Transcript of the slide deck "Secrets Management at Scale with Vault & Rancher"
Page 1
Secrets Management at Scale with Vault & Rancher
24. June
Robert de Bock, Senior DevOps, [email protected]
Kapil Arora, Senior Solution, [email protected]
Bastian Hofman, Senior Field, [email protected]
Page 2
Containers are great!
Page 3
One self-contained, portable package for your application
Page 4
Containers are great... but
Managing a couple – no problem
Page 5
Containers are great... but
How about managing many?
How do we address networking, security, scheduling, automation, etc.?
Page 6
Page 7
Why Kubernetes? Common compute platform across any infrastructure
Dev, Datacenter, Cloud, Branch, 5G / Edge
✔ Common API & Packaging
✔ Health Checks / HA
✔ Load Balancing
✔ Overlay Networking
✔ Network Security Policies
✔ Backup and Recovery
✔ Autoscaling
✔ Service Discovery
✔ Networking
✔ RBAC & Access Control
Page 8
Common compute platform across any infrastructure and a consistent set of infrastructure capabilities (the same capability list, repeated for each environment: Dev, Datacenter, Cloud, Branch, 5G / Edge)
Page 9
Kubernetes architecture
● Control plane: manages the cluster and exposes an API for control (reached via the API / CLI)
● etcd: a key-value store used as Kubernetes' backing store for all cluster data, Secret objects included (they are stored base64-encoded and are only encrypted if encryption at rest is configured)
● Worker: runs workloads and all of the supporting components
Page 10
Setting up Kubernetes is hard
Page 11
You don't compile Linux from scratch, you use a distribution
Page 12
Rancher Kubernetes Engine
• 100% upstream Kubernetes
• CNCF certified
• Easy installation
• Zero-downtime upgrades
• Backup & disaster recovery
• Air-gapped installation support
Page 13
Kubernetes clusters are great... but
Managing a couple – no problem
Page 14
Kubernetes clusters are great... but
How about managing many?
• Different environments
• Different teams
• Different hardware
• Different locations
• Edge devices
Page 15
SUSE Rancher - the industry's only platform to manage all Kubernetes distributions
Applications 1, 2, 3 (running on the managed clusters)
Platform Services (Build & Run): Rancher Catalog, Service Mesh, Longhorn Storage, Terraform Operator, Dashboards & Observability, Monitoring & Alerts
Security & Authentication, Policy Enforcement & Governance: RBAC, OPA, Pod & Network Policies; CIS Benchmarking; Monitoring & Logging; Centralized Audit
Simplified Cluster Operations & Infrastructure Management (Run & Manage): GitOps Continuous Delivery; Cluster Templates & Config Enforcement; K8s Version Management; Node Pool Management; Cluster Provisioning & Lifecycle Management
Managed distributions: SUSE Linux Enterprise Product Family, Amazon EKS, Azure AKS, Google GKE
Environments: Cloud, Datacenter, Edge, Branch, Dev
Page 16
Secret Management in Kubernetes
Page 17
Page 18
Page 19
Secret Management Challenges
● Secrets sprawl
● Secrets rotation
● X.509 certificates, SSH and cloud access
● Encryption
● Multi-platform and multi-cloud
● Central control and management
● Auditing
● Compliance & Hardware Security Module (HSM) integration
● Costs, scalability & productivity
Page 20
HashiCorp Vault
Provides the foundation for cloud security that leverages trusted sources of identity to keep secrets and application data secure
● Secrets management to centrally store and protect secrets across clouds and applications
● Data encryption to keep application data secure across environments and workloads
● Advanced Data Protection to secure workloads and data across traditional systems, clouds, and infrastructure
475+ Enterprise Customers | 1M+ Monthly Downloads | 2T+ Transactions Weekly
Page 22
Source: https://www.gartner.com/en/documents/3988410/critical-capabilities-for-privileged-access-management
Page 23
Vault Workflow Overview
Page 24
Vault Principles
API (HTTP REST / KMIP), Web UI, CLI
Identity (auth methods): LDAP/AD, OIDC, JWT, GitHub, MFA/Radius, Okta, AWS, Azure, GCP, AliCloud, Kubernetes, Cloud Foundry, AppRole
Policy / Governance: under what conditions? Which secrets can I get?
Audit
Dynamic Secrets: Databases, Public Cloud, Consul / Nomad, X.509 Certs, RabbitMQ, SSH / Active Directory
Static Secrets (Versioned)
Crypto as a Service: Encrypt / Decrypt, Format-preserving encryption, Sign / Verify, HMAC, Masking, Key Management via KMIP
Page 25
Combining Vault and Rancher
Page 26
Vault & Rancher - Why?
• Automation: both products have a strong API.
• The combination prevents vendor lock-in.
• With Rancher and K8s, a secrets engine becomes important.
Page 27
Deploy Vault on Rancher's K8s clusters
$ helm repo add hashicorp https://helm.releases.hashicorp.com
"hashicorp" has been added to your repositories
$ helm install vault hashicorp/vault
The chart's defaults deploy a single standalone server that starts uninitialised and sealed; it has to be initialised (vault operator init) and unsealed before it serves any request.
Stolen from https://www.vaultproject.io/docs/platform/k8s/helm
Page 28
Demo deploying Vault
If demo-gods are angry: https://youtu.be/k9lpsnXQv-I
Page 29
Use Rancher's K8s authentication for Vault
Vault typically uses an authentication provider, like Active Directory or GitHub.
K8s is also an authentication provider: a pod presents its service account token, Vault verifies it against the cluster's TokenReview API, and issues a Vault token carrying the policies bound to the matching role.
This makes Vault quite easy to integrate.
Let's review https://www.vaultproject.io/docs/auth/kubernetes
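The login flow the slide refers to, written out against Vault's HTTP API as an added example (not code from the deck or from HashiCorp): the pod reads its projected service account JWT, posts it to the Kubernetes auth method's login endpoint, and uses the returned client token to read a KV v2 secret. The role name internal-app and the secret path internal/data/database/config are taken from the Vault Agent slide; the auth mount name, the Vault address and the offline fake transport are assumptions for illustration.

```python
"""
Added example, not part of the original slides: a pod authenticating to Vault
with its Kubernetes service account JWT and reading a KV v2 secret by hand,
so the steps that Vault Agent and the CSI provider hide are visible.
Assumptions (not stated in the deck): the Kubernetes auth method is mounted at
auth/kubernetes, a role named "internal-app" exists and the secret lives in a
KV v2 engine at internal/data/database/config. Standard library only.
"""
import json
import urllib.request
from typing import Callable, Optional

# Default location of the projected service account token inside a pod.
SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"

# A transport is any callable with this shape; swapping it for a fake lets
# the client be exercised without a running Vault.
Transport = Callable[[str, str, Optional[dict], Optional[str]], dict]


def http_transport(method: str, url: str, body: Optional[dict],
                   token: Optional[str]) -> dict:
    """Send one JSON request to Vault and decode the JSON response."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.loads(resp.read().decode())


def read_sa_token(path: str = SA_TOKEN_PATH) -> str:
    """Read the pod's projected service account JWT (strip any trailing newline)."""
    with open(path, encoding="utf-8") as f:
        return f.read().strip()


class VaultKubernetesClient:
    def __init__(self, addr: str, role: str,
                 transport: Transport = http_transport,
                 auth_mount: str = "kubernetes"):
        self.addr = addr.rstrip("/")
        self.role = role
        self.auth_mount = auth_mount
        self.transport = transport
        self.token: Optional[str] = None
        self.lease_duration = 0  # seconds the Vault token is valid for

    def login(self, jwt: str) -> str:
        """Exchange the service account JWT for a Vault token.

        Vault validates the JWT with the cluster's TokenReview API and checks
        that the service account name and namespace are allowed by the role.
        """
        url = f"{self.addr}/v1/auth/{self.auth_mount}/login"
        resp = self.transport("POST", url, {"role": self.role, "jwt": jwt}, None)
        auth = resp.get("auth") or {}
        if "client_token" not in auth:
            raise RuntimeError(f"login failed: {resp.get('errors', resp)}")
        self.token = auth["client_token"]
        self.lease_duration = int(auth.get("lease_duration", 0))
        return self.token

    def read_kv2(self, mount: str, path: str) -> dict:
        """Read the latest version of a KV v2 secret (API path <mount>/data/<path>)."""
        if self.token is None:
            raise RuntimeError("call login() before reading secrets")
        url = f"{self.addr}/v1/{mount}/data/{path}"
        resp = self.transport("GET", url, None, self.token)
        try:
            return resp["data"]["data"]  # KV v2 nests the key/value pairs twice
        except (KeyError, TypeError):
            raise RuntimeError(f"unexpected KV response: {resp}")


if __name__ == "__main__":
    # Inside a pod: address of the in-cluster Vault service is an assumption.
    client = VaultKubernetesClient("http://vault.default.svc:8200", "internal-app")
    client.login(read_sa_token())
    config = client.read_kv2("internal", "database/config")
    print("fetched keys:", sorted(config))  # never log the values themselves
```

The Vault token returned by login is short-lived (lease_duration); a long-running application has to renew it or log in again, which is exactly the bookkeeping the Vault Agent sidecar takes off the application's hands.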
Page 30
Use Secrets in Rancher Kubernetes Containers
Multiple methods
Page 31
Vault Agent
spec:
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "internal-app"
        vault.hashicorp.com/agent-inject-secret-database-config.txt: "internal/data/database/config"
https://learn.hashicorp.com/tutorials/vault/kubernetes-sidecar
Page 32
Vault CSI (Container Storage Interface)
A Vault secret shows as a file in a mount.
https://www.vaultproject.io/docs/platform/k8s/csi
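Both consumption methods on the last two slides, the Vault Agent sidecar and the CSI volume, end with the secret as a file in the container, and both rewrite that file when the secret changes. An application that reads the file once at start-up therefore keeps a stale credential after rotation (one of the challenges listed on slide 19). The following added example (not code from the deck or from HashiCorp) shows an application-side reader that notices the replacement and reloads; the mount path /vault/secrets/database-config.txt is an assumption based on the Agent injector's default location.

```python
"""
Added example, not part of the original slides: read a secret that Vault
Agent or the Secrets Store CSI provider delivers as a file, and pick up a
rotated value without restarting the pod. Writers replace the file rather than
append to it, either by rewriting it in place or by writing a temp file and
renaming it over the old one (which changes the inode), so inode, mtime and
size together are a reliable change fingerprint.
The default path is an assumption: the Agent injector writes to
/vault/secrets/<name>; a CSI mount lands wherever the pod's volumeMounts say.
"""
import os
from typing import Callable, Optional, Tuple

SECRET_PATH = "/vault/secrets/database-config.txt"  # assumed mount location

Fingerprint = Tuple[int, int, int]  # (inode, mtime_ns, size)


class FileSecret:
    """A secret value backed by a file that may be replaced at any time."""

    def __init__(self, path: str = SECRET_PATH,
                 on_change: Optional[Callable[[Optional[str], str], None]] = None):
        self.path = path
        # Called with (old_value, new_value) whenever the content changes,
        # e.g. to rebuild a database connection pool with the new password.
        self.on_change = on_change
        self._fingerprint: Optional[Fingerprint] = None
        self._value: Optional[str] = None

    def _stat(self) -> Fingerprint:
        st = os.stat(self.path)
        return (st.st_ino, st.st_mtime_ns, st.st_size)

    def get(self) -> str:
        """Return the current value, re-reading the file only when it changed."""
        try:
            fp = self._stat()
        except FileNotFoundError:
            # A writer may be mid-swap; keep serving the last good value.
            if self._value is not None:
                return self._value
            raise
        if fp != self._fingerprint:
            with open(self.path, encoding="utf-8") as f:
                new_value = f.read()
            old_value = self._value
            self._fingerprint = fp
            self._value = new_value
            if self.on_change is not None and new_value != old_value:
                self.on_change(old_value, new_value)
        return self._value


if __name__ == "__main__":
    secret = FileSecret(on_change=lambda old, new: print("secret rotated, reconnecting"))
    # Call get() on every use (or from a periodic task) instead of caching the
    # value in a module-level variable at import time.
    print("secret length:", len(secret.get()))  # never print the value itself
```

Calling get() before each use is cheap (one stat() call on an unchanged file) and is what turns Vault's rotation into something the application actually benefits from; a cached value read at start-up would survive until the next deployment, no matter how often Vault rotates the credential.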
Page 33
Vault & Kubernetes Summary
● Vault can be installed on Kubernetes using a Helm chart
● Vault supports Kubernetes authentication: applications use a K8s service account to authenticate and fetch secrets
● Vault can use a Kubernetes mutating admission webhook to intercept pods that carry specific annotations and inject a Vault Agent container that fetches and renews the secrets for them
● Vault secrets can be mounted as a volume using the Secrets Store CSI driver with the Vault provider
Page 34
Conclusion
• Vault is a logical component in Rancher's K8s clusters.
• It's easy to install Vault in K8s.
• There are sufficient methods to consume secrets.
Page 35
Resources
• SUSE Rancher
  • https://www.suse.com/de-de/products/suse-rancher/
  • https://rancher.com/docs/rancher/v2.5/en/
• HashiCorp Vault
  • https://www.vaultproject.io/docs/platform/k8s
  • https://learn.hashicorp.com/collections/vault/kubernetes