12.
Docker
@LizRice | @AquaSecTeam
■ Secrets support built in for Docker Swarm services (docker secret create, then docker service create --secret)
■ Not available to standalone containers started with docker run
■ A secret is only accessible to the services it has been explicitly exposed to
■ Mounted into the container on an in-memory tmpfs (at /run/secrets/<name> on Linux), not passed as env vars
■ RBAC in Enterprise Edition
■ Rotation requires a container restart: secrets are immutable, so you create a new one and update the service with --secret-rm/--secret-add, which redeploys its tasks
13.
Docker
■ Encrypted at rest in the Raft log that the managers replicate
■ Lock your Swarm!! (docker swarm init --autolock, or docker swarm update --autolock=true): without autolock the key that encrypts the Raft log sits on every manager's disk; with it you must supply the unlock key when a manager restarts, so keep that key somewhere safe
■ Shared to all Swarm managers, so compromising any one manager exposes every secret
■ External secrets stores coming
■ Encrypted transmission with mutual TLS authentication between nodes
14.
Kubernetes secrets
■ A Secret is its own API object; the pod YAML references it by name
■ Mounted as a volume (backed by tmpfs) or configured as env var (secretKeyRef / envFrom)
■ Namespaced: a pod can only reference secrets in its own namespace
15.
Kubernetes secrets
■ Stored in etcd, base64-encoded but not encrypted by default
■ Make sure secrets are encrypted!
■ --experimental-encryption-provider-config on the API server (the flag has since been renamed --encryption-provider-config)
17.
Secrets all the way down
■ EncryptionConfig holds a secret key... in plain text on the API server host, so protect that file (or use the kms provider so the data-encryption keys are wrapped by an external KMS)
xkcd.com/1416
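The three points above (a Secret is only base64-encoded in etcd, encryption at rest has to be switched on via the API server's encryption config, and that config file is itself a secret) are easier to see in code. The following is an added example, not code from the deck or from the Kubernetes project: it builds a Secret manifest the way kubectl does, shows that the stored value decodes trivially, generates an EncryptionConfiguration with a fresh AES-256 key, and checks that the no-op identity provider is not the one used for writes. The secret name, namespace, values and the key name "key1" are constructed for this example; the manifests are emitted as JSON, which is valid YAML, so they can be fed to kubectl apply -f without a YAML library.

```python
"""Kubernetes secrets at rest: base64 is encoding, not encryption (added example)."""
import base64
import json
import secrets


def build_secret(name, namespace, values):
    """Return a v1 Secret manifest. The values are base64-encoded, nothing more:
    this is exactly what lands in etcd when encryption at rest is not configured."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {k: base64.b64encode(v.encode()).decode()
                 for k, v in values.items()},
    }


def decode_secret(manifest):
    """What anyone who can read the Secret object, or the etcd data files, recovers."""
    return {k: base64.b64decode(v).decode()
            for k, v in manifest["data"].items()}


def build_encryption_config(key_name, key_bytes=None):
    """EncryptionConfiguration for the kube-apiserver (--encryption-provider-config;
    --experimental-encryption-provider-config on 2017-era clusters, where the kind
    was EncryptionConfig with apiVersion v1). aescbc is listed first so every new
    write is encrypted; identity last so objects written before the change can still
    be read until they are rewritten. The key is stored here base64-encoded in plain
    text, so the file is itself a secret and needs restrictive permissions."""
    if key_bytes is None:
        key_bytes = secrets.token_bytes(32)  # AES-256 key
    if len(key_bytes) not in (16, 24, 32):
        raise ValueError("aescbc key must be 16, 24 or 32 bytes")
    return {
        "apiVersion": "apiserver.config.k8s.io/v1",
        "kind": "EncryptionConfiguration",
        "resources": [{
            "resources": ["secrets"],
            "providers": [
                {"aescbc": {"keys": [{"name": key_name,
                                      "secret": base64.b64encode(key_bytes).decode()}]}},
                {"identity": {}},
            ],
        }],
    }


def writes_are_encrypted(config):
    """True only if secrets are covered and, for every list that covers them, the
    first provider (the one the API server uses for writes) is not identity.
    identity first is the classic misconfiguration: reads still work, but new
    secrets are written to etcd in plain text."""
    covered = False
    for entry in config.get("resources", []):
        if "secrets" not in entry.get("resources", []):
            continue
        covered = True
        providers = entry.get("providers", [])
        if not providers or "identity" in providers[0]:
            return False
    return covered


def to_yaml(obj):
    """JSON is a subset of YAML, so this output is accepted by kubectl apply -f."""
    return json.dumps(obj, indent=2)


if __name__ == "__main__":
    # Constructed sample values for the demonstration.
    manifest = build_secret("db-creds", "development", {"password": "hunter2"})
    print(to_yaml(manifest))
    print("recovered without encryption at rest:", decode_secret(manifest))
    cfg = build_encryption_config("key1")
    print(to_yaml(cfg))
    print("writes encrypted:", writes_are_encrypted(cfg))
```

After applying such a config to the API server, existing Secrets stay in plain text until they are rewritten (for example with kubectl get secrets --all-namespaces -o json | kubectl replace -f -), and the check here only inspects provider order; it does not prove the API server is actually running with the file.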
18.
Kubernetes secrets access
■ RBAC is enabled with --authorization-mode=RBAC on the API server (the default in most current distributions); the Kubernetes docs example below scopes a ClusterRole to a single namespace with a RoleBinding
# This role binding allows "dave" to read secrets in the "development" namespace.
# It assumes a ClusterRole named "secret-reader" exists that grants get/list/watch
# on secrets; binding it with a RoleBinding (not a ClusterRoleBinding) limits the
# grant to this one namespace.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1 # v1beta1 in the original 2017 deck; removed in Kubernetes 1.22
metadata:
  name: read-secrets
  namespace: development # This only grants permissions within the "development" namespace.
subjects:
- kind: User
  name: dave
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io
19.
DC/OS
■ Enterprise DC/OS only
■ Plug-ins for Mesos/Marathon
■ Encrypted in ZooKeeper
■ Delivered to the task as env vars
■ Access control by service path
■ Restart the service to pick up an updated value
20.
Nomad
■ Integrated with Vault
■ Each task gets its own Vault token (vault stanza in the job) so it can retrieve values from Vault
■ Poll for changed values: a template stanza re-renders when a value changes, and change_mode decides whether the task is signalled or restarted
■ Access control through the Vault policies named in the job
21.
Aqua secrets
■ Any orchestrator
■ Secret storage in 3rd party backend
■ HashiCorp Vault, AWS KMS, Azure Key Vault, CyberArk Vault...
■ File system & env var support
■ Env vars injected into container process memory
■ Secret can be injected to a tmpfs filesystem
■ Update secrets without restart of container
■ Auditing of secret usage
■ Limit access to designated containers
■ User access controls
24. Copyright © 2017 Aqua Security Software Ltd. All Rights Reserved.
The Ultimate Guide to Secrets Management in Containers
tiny.cc/secrets
@LizRice | @AquaSecTeam