Your (container) secret's safe with me

•

1 j'aime•818 vues

Liz Rice

Managing secrets in a containerized deployments. As seen at ContainerCamp London September 2017

Logiciels

Copyright @ 2017 Aqua Security Software Ltd. All Rights Reserved.
Your secret’s safe with me
Liz Rice
@LizRice | @AquaSecTeam

Desirable attributes for secrets management

4
Secrets
@LizRice | @AquaSecTeam
Secrets
photo: Katie Tegtmeyer
■ Encrypted
■ At rest and in transit
■ Only decrypted in
memory

5
Secrets
@LizRice | @AquaSecTeam
Secrets
photo: James Case
■ Access control
■ Only accessible by containers
that need them
■ And users
■ Write-only access

6
Secrets
@LizRice | @AquaSecTeam
Secrets
photo: Irena Jackson
■ Life-cycle
■ Risk of leak increases over time
■ Rotation, revocation, audit logging

8
Bad places for secrets
@LizRice | @AquaSecTeam
■ Source code
■ Dockerfiles / images

9
docker run -e VARNAME=secret ...
Environment variables
@LizRice | @AquaSecTeam

10
docker run -v /hostsecrets:/secrets ...
Mounted volume
@LizRice | @AquaSecTeam

12
Docker
@LizRice | @AquaSecTeam
■ Secrets support built in for Docker Swarm services
■ Not standalone containers
■ Secret accessible when exposed to service
■ Mounted to a temporary fs (not env vars)
■ RBAC in Enterprise Edition
■ Rotation requires container restart

13
Docker
@LizRice | @AquaSecTeam
■ Encrypted in Raft log
■ Lock your Swarm!!
■ Shared to Swarm managers
■ External secrets stores coming
■ Encrypted transmission with mutual
authentication

14
Kubernetes secrets
@LizRice | @AquaSecTeam
■ Secret configured in pod YAML
■ Mounted as a volume or configured as env var
■ Namespaced

15
Kubernetes secrets
@LizRice | @AquaSecTeam
■ Stored in etcd
■ Make sure secrets are encrypted!
■ --experimental-encryption-provider-config on API Server

16
Kubernetes secrets
@LizRice | @AquaSecTeam
kind: EncryptionConfig
apiVersion: v1
resources:
- resources:
- secrets
providers:
- aescbc:
keys:
- name: key1
secret: bXlWZXJ5U2VjcmV0RW5jcnlwdGlvbktleQo=
- identity: {}

17
Secrets all the way down
@LizRice | @AquaSecTeam
■ EncryptionConfig holds a secret key...
xkcd.com/1416

18
Kubernetes secrets access
@LizRice | @AquaSecTeam
■ RBAC can be turned on --authorization-mode=RBAC
# This role binding allows "dave" to read secrets in the "development" namespace.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: read-secrets
namespace: development # This only grants permissions within the "development" namespace.
subjects:
- kind: User
name: dave
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: secret-reader
apiGroup: rbac.authorization.k8s.io

19
DC/OS
@LizRice | @AquaSecTeam
■ Enterprise DC/OS
■ Plug-ins for Meson/Marathon
■ Encrypted in ZooKeeper
■ Env vars
■ Access control by service path
■ Restart service to update value

20
Nomad
@LizRice | @AquaSecTeam
■ Integrated with Vault
■ Tasks get tokens so they can retrieve values from Vault
■ Poll for changed values
■ Access control

21
Aqua secrets
@LizRice | @AquaSecTeam
■ Any orchestrator
■ Secret storage in 3rd party backend
■ Hashicorp Vault, Amazon KMS, Azure Key Vault, CyberArk Vault...
■ File system & env var support
■ Env vars injected into container process memory
■ Secret can be injected to a tempfs filesystem
■ Update secrets without restart of container
■ Auditing of secret usage
■ Limit access to designated containers
■ User access controls

23
Secrets
@LizRice | @AquaSecTeam
Secrets
photo: Iain Merchant
■ Your best option depends on
■ Orchestrator
■ Acceptable level of risk

Copyright @ 2017 Aqua Security Software Ltd. All Rights Reserved.
The Ultimate Guide to Secrets Management in Containers
tiny.cc/secrets
@LizRice | @AquaSecTeam

Contenu connexe

Tendances

Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...

Michael Man

Kubernetes - security you need to know about it

Haydn Johnson

Zombies in Kubernetes

Thomas Fricke

Kubernetes is fundamentally a complex system with lots of different potential attack vectors aimed at data theft, currency mining and other threats. During this webinar, Aqua Security and Weaveworks will provide an overview of the current state of security-related features in Kubernetes, demonstrate how you can build a secure and reliable Kubernetes deployment pipeline with GitOps best practices, and explore how to best prevent common Git attacks. In addition we will show image scanning and briefly explore how to best prevent common Git attacks.

Introduction to Kubernetes Security (Aqua & Weaveworks)

Weaveworks

Now that we have passed “peak orchestrator” and as Kubernetes eats the world, we are left wondering: how secure is Kubernetes? Can we really run Google-style multi tenanted infrastructure safely? And how can we be sure what we configured yesterday will be in place tomorrow? In this talk we discuss: - the Kubernetes security landscape - risks, security models, and configuration best-practices - how to configure users and applications with least-privilege - how to isolate and segregate workloads and networks - hard and soft multi-tenancy - Continuous Security approaches to Kubernetes.

DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security

DevOpsDays Riga

Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...

Michael Man

Alex Dias: how to build a docker monitoring solution

Outlyer

Continuous Delivery helps to keep your software and Docker images updated and deploy new versions in production easily. Microservices are great at reducing the attack vector and limiting the privileges or credentials access of each piece of your application. Containers provide an opportunity to implement better security, small, immutable, single process and purpose. In this session, we will discover real use case examples on how to make your CI/CD pipeline interact with Docker security tools. But security doesn’t stop where your deployment pipeline ends. How can we prepare for 0-days and policy violations that happen at run-time? Can we make it part of the CI/CD process?

CI / CD / CS - Continuous Security in Kubernetes

Sysdig

Container Security Deep Dive & Kubernetes

Aqua Security

Security threats with Kubernetes - Igor Khoroshchenko

Kuberton

Kubernetes - Security Journey

Jerry Jalava

BRISK_Network_Pentest_

BriskInfosec Solutions

Chris Rutter: Avoiding The Security Brick

Michael Man

Containing the Gear: Deep Dive on SELinux, Multi-tenancy, Containers & Security with Dan Walsh Presenter: Dan Walsh In this talk, Dan will do a deep dive into the Origin PaaS use of SELinux and containerization. He will discuss how SELinux being utilized to ensure that Origin is the the most secure PAAS available today. He will address some of his ideas for the future of Origin and SELinux. From 2013-04-14 OpenShift Origin Community Day in Portland, Oregon

OpenShift & SELinux with Dan Walsh @rhatdan

OpenShift Origin

How abusing the Docker API led to remote code execution same origin bypass an...

Aqua Security

Bandit and Gosec - Security Linters

EricBrown328

Cloud native applications are popular these days – applications that run in the cloud reliably und scale almost arbitrarily. They follow three key principles: They are built and composed as microservices, they are packaged and distributed in containers and the containers are executed dynamically in the cloud. In this hands-on session we will show how to build, package and deploy cloud native Java EE applications on top of DC/OS - fully automated with Gradle using cloud native infrastructure like Consul, Fabio, Hystrix and Prometheus. And for the fun of it we will be using an off-the-shelf DJ pad, programmed with nothing else than the Java Sound API, to demonstrate the core concepts and to visualize and remote control DC/OS.

JEE on DC/OS

Josef Adersberger

Lessons Learned in Automating Compliance for Containers

All Things Open

What is Google Cloud Good For at DevFestInspire 2021

Robert John

Ryan Koop's Docker Chicago Meetup Demo March 12 2014

Cohesive Networks

Tendances (20)

Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...

Kubernetes - security you need to know about it

Zombies in Kubernetes

Introduction to Kubernetes Security (Aqua & Weaveworks)

DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security

Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...

Alex Dias: how to build a docker monitoring solution

CI / CD / CS - Continuous Security in Kubernetes

Container Security Deep Dive & Kubernetes

Security threats with Kubernetes - Igor Khoroshchenko

Kubernetes - Security Journey

BRISK_Network_Pentest_

Chris Rutter: Avoiding The Security Brick

OpenShift & SELinux with Dan Walsh @rhatdan

How abusing the Docker API led to remote code execution same origin bypass an...

Bandit and Gosec - Security Linters

JEE on DC/OS

Lessons Learned in Automating Compliance for Containers

What is Google Cloud Good For at DevFestInspire 2021

Ryan Koop's Docker Chicago Meetup Demo March 12 2014

Similaire à Your (container) secret's safe with me

Your secret's safe with me

Aqua Security

DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...

Lacework

Docker Seattle Meetup April 2015 - The Docker Orchestration Ecosystem on Azure

Patrick Chanezon

Docker is hot, Docker security is not? In this talk the risks, benefits and defenses of Docker are discussed. They are followed up by some best practices, which can you use in your daily activities. What is clear is that there is still a lot to do to get your containers secured. Event: Docker Amsterdam Meetup - January 2015 This presentation was given by Michael Boelen, January 23rd at Schuberg Philis. The event was organized by Mark Robert Coleman with help of Harm Boertien. With a full house of people, Docker security was discussed. About the author: Michael Boelen is founder of CISOfy and researches Linux security to build tools and documentation, to simplify it for others. Examples are tools like Rootkit Hunter and Lynis, blog posts and presentations.

Docker Security: Are Your Containers Tightly Secured to the Ship?

Michael Boelen

Docker New York Meetup May 2015 - The Docker Orchestration Ecosystem on Azure

Patrick Chanezon

Docker, Kubernetes, Rancher… just a few of the container technologies out there. The buzz around containers is still growing, as they can make a seismic impact on release velocity. But what’s the best way to add containers to your technology stack? Get the low down from a container expert who will separate the facts from fiction. What’s the best path to scale your adoption and usage? How do you guard against user privilege escalation? How do containers fit into a DevOps approach? In this talk, Liz Rice will: -Explain what’s involved in the lifecycle stages: Develop, Registry, and Deploy -Build a container live on stage, by writing one in a few lines of Go code -Flag container security risks and give tips on how to achieve peace of mind For more information, visit: www.appdynamics.com

Containers: Give Me The Facts, Not The Hype - AppD Summit Europe

AppDynamics

Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019

Lacework

Cloud Native TLV Meetup: Securing Containerized Applications Primer

Phil Estes

Docker San Francisco Meetup April 2015 - The Docker Orchestration Ecosystem o...

Patrick Chanezon

A talk given at DevOps Pro Vilnius on March 15, 2018 about container security. In this talk we discussed the core topics around the container ecosystem (host, runtime, image) applicable to both Docker and Kubernetes, as well as discussing usable security/secure by default, and defense in depth principles. Also discussed were security futures like Project Grafeas, libentitlement, LinuxKit concepts, and trusted/untrusted container runtimes in Kubernetes.

It's 2018. Are My Containers Secure Yet!?

Phil Estes

Feeling overwhelmed while getting started with containers? Have you been tasked to figure out how to train everyone back at your organization? There's just so much to learn and teach! In this talk, we'll start with a tiny bit of history to motivate the "why" and quickly move into the "what" by explaining what container and images actually are (they're not just magical black boxes!). We'll talk about how volumes help with data persistence and include an overview of Docker Compose and even orchestration. There will be plenty of live demos and fun!

DCSF19 Containers for Beginners

Docker, Inc.

Running any application in a multi-tenant environment poses its challenges. This talk is focused around how we at Rackspace run Redis in a multi-tenant environment, ensuring security, performance, fault tolerance and high availability. This talk will cover: an architecture deep dive of multi tenant Redis on the cloud, management of sentinels, monitoring and operations of a large scale Redis deployment,introducing new Redis versions,scaling, security, some lessons learnt. The target audience for this talk is anyone who is interested in the deployment/operational aspect of running Redis. This is relevant not only for those who want to run Redis themselves, but also interested in how a Redis provider might be doing it for them.

Redis in a Multi Tenant Environment–High Availability, Monitoring & Much More!

Redis Labs

Redis High availability and fault tolerance in a multitenant environment

Iccha Sethi

Docker for Web Developers: A Sneak Peek

msyukor

"Secure development on Kubernetes" With the rise of Kubernetes, the Java developer has arrived in the DevOps age as well. By the multitude of complex tasks, the necessary security is often neglected. Even in managed clusters of well-known cloud providers, there are many traps and points of attack lurking. In this presentation, essential security-critical components of a Kubernetes cluster will be presented. Security problems and corresponding measures to mitigate these will be shown. All steps are described using live demos with an exemplary Spring Boot Java application, that is deployed as a docker container in a Kubernetes cluster, taking into account recommended security patterns. Speaker: Andreas Falk, Novatec Consulting Talk language: English About the Speaker: ********************* Andreas Falk has been working in enterprise application development projects for more than twenty years. Currently, he is working as a managing consultant for Novatec Consulting located in Germany. In various projects, he has since been around as consultant, architect, coach, developer, and tester. His focus is on the agile development of cloud-native enterprise java applications using the complete Spring platform. As a member of the Open Web Application Security Project (OWASP), he likes to have a closer look at all aspects of application security as well. Andreas is also a frequent speaker at conferences like Spring I/O, CloudFoundry Summit, Devoxx, and OWASP AppSec.

Secure development on Kubernetes by Andreas Falk

SBA Research

(DAT407) Amazon ElastiCache: Deep Dive

Amazon Web Services

Devoxx France 2015 - The Docker Orchestration Ecosystem on Azure

Patrick Chanezon

In addition to authorization policies that control what a user can do, OpenShift Container Platform gives its administrators the ability to manage a set of security context constraints (SCCs) for limiting pods and securing their cluster. Default security context may be too restrictive for containers pulled down from DockerHub, thorugh this talk we'll explore the various steps to execute for enabling required permissions on selected OpenShift's pods.

[Devconf.cz][2017] Understanding OpenShift Security Context Constraints

Alessandro Arrichiello

Rootless Containers & Unresolved issues

Akihiro Suda

Docker Security

antitree

Similaire à Your (container) secret's safe with me (20)