNAME=secret ...
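An added example (not from the slides) of what `docker run -e` actually exposes: the secret sits in the process environment, which any process running as the same user or as root can read from /proc/<pid>/environ, which every child process inherits, and which `docker inspect` prints under Config.Env on the host. The script below reproduces the first two without Docker, using a local `sleep` process as a stand-in for the container's entrypoint and a constructed placeholder value; POSIX sh on Linux with /proc mounted is assumed.

```shell
#!/bin/sh
# Added example: how a secret passed as an environment variable leaks.
# `sleep` stands in for the container's main process; the value is a placeholder.

# Dump a running process's environment from /proc, one VAR=value per line.
# Inside a container this is /proc/1/environ; on the host it is the
# container's real pid, readable by root or by the owner of the process.
env_of_pid() {
    tr '\0' '\n' < "/proc/$1/environ"
}

# Start a process with VARNAME=<value> in its environment, then read the value
# back from /proc exactly as a co-located process or host-side reader would.
leaked_via_proc() {
    VARNAME="$1" sleep 30 &
    pid=$!
    sleep 1                       # give the child time to exec `sleep`
    leaked=$(env_of_pid "$pid" | sed -n 's/^VARNAME=//p')
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    printf '%s\n' "$leaked"
}

# Every child the application spawns (a shell reached through command injection,
# a crash reporter, a build step) inherits the full environment, secret included.
leaked_via_child() {
    VARNAME="$1" sh -c 'env' | sed -n 's/^VARNAME=//p'
}

# Stand-alone demo:
# leaked_via_proc hunter2     -> hunter2
# leaked_via_child hunter2    -> hunter2
```

On the host, `docker inspect --format '{{.Config.Env}}' <container>` shows the same values to anyone with access to the Docker socket, which is why the orchestrator slides that follow prefer a tmpfs mount over env vars.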
Mounted volume
docker run -v /hostsecrets:/secrets ...
Orchestrator support for secrets
Docker
■ Secrets support built in for Docker Swarm services
  ■ Not standalone containers
■ Secret accessible when exposed to service
  ■ Mounted to a temporary fs (not env vars)
  ■ RBAC in Enterprise Edition
■ Rotation requires container restart
■ Encrypted in Raft log
  ■ Lock your Swarm!!
  ■ Shared to Swarm managers
  ■ External secrets stores coming
■ Encrypted transmission with mutual authentication
Kubernetes secrets
■ Secret is its own API object, referenced from the pod YAML
■ Mounted as a volume or configured as env var
■ Namespaced
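As an added example (not from the slides; shell is used to match the docker commands earlier in the deck): a function that builds the Secret object the pod YAML refers to, and the volume and env-var forms of consuming it. The `data:` field is only base64-encoded, so `reveal_secret` recovers the plaintext from the manifest with nothing but `base64 -d`; anything that can read the Secret through the API or straight from etcd gets the value, which is what the encryption-at-rest and RBAC slides that follow address. The names (db-creds, development, the password value) are constructed placeholders, and GNU coreutils `base64` is assumed.

```shell
#!/bin/sh
# Added example: a Kubernetes Secret and two ways a pod consumes it.
# Object and key names are constructed placeholders.

# Emit a Secret manifest: secret_manifest <name> <namespace> <key> <value>
# `data:` values are base64, which is encoding, not encryption.
secret_manifest() {
    enc=$(printf '%s' "$4" | base64 | tr -d '\n')
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: $2
type: Opaque
data:
  $3: $enc
EOF
}

# Recover the plaintext for <key> from a Secret manifest on stdin.
# This is all a reader with access to the object needs to do.
reveal_secret() {
    sed -n "s/^  $1: //p" | base64 -d
}

# Pod spec consuming the Secret: pod_manifest <pod> <namespace> <secret> <key>
# The volume form lands each key as a file on a tmpfs under mountPath;
# the env form puts it in the process environment (see the earlier caveats).
pod_manifest() {
    cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: $1
  namespace: $2
spec:
  containers:
    - name: app
      image: example/app:latest
      volumeMounts:
        - name: creds
          mountPath: /etc/creds
          readOnly: true
      env:
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: $3
              key: $4
  volumes:
    - name: creds
      secret:
        secretName: $3
EOF
}

# Stand-alone demo:
# secret_manifest db-creds development password 's3cr3t!' | reveal_secret password
# secret_manifest db-creds development password 's3cr3t!' | kubectl apply -f -
# pod_manifest app development db-creds password | kubectl apply -f -
```

Because the Secret is namespaced, the pod and the Secret must live in the same namespace; the RBAC slide below is what stops users in other namespaces, or in the same one without the right role, from reading it back the way `reveal_secret` does.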
■ Stored in etcd
  ■ Make sure secrets are encrypted!
  ■ --experimental-encryption-provider-config on API Server
kind: EncryptionConfig
apiVersion: v1
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: bXlWZXJ5U2VjcmV0RW5jcnlwdGlvbktleQo=
      - identity: {}
Secrets all the way down
■ EncryptionConfig holds a secret key... which now sits in a file on the API server host
xkcd.com/1416
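An added example (not from the slides) that does what the EncryptionConfig slide and this one describe: generate a fresh key, write an EncryptionConfig with the same shape as the slide, and check the key length before the file ever reaches the API server. aescbc is AES, so the key must decode to 16, 24 or 32 bytes; the slide's illustrative value decodes to 26 bytes, which is not a valid AES key length, so treat it as a placeholder. The output path and the key name are assumptions, and GNU coreutils `base64` is assumed.

```shell
#!/bin/sh
# Added example: generate and validate an aescbc key for EncryptionConfig.
# Path and key name are assumptions; the slide's sample value is used only
# to show the length check rejecting it.

# 32 random bytes, base64-encoded (the length the Kubernetes docs use).
new_aescbc_key() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Decoded length in bytes of a base64 key.
key_bytes() {
    n=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c)
    echo $((n))                  # arithmetic strips any padding wc adds
}

# Write the config: write_encryption_config <path> <base64-key>
# Providers are tried in order when reading; the first is used for writing,
# so keeping `identity: {}` last lets the API server still read secrets that
# were stored in plaintext before encryption was turned on.
write_encryption_config() {
    path=$1 key=$2
    case $(key_bytes "$key") in
        16|24|32) ;;
        *) echo "key must decode to 16, 24 or 32 bytes (AES)" >&2; return 1 ;;
    esac
    : > "$path" && chmod 600 "$path"   # the file holds the key: keep it root-only
    cat > "$path" <<EOF
kind: EncryptionConfig
apiVersion: v1
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: $key
      - identity: {}
EOF
}

# Stand-alone demo:
# key=$(new_aescbc_key); write_encryption_config /etc/kubernetes/encryption.yaml "$key"
# Then start the API server with --experimental-encryption-provider-config=<path>
# (later releases call it --encryption-provider-config) and re-write existing
# objects so they are stored encrypted:
#   kubectl get secrets --all-namespaces -o json | kubectl replace -f -
```

Enabling the provider only affects writes made after the flag is set, hence the `kubectl replace` pass; and the "secrets all the way down" point stands: the config file is the new root secret, so its permissions and the host it lives on need the same care as etcd itself.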
Kubernetes secrets access
■ RBAC can be turned on: --authorization-mode=RBAC
# This role binding allows "dave" to read secrets in the "development" namespace.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: read-secrets
  namespace: development # This only grants permissions within the "development" namespace.
subjects:
- kind: User
  name: dave
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io
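The binding above refers to a ClusterRole named secret-reader that the slide does not show. As an added example (not from the slides), the function below emits that ClusterRole together with the binding, parameterised on namespace and user, using the v1 RBAC API rather than the slide's v1beta1. Binding a ClusterRole through a RoleBinding grants its verbs only inside that one namespace; a ClusterRoleBinding would grant them cluster-wide. The role and binding names are the slide's; the verification commands assume kubectl access to a cluster started with RBAC enabled.

```shell
#!/bin/sh
# Added example: the secret-reader ClusterRole plus the namespaced binding.
# secret_reader_manifests <namespace> <user>
secret_reader_manifests() {
    cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: secret-reader
rules:
  - apiGroups: [""]           # core API group, where Secret lives
    resources: ["secrets"]
    verbs: ["get", "watch", "list"]
---
# RoleBinding, not ClusterRoleBinding: $2 gets these verbs only in $1.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-secrets
  namespace: $1
subjects:
  - kind: User
    name: $2
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Stand-alone usage (needs a cluster started with --authorization-mode=RBAC):
#   secret_reader_manifests development dave | kubectl apply -f -
#   kubectl auth can-i list secrets -n development --as dave    # yes
#   kubectl auth can-i list secrets -n production  --as dave    # no
#   kubectl auth can-i create secrets -n development --as dave  # no: read-only verbs
```

The `kubectl auth can-i ... --as` checks are the quickest way to confirm that the binding is namespace-scoped and read-only before handing the cluster to users.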
DC/OS
■ Enterprise DC/OS
  ■ Plug-ins for Mesos/Marathon
■ Encrypted in ZooKeeper
■ Env vars
■ Access control by service path
■ Restart service to update value
Nomad
■ Integrated with Vault
  ■ Tasks get tokens so they can retrieve values from Vault
■ Poll for changed values
■ Access control
Aqua secrets
■ Any orchestrator
■ Secret storage in 3rd party backend
  ■ HashiCorp Vault, Amazon KMS, Azure Key Vault, CyberArk Vault...
■ File system & env var support
  ■ Env vars injected into container process memory
  ■ Secret can be injected to a tmpfs filesystem
■ Update secrets without restart of container
■ Auditing of secret usage
■ Limit access to designated containers
■ User access controls
Summary

Secrets
photo: Iain Merchant
■ Your best option depends on
  ■ Orchestrator
  ■ Acceptable level of risk
The Ultimate Guide to Secrets Management in Containers
tiny.cc/secrets