SlideShare a Scribd company logo

Container secrets talk from DevSecCon

Download as PPTX, PDF
Liz Rice
Liz Rice

Your container secret's safe with me - a review of secret management from some popular orchestrators (and a glimpse into Aqua Security's capabilities for secrets)

Software
1 of 29
Join the conversation #DevSecCon Your (container) secret’s safe with me Liz Rice, Aqua Security @lizrice
2 Secrets @LizRice | @AquaSecTeam
3 Secrets @LizRice | @AquaSecTeam Secret store Cluster
Desirable attributes for secrets management
5 Secrets @LizRice | @AquaSecTeam Secrets photo: Katie Tegtmeyer ■ Encrypted ■ At rest and in transit ■ Only decrypted in memory
6 Secrets @LizRice | @AquaSecTeam Secrets photo: James Case ■ Access control ■ Only accessible by containers that need them ■ And users ■ Write-only access
7 Secrets @LizRice | @AquaSecTeam Secrets photo: Irena Jackson ■ Life-cycle ■ Risk of leak increases over time ■ Rotation, revocation, audit logging
Passing secrets to containers
9 Bad places for secrets @LizRice | @AquaSecTeam ■ Source code ■ Dockerfiles / images
10 docker run -e VARNAME=secret ... Environment variables @LizRice | @AquaSecTeam
11 ■ docker inspect ■ docker exec ■ /proc directory ■ Leaky logs Environment variables @LizRice | @AquaSecTeam
12 docker run -v /hostsecrets:/secrets ... Mounted volume @LizRice | @AquaSecTeam
13 ■ docker inspect ■ docker exec ■ /proc directory ■ Leaky logs Mounted volume @LizRice | @AquaSecTeam
Orchestrator support for secrets
15 Docker @LizRice | @AquaSecTeam ■ Secrets support built in for Docker Swarm services ■ Not standalone containers ■ Encrypted transmission with mutual authentication ■ Secret accessible when exposed to service ■ Mounted to a temporary fs (not env vars) ■ RBAC in Enterprise Edition
16 Docker @LizRice | @AquaSecTeam ■ Encrypted in Raft log ■ Lock your Swarm!! ■ Shared to Swarm managers ■ Audit log with events ■ Rotation requires container restart & secret dance Encrypted ✓ Access control ✓ Life-cycle ?
17 Kubernetes secrets @LizRice | @AquaSecTeam ■ Secret configured in pod YAML ■ Namespaced ■ RBAC can be turned on --authorization-mode=RBAC ■ Files and env vars ■ Files support updating secret values ■ Need to restart pod to get new env var value
18 Kubernetes secrets @LizRice | @AquaSecTeam ■ Stored in etcd ■ Make sure secrets are encrypted! ■ --experimental-encryption-provider-config on API Server Encrypted ? Access control ✓ Life-cycle ✓
19 Kubernetes secrets @LizRice | @AquaSecTeam kind: EncryptionConfig apiVersion: v1 resources: - resources: - secrets providers: - aescbc: keys: - name: key1 secret: bXlWZXJ5U2VjcmV0RW5jcnlwdGlvbktleQo= - identity: {}
20 Secrets all the way down @LizRice | @AquaSecTeam ■ EncryptionConfig holds a secret key... xkcd.com/1416
21 DC/OS @LizRice | @AquaSecTeam ■ Enterprise DC/OS ■ Plug-ins for Mesos/Marathon ■ Encrypted in ZooKeeper ■ Env vars ■ Access control by service path ■ Restart service to update value Encrypted ✓ Access control ✓ Life-cycle ?
22 Nomad @LizRice | @AquaSecTeam ■ Integrated with Vault ■ Use production mode ■ Encryption & security primitives
23 Nomad @LizRice | @AquaSecTeam ■ Secrets passed as files ■ Nomad takes care of interactions with Vault ■ Tasks get tokens so they can retrieve values ■ Poll for changed values ■ Access control ■ Audit logging Encrypted ✓ Access control ✓ Life-cycle ✓
24 Aqua secrets & external store @LizRice | @AquaSecTeam ■ Any orchestrator ■ Secret storage in 3rd party backend ■ Hashicorp Vault, Amazon KMS, Azure Key Vault, CyberArk Vault...
25 Aqua secrets & external store @LizRice | @AquaSecTeam ■ File system & env var support ■ Update secrets without container restart ■ No env var leak through inspect or /proc ■ Auditing of secret usage ■ User & container access control Encrypted ✓ Access control ✓ Life-cycle ✓
Summary
27 Secrets @LizRice | @AquaSecTeam Secrets photo: Iain Merchant ■ Access secrets at runtime ■ Not built in ■ Rotate secrets ■ Your best option depends on ■ Orchestrator ■ Acceptable level of risk
Join the conversation #DevSecCon The Ultimate Guide to Secrets Management in Containers tiny.cc/secrets @LizRice | @AquaSecTeam
29 Kubernetes secrets access @LizRice | @AquaSecTeam ■ RBAC can be turned on --authorization-mode=RBAC # This role binding allows "dave" to read secrets in the "development" namespace. kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: read-secrets namespace: development # This only grants permissions within the "development" namespace. subjects: - kind: User name: dave apiGroup: rbac.authorization.k8s.io roleRef: kind: ClusterRole name: secret-reader apiGroup: rbac.authorization.k8s.io

Recommended

Your (container) secret's safe with me
Your (container) secret's safe with me Your (container) secret's safe with me
Your (container) secret's safe with me Liz Rice
 
Your secret's safe with me
Your secret's safe with meYour secret's safe with me
Your secret's safe with meLiz Rice
 
Hug #9 who's keeping your secrets
Hug #9 who's keeping your secretsHug #9 who's keeping your secrets
Hug #9 who's keeping your secretsCameron More
 
London HUG 19/5 - Kubernetes and vault
London HUG 19/5 - Kubernetes and vaultLondon HUG 19/5 - Kubernetes and vault
London HUG 19/5 - Kubernetes and vaultLondon HashiCorp User Group
 
London Hug 20/6 - Vault production
London Hug 20/6 - Vault productionLondon Hug 20/6 - Vault production
London Hug 20/6 - Vault productionLondon HashiCorp User Group
 
Kubernetes Security
Kubernetes SecurityKubernetes Security
Kubernetes Securityinovex GmbH
 
Kubernetes - security you need to know about it
Kubernetes - security you need to know about itKubernetes - security you need to know about it
Kubernetes - security you need to know about itHaydn Johnson
 
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...Michael Man
 

Recommended

Your (container) secret's safe with me
Your (container) secret's safe with me Your (container) secret's safe with me
Your (container) secret's safe with me Liz Rice
 
Your secret's safe with me
Your secret's safe with meYour secret's safe with me
Your secret's safe with meLiz Rice
 
Hug #9 who's keeping your secrets
Hug #9 who's keeping your secretsHug #9 who's keeping your secrets
Hug #9 who's keeping your secretsCameron More
 
London HUG 19/5 - Kubernetes and vault
London HUG 19/5 - Kubernetes and vaultLondon HUG 19/5 - Kubernetes and vault
London HUG 19/5 - Kubernetes and vaultLondon HashiCorp User Group
 
London Hug 20/6 - Vault production
London Hug 20/6 - Vault productionLondon Hug 20/6 - Vault production
London Hug 20/6 - Vault productionLondon HashiCorp User Group
 
Kubernetes Security
Kubernetes SecurityKubernetes Security
Kubernetes Securityinovex GmbH
 
Kubernetes - security you need to know about it
Kubernetes - security you need to know about itKubernetes - security you need to know about it
Kubernetes - security you need to know about itHaydn Johnson
 
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...Michael Man
 
London Hug 20/6 - Clustering RabbitMQ using Consul
London Hug 20/6 - Clustering RabbitMQ using ConsulLondon Hug 20/6 - Clustering RabbitMQ using Consul
London Hug 20/6 - Clustering RabbitMQ using ConsulLondon HashiCorp User Group
 
Zombies in Kubernetes
Zombies in KubernetesZombies in Kubernetes
Zombies in KubernetesThomas Fricke
 
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDays Riga
 
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...Michael Man
 
Alex Dias: how to build a docker monitoring solution
Alex Dias: how to build a docker monitoring solution Alex Dias: how to build a docker monitoring solution
Alex Dias: how to build a docker monitoring solution Outlyer
 
Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes Aqua Security
 
Security threats with Kubernetes - Igor Khoroshchenko
Security threats with Kubernetes - Igor Khoroshchenko Security threats with Kubernetes - Igor Khoroshchenko
Security threats with Kubernetes - Igor KhoroshchenkoKuberton
 
CI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in KubernetesCI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in KubernetesSysdig
 
Kubernetes - Security Journey
Kubernetes - Security JourneyKubernetes - Security Journey
Kubernetes - Security JourneyJerry Jalava
 
Mastering kubernetes ingress nginx
Mastering kubernetes ingress nginxMastering kubernetes ingress nginx
Mastering kubernetes ingress nginxSidhartha Mani
 
Lessons learned and challenges faced while running Kubernetes at Scale
Lessons learned and challenges faced while running Kubernetes at ScaleLessons learned and challenges faced while running Kubernetes at Scale
Lessons learned and challenges faced while running Kubernetes at ScaleSidhartha Mani
 
How abusing the Docker API led to remote code execution same origin bypass an...
How abusing the Docker API led to remote code execution same origin bypass an...How abusing the Docker API led to remote code execution same origin bypass an...
How abusing the Docker API led to remote code execution same origin bypass an...Aqua Security
 
Chris Rutter: Avoiding The Security Brick
Chris Rutter: Avoiding The Security BrickChris Rutter: Avoiding The Security Brick
Chris Rutter: Avoiding The Security BrickMichael Man
 
Bandit and Gosec - Security Linters
Bandit and Gosec - Security LintersBandit and Gosec - Security Linters
Bandit and Gosec - Security LintersEricBrown328
 
JEE on DC/OS
JEE on DC/OSJEE on DC/OS
JEE on DC/OSJosef Adersberger
 
OpenShift & SELinux with Dan Walsh @rhatdan
OpenShift & SELinux with Dan Walsh @rhatdanOpenShift & SELinux with Dan Walsh @rhatdan
OpenShift & SELinux with Dan Walsh @rhatdanOpenShift Origin
 
BRISK_Network_Pentest_
BRISK_Network_Pentest_BRISK_Network_Pentest_
BRISK_Network_Pentest_BriskInfosec Solutions
 
Security best practices for kubernetes deployment
Security best practices for kubernetes deploymentSecurity best practices for kubernetes deployment
Security best practices for kubernetes deploymentMichael Cherny
 
Lessons Learned in Automating Compliance for Containers
Lessons Learned in Automating Compliance for ContainersLessons Learned in Automating Compliance for Containers
Lessons Learned in Automating Compliance for ContainersAll Things Open
 
Container Security
Container SecurityContainer Security
Container SecurityJie Liau
 
Your secret's safe with me
Your secret's safe with meYour secret's safe with me
Your secret's safe with meAqua Security
 
Containers: Give Me The Facts, Not The Hype - AppD Summit Europe
Containers: Give Me The Facts, Not The Hype - AppD Summit EuropeContainers: Give Me The Facts, Not The Hype - AppD Summit Europe
Containers: Give Me The Facts, Not The Hype - AppD Summit EuropeAppDynamics
 

More Related Content

What's hot

London Hug 20/6 - Clustering RabbitMQ using Consul
London Hug 20/6 - Clustering RabbitMQ using ConsulLondon Hug 20/6 - Clustering RabbitMQ using Consul
London Hug 20/6 - Clustering RabbitMQ using ConsulLondon HashiCorp User Group
 
Zombies in Kubernetes
Zombies in KubernetesZombies in Kubernetes
Zombies in KubernetesThomas Fricke
 
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDays Riga
 
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...Michael Man
 
Alex Dias: how to build a docker monitoring solution
Alex Dias: how to build a docker monitoring solution Alex Dias: how to build a docker monitoring solution
Alex Dias: how to build a docker monitoring solution Outlyer
 
Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes Aqua Security
 
Security threats with Kubernetes - Igor Khoroshchenko
Security threats with Kubernetes - Igor Khoroshchenko Security threats with Kubernetes - Igor Khoroshchenko
Security threats with Kubernetes - Igor KhoroshchenkoKuberton
 
CI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in KubernetesCI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in KubernetesSysdig
 
Kubernetes - Security Journey
Kubernetes - Security JourneyKubernetes - Security Journey
Kubernetes - Security JourneyJerry Jalava
 
Mastering kubernetes ingress nginx
Mastering kubernetes ingress nginxMastering kubernetes ingress nginx
Mastering kubernetes ingress nginxSidhartha Mani
 
Lessons learned and challenges faced while running Kubernetes at Scale
Lessons learned and challenges faced while running Kubernetes at ScaleLessons learned and challenges faced while running Kubernetes at Scale
Lessons learned and challenges faced while running Kubernetes at ScaleSidhartha Mani
 
How abusing the Docker API led to remote code execution same origin bypass an...
How abusing the Docker API led to remote code execution same origin bypass an...How abusing the Docker API led to remote code execution same origin bypass an...
How abusing the Docker API led to remote code execution same origin bypass an...Aqua Security
 
Chris Rutter: Avoiding The Security Brick
Chris Rutter: Avoiding The Security BrickChris Rutter: Avoiding The Security Brick
Chris Rutter: Avoiding The Security BrickMichael Man
 
Bandit and Gosec - Security Linters
Bandit and Gosec - Security LintersBandit and Gosec - Security Linters
Bandit and Gosec - Security LintersEricBrown328
 
OpenShift & SELinux with Dan Walsh @rhatdan
OpenShift & SELinux with Dan Walsh @rhatdanOpenShift & SELinux with Dan Walsh @rhatdan
OpenShift & SELinux with Dan Walsh @rhatdanOpenShift Origin
 
Security best practices for kubernetes deployment
Security best practices for kubernetes deploymentSecurity best practices for kubernetes deployment
Security best practices for kubernetes deploymentMichael Cherny
 
Lessons Learned in Automating Compliance for Containers
Lessons Learned in Automating Compliance for ContainersLessons Learned in Automating Compliance for Containers
Lessons Learned in Automating Compliance for ContainersAll Things Open
 
Container Security
Container SecurityContainer Security
Container SecurityJie Liau
 

What's hot (20)

London Hug 20/6 - Clustering RabbitMQ using Consul
London Hug 20/6 - Clustering RabbitMQ using ConsulLondon Hug 20/6 - Clustering RabbitMQ using Consul
London Hug 20/6 - Clustering RabbitMQ using Consul
 
Zombies in Kubernetes
Zombies in KubernetesZombies in Kubernetes
Zombies in Kubernetes
 
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
 
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...
 
Alex Dias: how to build a docker monitoring solution
Alex Dias: how to build a docker monitoring solution Alex Dias: how to build a docker monitoring solution
Alex Dias: how to build a docker monitoring solution
 
Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes
 
Security threats with Kubernetes - Igor Khoroshchenko
Security threats with Kubernetes - Igor Khoroshchenko Security threats with Kubernetes - Igor Khoroshchenko
Security threats with Kubernetes - Igor Khoroshchenko
 
CI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in KubernetesCI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in Kubernetes
 
Kubernetes - Security Journey
Kubernetes - Security JourneyKubernetes - Security Journey
Kubernetes - Security Journey
 
Mastering kubernetes ingress nginx
Mastering kubernetes ingress nginxMastering kubernetes ingress nginx
Mastering kubernetes ingress nginx
 
Lessons learned and challenges faced while running Kubernetes at Scale
Lessons learned and challenges faced while running Kubernetes at ScaleLessons learned and challenges faced while running Kubernetes at Scale
Lessons learned and challenges faced while running Kubernetes at Scale
 
How abusing the Docker API led to remote code execution same origin bypass an...
How abusing the Docker API led to remote code execution same origin bypass an...How abusing the Docker API led to remote code execution same origin bypass an...
How abusing the Docker API led to remote code execution same origin bypass an...
 
Chris Rutter: Avoiding The Security Brick
Chris Rutter: Avoiding The Security BrickChris Rutter: Avoiding The Security Brick
Chris Rutter: Avoiding The Security Brick
 
Bandit and Gosec - Security Linters
Bandit and Gosec - Security LintersBandit and Gosec - Security Linters
Bandit and Gosec - Security Linters
 
JEE on DC/OS
JEE on DC/OSJEE on DC/OS
JEE on DC/OS
 
OpenShift & SELinux with Dan Walsh @rhatdan
OpenShift & SELinux with Dan Walsh @rhatdanOpenShift & SELinux with Dan Walsh @rhatdan
OpenShift & SELinux with Dan Walsh @rhatdan
 
BRISK_Network_Pentest_
BRISK_Network_Pentest_BRISK_Network_Pentest_
BRISK_Network_Pentest_
 
Security best practices for kubernetes deployment
Security best practices for kubernetes deploymentSecurity best practices for kubernetes deployment
Security best practices for kubernetes deployment
 
Lessons Learned in Automating Compliance for Containers
Lessons Learned in Automating Compliance for ContainersLessons Learned in Automating Compliance for Containers
Lessons Learned in Automating Compliance for Containers
 
Container Security
Container SecurityContainer Security
Container Security
 

Similar to Container secrets talk from DevSecCon

Your secret's safe with me
Your secret's safe with meYour secret's safe with me
Your secret's safe with meAqua Security
 
Containers: Give Me The Facts, Not The Hype - AppD Summit Europe
Containers: Give Me The Facts, Not The Hype - AppD Summit EuropeContainers: Give Me The Facts, Not The Hype - AppD Summit Europe
Containers: Give Me The Facts, Not The Hype - AppD Summit EuropeAppDynamics
 
Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?Michael Boelen
 
Secure development on Kubernetes by Andreas Falk
Secure development on Kubernetes by Andreas FalkSecure development on Kubernetes by Andreas Falk
Secure development on Kubernetes by Andreas FalkSBA Research
 
DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...
DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...
DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...Lacework
 
Container Monitoring with Sysdig
Container Monitoring with SysdigContainer Monitoring with Sysdig
Container Monitoring with SysdigSreenivas Makam
 
Caching reboot: javax.cache & Ehcache 3
Caching reboot: javax.cache & Ehcache 3Caching reboot: javax.cache & Ehcache 3
Caching reboot: javax.cache & Ehcache 3Louis Jacomet
 
Docker Seattle Meetup April 2015 - The Docker Orchestration Ecosystem on Azure
Docker Seattle Meetup April 2015 - The Docker Orchestration Ecosystem on AzureDocker Seattle Meetup April 2015 - The Docker Orchestration Ecosystem on Azure
Docker Seattle Meetup April 2015 - The Docker Orchestration Ecosystem on AzurePatrick Chanezon
 
Dockertaipei 20150528-dockerswarm
Dockertaipei 20150528-dockerswarmDockertaipei 20150528-dockerswarm
Dockertaipei 20150528-dockerswarmWei-Ting Kuo
 
Docker New York Meetup May 2015 - The Docker Orchestration Ecosystem on Azure
Docker New York Meetup May 2015 - The Docker Orchestration Ecosystem on Azure Docker New York Meetup May 2015 - The Docker Orchestration Ecosystem on Azure
Docker New York Meetup May 2015 - The Docker Orchestration Ecosystem on Azure Patrick Chanezon
 
Discover some "Big Data" architectural concepts with Redis
Discover some "Big Data" architectural concepts with Redis Discover some "Big Data" architectural concepts with Redis
Discover some "Big Data" architectural concepts with Redis Maturin BADO
 
Monitoring microservices: Docker, Mesos and Kubernetes visibility at scale
Monitoring microservices: Docker, Mesos and Kubernetes visibility at scaleMonitoring microservices: Docker, Mesos and Kubernetes visibility at scale
Monitoring microservices: Docker, Mesos and Kubernetes visibility at scaleAlessandro Gallotta
 
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019Lacework
 
(DAT407) Amazon ElastiCache: Deep Dive
(DAT407) Amazon ElastiCache: Deep Dive(DAT407) Amazon ElastiCache: Deep Dive
(DAT407) Amazon ElastiCache: Deep DiveAmazon Web Services
 
Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3Velocidex Enterprises
 
Secret Management with Hashicorp Vault and Consul on Kubernetes
Secret Management with Hashicorp Vault and Consul on KubernetesSecret Management with Hashicorp Vault and Consul on Kubernetes
Secret Management with Hashicorp Vault and Consul on KubernetesAn Nguyen
 
The Concierge Paradigm
The Concierge ParadigmThe Concierge Paradigm
The Concierge ParadigmGareth Brown
 
Devoxx France 2015 - The Docker Orchestration Ecosystem on Azure
Devoxx France 2015 - The Docker Orchestration Ecosystem on AzureDevoxx France 2015 - The Docker Orchestration Ecosystem on Azure
Devoxx France 2015 - The Docker Orchestration Ecosystem on AzurePatrick Chanezon
 
Commit 2024 Secrets Management Made Easy
Commit 2024 Secrets Management Made EasyCommit 2024 Secrets Management Made Easy
Commit 2024 Secrets Management Made EasyAlfredo García Lavilla
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Sysdig
 

Similar to Container secrets talk from DevSecCon (20)

Your secret's safe with me
Your secret's safe with meYour secret's safe with me
Your secret's safe with me
 
Containers: Give Me The Facts, Not The Hype - AppD Summit Europe
Containers: Give Me The Facts, Not The Hype - AppD Summit EuropeContainers: Give Me The Facts, Not The Hype - AppD Summit Europe
Containers: Give Me The Facts, Not The Hype - AppD Summit Europe
 
Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?
 
Secure development on Kubernetes by Andreas Falk
Secure development on Kubernetes by Andreas FalkSecure development on Kubernetes by Andreas Falk
Secure development on Kubernetes by Andreas Falk
 
DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...
DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...
DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...
 
Container Monitoring with Sysdig
Container Monitoring with SysdigContainer Monitoring with Sysdig
Container Monitoring with Sysdig
 
Caching reboot: javax.cache & Ehcache 3
Caching reboot: javax.cache & Ehcache 3Caching reboot: javax.cache & Ehcache 3
Caching reboot: javax.cache & Ehcache 3
 
Docker Seattle Meetup April 2015 - The Docker Orchestration Ecosystem on Azure
Docker Seattle Meetup April 2015 - The Docker Orchestration Ecosystem on AzureDocker Seattle Meetup April 2015 - The Docker Orchestration Ecosystem on Azure
Docker Seattle Meetup April 2015 - The Docker Orchestration Ecosystem on Azure
 
Dockertaipei 20150528-dockerswarm
Dockertaipei 20150528-dockerswarmDockertaipei 20150528-dockerswarm
Dockertaipei 20150528-dockerswarm
 
Docker New York Meetup May 2015 - The Docker Orchestration Ecosystem on Azure
Docker New York Meetup May 2015 - The Docker Orchestration Ecosystem on Azure Docker New York Meetup May 2015 - The Docker Orchestration Ecosystem on Azure
Docker New York Meetup May 2015 - The Docker Orchestration Ecosystem on Azure
 
Discover some "Big Data" architectural concepts with Redis
Discover some "Big Data" architectural concepts with Redis Discover some "Big Data" architectural concepts with Redis
Discover some "Big Data" architectural concepts with Redis
 
Monitoring microservices: Docker, Mesos and Kubernetes visibility at scale
Monitoring microservices: Docker, Mesos and Kubernetes visibility at scaleMonitoring microservices: Docker, Mesos and Kubernetes visibility at scale
Monitoring microservices: Docker, Mesos and Kubernetes visibility at scale
 
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
 
(DAT407) Amazon ElastiCache: Deep Dive
(DAT407) Amazon ElastiCache: Deep Dive(DAT407) Amazon ElastiCache: Deep Dive
(DAT407) Amazon ElastiCache: Deep Dive
 
Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3
 
Secret Management with Hashicorp Vault and Consul on Kubernetes
Secret Management with Hashicorp Vault and Consul on KubernetesSecret Management with Hashicorp Vault and Consul on Kubernetes
Secret Management with Hashicorp Vault and Consul on Kubernetes
 
The Concierge Paradigm
The Concierge ParadigmThe Concierge Paradigm
The Concierge Paradigm
 
Devoxx France 2015 - The Docker Orchestration Ecosystem on Azure
Devoxx France 2015 - The Docker Orchestration Ecosystem on AzureDevoxx France 2015 - The Docker Orchestration Ecosystem on Azure
Devoxx France 2015 - The Docker Orchestration Ecosystem on Azure
 
Commit 2024 Secrets Management Made Easy
Commit 2024 Secrets Management Made EasyCommit 2024 Secrets Management Made Easy
Commit 2024 Secrets Management Made Easy
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
 

More from Liz Rice

The maths behind microscaling
The maths behind microscalingThe maths behind microscaling
The maths behind microscalingLiz Rice
 
Game of Hosts - Containers, VMs and Microscaling
Game of Hosts - Containers, VMs and MicroscalingGame of Hosts - Containers, VMs and Microscaling
Game of Hosts - Containers, VMs and MicroscalingLiz Rice
 
How to build a personalized interface for VOD
How to build a personalized interface for VODHow to build a personalized interface for VOD
How to build a personalized interface for VODLiz Rice
 
Tank Top TV - Netflix viewing data
Tank Top TV - Netflix viewing dataTank Top TV - Netflix viewing data
Tank Top TV - Netflix viewing dataLiz Rice
 
Killing the TV time grid
Killing the TV time gridKilling the TV time grid
Killing the TV time gridLiz Rice
 

More from Liz Rice (7)

The maths behind microscaling
The maths behind microscalingThe maths behind microscaling
The maths behind microscaling
 
Game of Hosts - Containers, VMs and Microscaling
Game of Hosts - Containers, VMs and MicroscalingGame of Hosts - Containers, VMs and Microscaling
Game of Hosts - Containers, VMs and Microscaling
 
How to build a personalized interface for VOD
How to build a personalized interface for VODHow to build a personalized interface for VOD
How to build a personalized interface for VOD
 
Tank Top TV - Netflix viewing data
Tank Top TV - Netflix viewing dataTank Top TV - Netflix viewing data
Tank Top TV - Netflix viewing data
 
Killing the TV time grid
Killing the TV time gridKilling the TV time grid
Killing the TV time grid
 
Cadbury
CadburyCadbury
Cadbury
 
Beatz
BeatzBeatz
Beatz
 

Recently uploaded

%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrandmasabamasaba
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...masabamasaba
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2
 
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfonteinmasabamasaba
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...masabamasaba
 
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...masabamasaba
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...Health
 
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...WSO2
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisamasabamasaba
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...Shane Coughlan
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech studentsHimanshiGarg82
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2
 
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...Jittipong Loespradit
 
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024VictoriaMetrics
 
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...masabamasaba
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplatePresentation.STUDIO
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesVictorSzoltysek
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 

Recently uploaded (20)

%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?
 
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
 
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
 
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
 
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
 
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 

Container secrets talk from DevSecCon

  • 1. Join the conversation #DevSecCon Your (container) secret’s safe with me Liz Rice, Aqua Security @lizrice
  • 4. Desirable attributes for secrets management
  • 5. 5 Secrets @LizRice | @AquaSecTeam Secrets photo: Katie Tegtmeyer ■ Encrypted ■ At rest and in transit ■ Only decrypted in memory
  • 6. 6 Secrets @LizRice | @AquaSecTeam Secrets photo: James Case ■ Access control ■ Only accessible by containers that need them ■ And users ■ Write-only access
  • 7. 7 Secrets @LizRice | @AquaSecTeam Secrets photo: Irena Jackson ■ Life-cycle ■ Risk of leak increases over time ■ Rotation, revocation, audit logging
  • 8. Passing secrets to containers
  • 9. 9 Bad places for secrets @LizRice | @AquaSecTeam ■ Source code ■ Dockerfiles / images
  • 10. 10 docker run -e VARNAME=secret ... Environment variables @LizRice | @AquaSecTeam
  • 11. 11 ■ docker inspect ■ docker exec ■ /proc directory ■ Leaky logs Environment variables @LizRice | @AquaSecTeam
  • 12. 12 docker run -v /hostsecrets:/secrets ... Mounted volume @LizRice | @AquaSecTeam
  • 13. 13 ■ docker inspect ■ docker exec ■ /proc directory ■ Leaky logs Mounted volume @LizRice | @AquaSecTeam
  • 15. 15 Docker @LizRice | @AquaSecTeam ■ Secrets support built in for Docker Swarm services ■ Not standalone containers ■ Encrypted transmission with mutual authentication ■ Secret accessible when exposed to service ■ Mounted to a temporary fs (not env vars) ■ RBAC in Enterprise Edition
  • 16. 16 Docker @LizRice | @AquaSecTeam ■ Encrypted in Raft log ■ Lock your Swarm!! ■ Shared to Swarm managers ■ Audit log with events ■ Rotation requires container restart & secret dance Encrypted ✓ Access control ✓ Life-cycle ?
  • 17. 17 Kubernetes secrets @LizRice | @AquaSecTeam ■ Secret configured in pod YAML ■ Namespaced ■ RBAC can be turned on --authorization-mode=RBAC ■ Files and env vars ■ Files support updating secret values ■ Need to restart pod to get new env var value
  • 18. 18 Kubernetes secrets @LizRice | @AquaSecTeam ■ Stored in etcd ■ Make sure secrets are encrypted! ■ --experimental-encryption-provider-config on API Server Encrypted ? Access control ✓ Life-cycle ✓
  • 19. 19 Kubernetes secrets @LizRice | @AquaSecTeam kind: EncryptionConfig apiVersion: v1 resources: - resources: - secrets providers: - aescbc: keys: - name: key1 secret: bXlWZXJ5U2VjcmV0RW5jcnlwdGlvbktleQo= - identity: {}
  • 20. 20 Secrets all the way down @LizRice | @AquaSecTeam ■ EncryptionConfig holds a secret key... xkcd.com/1416
  • 21. 21 DC/OS @LizRice | @AquaSecTeam ■ Enterprise DC/OS ■ Plug-ins for Mesos/Marathon ■ Encrypted in ZooKeeper ■ Env vars ■ Access control by service path ■ Restart service to update value Encrypted ✓ Access control ✓ Life-cycle ?
  • 22. 22 Nomad @LizRice | @AquaSecTeam ■ Integrated with Vault ■ Use production mode ■ Encryption & security primitives
  • 23. 23 Nomad @LizRice | @AquaSecTeam ■ Secrets passed as files ■ Nomad takes care of interactions with Vault ■ Tasks get tokens so they can retrieve values ■ Poll for changed values ■ Access control ■ Audit logging Encrypted ✓ Access control ✓ Life-cycle ✓
  • 24. 24 Aqua secrets & external store @LizRice | @AquaSecTeam ■ Any orchestrator ■ Secret storage in 3rd party backend ■ Hashicorp Vault, Amazon KMS, Azure Key Vault, CyberArk Vault...
  • 25. 25 Aqua secrets & external store @LizRice | @AquaSecTeam ■ File system & env var support ■ Update secrets without container restart ■ No env var leak through inspect or /proc ■ Auditing of secret usage ■ User & container access control Encrypted ✓ Access control ✓ Life-cycle ✓
  • 27. 27 Secrets @LizRice | @AquaSecTeam Secrets photo: Iain Merchant ■ Access secrets at runtime ■ Not built in ■ Rotate secrets ■ Your best option depends on ■ Orchestrator ■ Acceptable level of risk
  • 28. Join the conversation #DevSecCon The Ultimate Guide to Secrets Management in Containers tiny.cc/secrets @LizRice | @AquaSecTeam
  • 29. 29 Kubernetes secrets access @LizRice | @AquaSecTeam ■ RBAC can be turned on --authorization-mode=RBAC # This role binding allows "dave" to read secrets in the "development" namespace. kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: read-secrets namespace: development # This only grants permissions within the "development" namespace. subjects: - kind: User name: dave apiGroup: rbac.authorization.k8s.io roleRef: kind: ClusterRole name: secret-reader apiGroup: rbac.authorization.k8s.io