Sealed Secrets: protecting your Kubernetes Secrets since 2017
José Luis Vázquez González
Alfredo García
Agenda
● Kubernetes Secrets: models & common issues
● Sealed Secrets OSS: history, OSS project, philosophy, GitOps, architecture & base use case
● Basic flow & advanced Sealed Secrets features
● Use cases & best practices
● Demo time
● Beyond Sealed Secrets
Sealed Secrets maintainers
Meet the team!
● Alejandro Moreno: github.com/alemorcuq
● Alfredo García: github.com/agarcia-oss
● José Luis Vázquez: github.com/josvazg
● Alvaro Neira: github.com/alvneiayu
● Harsh Sharma: github.com/harshsharma071988
● Nisha Kumari: github.com/Nisha-kumari
Kubernetes Secrets
Models & Common Issues
Kubernetes Secrets
What do they look like?
Kubernetes Secrets are native Resource Definitions designed to hold secret data.
But they are not encrypted: they need to be ready to be consumed by Pods.
Kubernetes Secrets
And then you encrypted them… right?
Kubernetes Secrets
Types

Secret Type                           Use case
Opaque                                Arbitrary user-defined secrets, as in the previous example
kubernetes.io/service-account-token   ServiceAccount token
kubernetes.io/dockercfg               Serialized ~/.dockercfg file
kubernetes.io/dockerconfigjson        Serialized ~/.docker/config.json file
kubernetes.io/basic-auth              Credentials for basic authentication
kubernetes.io/ssh-auth                Credentials for SSH authentication
kubernetes.io/tls                     Data for a TLS client or server
bootstrap.kubernetes.io/token         Bootstrap token data
Secret Management Options
Different models and tradeoffs
● Native Kubernetes Secrets
● KMS systems
● Sealed Secrets
● Hybrid models
Sealed Secrets OSS
Backstory & Status of the Open Source Project
Bitnami: 15+ years building and maintaining software packages
Bitnami is a catalog of free open-source software: over 180 applications, components, frameworks, templates, and more.
Any environment (local, cloud, data center), any format (virtual machines, containers, deployment templates), any platform.
We were there…
Pioneering from installers to Cloud Native
● 2003 … when software was growing
● 2008 … when Amazon was just a bookstore
● 2012 … when clouds were forming
● 2015 … when containers were just for devs
● 2017 … when Kubernetes was plain hard
Sealed Secrets as an OSS project
Main features
Sealed Secrets: a simple, safe & popular GitOps flow for secrets with 3 components:
● kubeseal (CLI tool): the Sealed Secrets CLI that seals Kubernetes Secrets.
● Kubernetes controller: the Sealed Secrets controller unseals Sealed Secrets into their equivalent Kubernetes Secrets.
● Code repository: Sealed Secrets can be stored safely in the code repository, next to the rest of the deployment configuration.
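The two points above belong together: a raw Secret's data block is only base64, so committing it to the repository publishes it, while a SealedSecret is the artifact that belongs next to the deployment configuration. The Go program below is an added example written for this page, not code from the deck or from the sealed-secrets project. It is a small line-based audit a CI job or pre-commit hook could run over a manifest directory to flag Secrets committed in the clear; the manifest text is constructed, the SealedSecret ciphertext is a placeholder, and the minimal YAML handling (flat "key: value" lines, documents split on "---") is this example's own assumption rather than a real YAML parser.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

// Finding is one plain Kubernetes Secret found in a manifest set: exactly the
// object that should never be committed next to deployment configuration.
type Finding struct {
	Name string
	Keys []string // data/stringData keys present in clear (base64 is not encryption)
}

// RevealsPlaintext shows why a Secret's data block offers no protection: the
// value is standard base64 and decodes straight back to the original bytes.
func RevealsPlaintext(encoded string) (string, bool) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", false
	}
	return string(raw), true
}

// AuditManifests scans a multi-document YAML string (documents separated by
// "---") and reports every "kind: Secret" that carries data or stringData.
// SealedSecret documents are ignored: their encryptedData is what belongs in
// git. The scanner is line-based and understands only the flat "key: value"
// layout of typical manifests (assumption of this example, not a YAML parser).
func AuditManifests(manifests string) []Finding {
	var findings []Finding
	for _, doc := range strings.Split(manifests, "\n---") {
		var kind, name string
		var keys []string
		inData := false
		for _, line := range strings.Split(doc, "\n") {
			trimmed := strings.TrimSpace(line)
			if trimmed == "" || strings.HasPrefix(trimmed, "#") {
				continue
			}
			indent := len(line) - len(strings.TrimLeft(line, " "))
			if indent == 0 {
				inData = false // any top-level key ends the data block
			}
			key, val, ok := strings.Cut(trimmed, ":")
			if !ok {
				continue
			}
			val = strings.TrimSpace(val)
			switch {
			case indent == 0 && key == "kind":
				kind = val
			case indent == 0 && (key == "data" || key == "stringData"):
				inData = true
			case inData && indent > 0:
				keys = append(keys, key)
			case key == "name" && name == "":
				name = val // the first name: line in a manifest is metadata.name
			}
		}
		if kind == "Secret" && len(keys) > 0 {
			findings = append(findings, Finding{Name: name, Keys: keys})
		}
	}
	return findings
}

// sampleRepo is a constructed two-document manifest: one raw Secret (the
// mistake) and one SealedSecret (the intended GitOps artifact). The
// encryptedData value is a placeholder, not real kubeseal output.
const sampleRepo = `apiVersion: v1
kind: Secret
metadata:
  name: db-creds
  namespace: prod
type: Opaque
data:
  password: cGFzc3dvcmQ=
  username: YWRtaW4=
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: api-token
  namespace: prod
spec:
  encryptedData:
    token: AgBconstructedPlaceholderNotRealCiphertext
`

func main() {
	for _, f := range AuditManifests(sampleRepo) {
		fmt.Printf("plain Secret %q commits keys %v in the clear\n", f.Name, f.Keys)
	}
	if pt, ok := RevealsPlaintext("cGFzc3dvcmQ="); ok {
		fmt.Printf("base64 only hides the value from a glance: %q\n", pt)
	}
}
```

The audit deliberately reports key names and not decoded values, so its output can go into CI logs without leaking what it found; RevealsPlaintext exists only to make the "base64 is not encryption" point concrete.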
Sealed Secrets as an OSS project
Key metrics
● 6.1K GitHub stars
● 80M monthly downloads
● +10K OSS projects using Sealed Secrets
● 702 Pull Requests
● 389 solved issues
Sealed Secrets as an OSS project
More metrics…
Sealed Secrets is downloaded 20 times more often than other key applications in the security ecosystem.
Sealed Secrets as an OSS project
More metrics

Domain                    Monthly downloads   % of total downloads
microsoft.com             22,122,490          47.98%
google.com                17,605,812          38.18%
amazon.com                 3,459,777           7.54%
21vbluecloud.com             605,663           1.31%
monaco-telecom.mc            480,258           1.04%
beeksfinancialcloud.com      279,665           0.66%
pulsepoint.com               269,564           0.58%
huaweicloud.com              234,600           0.50%
softlayer.com                169,501           0.36%
digitalocean.com             137,255           0.29%
Basic flow & Advanced Sealed Secrets features
Use cases & best practices
Sealed Secrets Basic flow
How it works
[Diagram: kubeseal ${SECRET} produces a Sealed Secret, which is committed to Git and applied with kubectl apply to the kube-apiserver; inside the Kubernetes cluster the sealed-secrets controller detects Sealed Secrets and decrypts them into a Secret stored on the etcd node.]
Secret management best practices
General advice
● Rotate Secrets: remember to rotate your secrets often, so you don't need to worry about re-sealing them.
● Least privilege: follow the least privilege principle on secret access to reduce the blast radius.
● Don't leak your keys: the less you share or copy them around, the better.
Key Management
Under the hood
[Diagram: kubeseal ${SECRET} produces a Sealed Secret committed to Git; inside the Kubernetes cluster the sealed-secrets controller creates a TLS sealing secret on the etcd node and keeps the older TLS sealing secrets; the certificate / public key of the current sealing key is what kubeseal seals with.]
● Key pairs are plain TLS secrets named sealed-secrets-...
  ○ They are managed by Sealed Secrets, so you don't need to.
Advanced features
Use as needed
Sometimes, defaults don't cut it or something doesn't go as planned:
● Compromised unseal key: you must move the controller to a new sealing keypair. Then rotate your secrets, as they are also compromised.
● Taking over secrets: you can annotate sealed secrets to take control of existing secrets.
● Updating secrets: kubeseal allows you to update or append keys in sealed secrets.
● Offline certs: by default kubeseal uses the latest cluster sealing certificate for you, but you can set a certificate to be used offline, if you really need to.
Advanced features
Use with caution!
It might be difficult to realize how simple and safe the basic flow is… until you compare it with other flows enabled by advanced features or options.
● Scoping: secrets are sealed for a particular secret name and namespace by default. Relaxing the scope means cluster neighbours can take a peek.
● Re-sealing: sealing keys are renewed every 30 days by default, but old keys are kept. You can reseal the same secret again with the newer sealing key, if needed. Still, why would you need it if you were rotating your secrets as you should?
● Sealing keys are just secrets: you can manage them on the side, but should you?
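The scoping and re-sealing items above are easier to reason about once you see where the scope lives: in the hybrid scheme the project README describes (RSA-OAEP with SHA-256 wrapping a single-use AES-256-GCM session key), the "namespace/name" string is the OAEP label, so a blob copied into another namespace cannot be opened even by the controller that holds the right private key. The Go block below is an added example written for this page, not code from the sealed-secrets project: the function names, the blob layout (2-byte length, RSA ciphertext, GCM output) and the sample values are this example's own assumptions and are not wire-compatible with kubeseal. Reseal covers the second item: decrypt under the older key, encrypt under the newer one, same label.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Scope labels bind a ciphertext to where it may be unsealed. Strict scope
// (the default) uses "namespace/name"; namespace-wide drops the name and
// cluster-wide drops both, which is exactly what lets neighbours take a peek.
func StrictLabel(namespace, name string) []byte { return []byte(namespace + "/" + name) }
func NamespaceWideLabel(namespace string) []byte { return []byte(namespace) }
func ClusterWideLabel() []byte                   { return nil }

// Seal wraps a fresh 32-byte session key with RSA-OAEP (SHA-256, scope as the
// OAEP label) and encrypts plaintext with AES-256-GCM under that key.
// Blob layout (an assumption of this example, not kubeseal's wire format):
// 2-byte big-endian length of the RSA ciphertext | RSA ciphertext | GCM output.
func Seal(pub *rsa.PublicKey, plaintext, label []byte) ([]byte, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, label)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	// An all-zero nonce is safe only because each Seal call draws a new
	// session key; that key is never used for a second message.
	nonce := make([]byte, gcm.NonceSize())
	out := make([]byte, 2, 2+len(wrapped)+len(plaintext)+gcm.Overhead())
	binary.BigEndian.PutUint16(out, uint16(len(wrapped)))
	out = append(out, wrapped...)
	return gcm.Seal(out, nonce, plaintext, nil), nil
}

// Unseal reverses Seal. A blob sealed for another name or namespace fails at
// the OAEP step even though the private key is right: scope is enforced by
// the cryptography, not by a policy check that could be skipped.
func Unseal(priv *rsa.PrivateKey, sealed, label []byte) ([]byte, error) {
	if len(sealed) < 2 {
		return nil, errors.New("sealed blob too short")
	}
	n := int(binary.BigEndian.Uint16(sealed))
	if len(sealed) < 2+n {
		return nil, errors.New("sealed blob truncated")
	}
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, sealed[2:2+n], label)
	if err != nil {
		return nil, fmt.Errorf("unwrap failed (wrong sealing key or wrong scope): %w", err)
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, make([]byte, gcm.NonceSize()), sealed[2+n:], nil)
}

// Reseal moves a blob from an older sealing key to a newer one under the same
// scope. The plaintext never leaves this process, which is why re-sealing is a
// controller-side operation rather than something to do by hand in the repo.
func Reseal(oldPriv *rsa.PrivateKey, newPub *rsa.PublicKey, sealed, label []byte) ([]byte, error) {
	plaintext, err := Unseal(oldPriv, sealed, label)
	if err != nil {
		return nil, err
	}
	return Seal(newPub, plaintext, label)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	label := StrictLabel("prod", "db-creds")
	sealed, _ := Seal(&key.PublicKey, []byte("constructed-password"), label)
	if _, err := Unseal(key, sealed, StrictLabel("staging", "db-creds")); err != nil {
		fmt.Println("copied to another namespace:", err)
	}
	pt, _ := Unseal(key, sealed, label)
	fmt.Printf("unsealed in its own scope: %s\n", pt)
}
```

Run it and the staging copy fails while the in-scope unseal succeeds; the same property is what a relaxed (namespace-wide or cluster-wide) label gives away, because a shorter label matches more places.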
Demo time!
Beyond Sealed Secrets
Beyond Sealed Secrets
Parting words
● Standalone Sealed Secrets is good; with GitOps friends it is even better!
● The best practice with Sealed Secrets is to stick to its default flow.
● Favour simple approaches.
● Automate everything.
[Diagram: the basic flow again: kubeseal ${SECRET} produces a Sealed Secret, committed to Git and applied with kubectl apply to the kube-apiserver; the sealed-secrets controller detects Sealed Secrets and decrypts them into a Secret on the etcd node of the Kubernetes cluster.]
github.com/bitnami-labs/sealed-secrets

Deck: Codemotion Madrid 2023 - Sealed Secrets: protecting your Kubernetes Secrets since 2017
