Conf42 DevSecOps 2021 - Online

Manage secrets across cloud on Kubernetes

Abstract

The evolution of Kubernetes and its use cases is more valuable when your team can manage secrets in a more secure context for all teams! Involving the security team and the dev team in this process is essential, because you need to break this dependency with external-secrets!

Summary

  • Jhonnatan Gil, DevOps engineer at Appgate, talks about how to use secrets on Kubernetes, and how you can use these secrets for your cloud environments or on-prem environments too. When you learn something new you can generate new features to generate more value for your company.
  • AWS SSM, Azure Key Vault, GCP Secret Manager, HashiCorp Vault, Kubernetes. How you can use the External Secrets operator inside Kubernetes. Demonstrations of how to mix this ecosystem.
  • Kubernetes is a portable, extensible, open source platform for managing containerized workloads. How can you use it with virtualization or increase the value for all teams and your application? That is a good question for you, for your company.
  • Kubernetes works with one master node and worker nodes. In a pod you can inject the secret for your ecosystem, right? It depends on the architecture of your application how the application gets this configuration, these passwords, or this sensitive data.
  • The External Secrets Operator integrates secret management systems like AWS Secrets Manager and HashiCorp Vault. Operators follow Kubernetes principles, notably the control loop. Kubernetes generates new things for your teams: how you can deploy more easily, more fast.
  • How Kubernetes and External Secrets are used: first you define a secret in your providers or on bare metal. You can use any ecosystem that you define for your application, or that your security team defines for your company. In this demo we show how you can use External Secrets in your cluster environment.

Transcript

This transcript was autogenerated. To make changes, submit a PR.
Hi everyone, thank you for choosing my talk about managing secrets across clouds on Kubernetes. That's me: Jhonnatan Gil, DevOps engineer at Appgate. I start the talk with the phrase "life is really simple, but we insist on making it complicated", by Confucius. I love that phrase because when you try to do something new for your team and generate new value for your company, it's very hard. When you implement this with a new technology, or in this case with Kubernetes, when you try to do something different with your knowledge, it's very hard to generate a new tool, or a specific tool, with best practices or with security. It's a very difficult learning path. But when you learn something new, you can generate new features to generate more value for your company. But every day that you learn something new it's very hard, because implementing this in your company, in your job, in your ecosystem, is very hard for you and your team. In this case we learn about how to use secrets on Kubernetes, how you can use these secrets for your cloud environments or on-prem environments too, in this case bare metal, since Kubernetes on bare metal is more fashionable, could be: learning how you can use these secrets for your Kubernetes cluster, how you can get them from your cloud provider, how you can obtain these new secrets for your cloud environment, and how you can get these secrets into your Kubernetes cluster ecosystem. That's it: learning something new. Okay, in this talk we're talking about AWS SSM, Azure Key Vault, GCP Secret Manager, HashiCorp Vault, and Kubernetes; a little bit about Kubernetes and the object inside Kubernetes that is called Secrets; how you can use the External Secrets operator inside Kubernetes and how to install it (it could be a few steps to use that); and a little demo about how to use secrets in Kubernetes using Vault, how to mix this ecosystem, and how you can use it every day on your Kubernetes cluster.
Talking about AWS Systems Manager Parameter Store: Parameter Store is a capability of AWS Systems Manager that provides secure, hierarchical storage for configuration data management and secrets management. You can store data such as passwords, database strings, Amazon Machine Image IDs, and license codes as parameter values. Your secrets are around AWS and you store them in plain text, in this case raw, and you can encrypt this data with your HSM-managed key generated inside AWS. You can use that for your deployments, or your ecosystem, or your EC2 instance, or your virtual machine inside AWS, right? In this case we're showing how you create parameters inside AWS. You create parameters like a standard one; that generates my value, that is the value that I use. In this case my secret is called my-secret-aws. In this case the value for that is my value, right? You can use this secret, in this case in clear text, to obtain it from my deployments or from my applications around my ecosystem inside Kubernetes or outside of Kubernetes. It could be like a function as a service; in AWS it's called Lambda. You can use that inside of Lambda and obtain this information around the database strings, or it could be endpoints from another API that I can use. You can store this secret in a secure way and you can obtain these secrets in a secure way. In AWS you can define in IAM an account associated with a user or with a role from the different ecosystem that you can deploy in there. You can define that role to be used from Lambda, or from an EC2 instance, or for a virtual machine, to obtain a specific secret, and it can be used just for read, not for write, just for read; and it can be updated, in this case for the ecosystem: the security team could update this secret to obtain and generate new value for your tools.
And how can you generate this perspective for your team, for all your teams and all your company, and how can you define this process, in which the applications can obtain only the secure secret and the security team can update this data without the developer team or IT team being able to check this data, just the security team? That is a big feature of the cloud, and how you can use it in all of them.

Azure Key Vault secrets: Azure Key Vault is a cloud service for securely storing and accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, or cryptographic keys. The Key Vault service supports two types of containers: vaults and managed hardware security module (HSM) pools. Vaults support storing software and HSM-backed keys and certificates; managed HSM pools only support HSM-backed keys. That could be confusing for learning in this part, but in other words: how can you store your data in a secure way, right? In this picture, check how you can create new secrets in Azure, how you can store a secret like in AWS, how similar it is to AWS, and how you can use it in Azure, right? First you generate a vault in Azure, and secondly you generate a secret in the vault, and what the type of the secret is that you can generate inside. How you can put this secret in Azure: Azure manages RBAC access control for the whole ecosystem in your cloud, and how you can put it all together, how you can use this like a function as a service in Azure. Now, how can you obtain this secret from Azure as a function (FaaS), or from virtual machines, or from your database, or from your ecosystem around your deployment inside the cloud, and how can you put it all together inside Azure?
In this way you can generate granularity for your teams, or for your developer teams, or IT teams, or security team, to obtain this granularity option for how you can use it for your purposes, or how you can change your whole ecosystem around the company. How can you obtain this feature and generate this process for your company? That isn't very high level, because you can generate, could be, the security team updates the secret; how can the developer team obtain it? No: the developer team can't update, can't obtain these secrets, just the application. When this application is deployed, in this way you can generate this process: who can update these secrets, how the application obtains them, and how to use that for the whole ecosystem that you generate around the application, right?

Okay, checking another cloud, GCP Secret Manager: Secret Manager is a secure and convenient storage system for API keys, passwords, certificates, and other sensitive data. Secret Manager provides a central place and single source of truth to manage, access, and audit secrets across Google Cloud. That is the definition we've taken about this from GCP, around how to store and how to manage secrets inside it, right? In this case we have this picture about how you can create secrets in Google Cloud. You generate a secret like in AWS and Azure, generate a path, could be, or generate just the name for your secret, and what the value for your secret is. In this case, in GCP you can generate the granularity for your teams and the application, and how you can use this definition around your process, how you can put it together for the application, how your security team can update it, and how your application gets this update from your secret from the security team; and you can change that for your granular definition in your matrix, could be, or your role associated inside your company, and how the security team just can change and just generate and just update these secrets.
How the application obtains this secret, updated from your GCP Secret Manager, and how only the application can obtain this secret, not the IT team or developer team, just like in Azure and AWS.

HashiCorp Vault: Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as an API key, password, or certificate. Vault provides a unified interface to any secret while providing tight access control and recording a detailed audit log. Secure secret storage: arbitrary key/value secrets can be stored in Vault. Vault encrypts these secrets prior to writing them to persistent storage, so gaining access to the raw storage isn't enough to access your secrets. Vault can write to disk, Consul, and more, right? In this case, HashiCorp Vault could be the interface for all your secrets around your cloud providers or on-prem infrastructures too. How can you manage these secrets out of the box from the cloud providers, how can you generate this interface, and how can you generate this process? You can define in Vault too a granular definition, your matrix for your teams: how the security team generates and updates these secrets, how you modify them, how you can obtain these secrets only for your application, and how you can put it all together; that works very nicely for your teams and your path to successful security in your company, right? In this case, the pictures show how you can create a Vault secret. First you create a vault, second you create a secret, and third you can create your secret in the cloud, in Vault, to present this secret to your workload or to your function as a service, out of the box from the cloud provider or on-prem. Could be you install this solution on your machines, on your ecosystem, on your virtualization, could be, or HashiCorp could generate this new tool for all the deployments that you put together.
In this case you can deploy this tool in the Kubernetes cluster; could be, you generate a security cluster only for storing all your Vault secrets, and your security teams manage this cluster only for the company, right? You can put it all together and generate separately a development environment, or staging environment, or production environment. How can you separate these responsibilities for all environments? How can the security team generate this new feature for the whole company? Because you can generate a new process: how you store and how you manage all the secrets for the company, how you can provide these secrets, and how you can get these secrets to all the applications around your cloud providers or your deployments that you generate inside the clouds or outside the clouds.

Okay, talking about Kubernetes: it's an interesting technology; it has increased a lot of the expectations around the world, how you can use it in every specification in your company, how to build this route for your company and for your team, how you can increase all the value for your company. That is a good technology that you can use in your ecosystem for your application or for your IT environments. How can you use that with virtualization, or increase the value for all teams and your application? That's very good. Let me give a little definition of Kubernetes: Kubernetes is a portable, extensible, open source platform for managing containerized workloads and services that facilitates both declarative configuration and automation. It has a large, rapidly growing ecosystem. Kubernetes services, support, and tools are widely available. Yeah, it's a real explosion for your mind, a blow-up, could be. And how can you use Kubernetes and how can you increase your value for your company with that? That is a good question for you, for your company. How can you use Kubernetes for your whole ecosystem, all your apps, all your teams, to generate new value for your company?
Let me check a little object inside Kubernetes: the Secret. A Secret is an object that contains a small amount of sensitive data, such as a password, a token, or a key. Such information might otherwise be put in a Pod specification or in a container image. Using a Secret means that you don't need to include confidential data in your application code. That's a very nice definition, because you can extract the sensitive data from your application, from your code, from your repositories. How you can put this data inside your application around your Kubernetes ecosystem, that is very nice. In this part of the picture we're talking about the master node, how Kubernetes works: Kubernetes works with one master node and worker nodes. Could be, but it depends on your architecture, depends on your availability zones, depends on the replication for your application. How can you put your infrastructure, your application, your business for all your clients, and how do you design your application for all your needs, right? In this case it's a single ecosystem for Kubernetes: it's a master node and a worker node. And the worker node deploys a pod, a workload, a container, where you can define your application. In this pod you can inject the secret for your ecosystem, right? That could be a small definition of Kubernetes and Secrets, but you can use more around that, because you can put your secret in your pod, in your container application, in two ways, in three ways, sorry: this way is an environment variable, or a file, or a path with a lot of files; but it depends on your architecture for your application, and how the application gets this configuration, or these passwords, or this sensitive data for its use in there, right? It depends a lot on your application and how the developer team will obtain this data to generate the value for the application.
Talking about External Secrets: the External Secrets Operator is an operator that integrates secret management systems like AWS Secrets Manager, HashiCorp Vault, Google Secret Manager, Azure Key Vault, and a lot of other cloud providers. How to get this information, how you can get this sensitive data into your cluster, right? These APIs connect with the operator, and it updates this data for your pod, right. But what is an operator? What is a Kubernetes operator, by the new term? Operators are software extensions to Kubernetes that make use of custom resources to manage applications and their components. Operators follow Kubernetes principles, notably the control loop. In this case, when you work with operators in Kubernetes, Kubernetes generates new things for your teams, and how you can increase the value of Kubernetes, could be, just for you: you can use operators to increase this value for Kubernetes, and how you can use new features for your company that could not be generated inside Kubernetes, just for you and your IT team; how you can generate this toil task and manage this task with one operator developed by you or your team, how to reduce the time that you use to generate some task, and you can define this task in the operator, right. You can change everything in Kubernetes, and how the operator could be generated for these new responsibilities, with an operator, and how you can deploy more easily, more fast; it's very extensible, you can use this operator for your teams and your clusters, and how to develop that in your company. That's very nice; that works with Kubernetes. Let me show you a little high-level architecture of how Kubernetes and External Secrets are used. First you define a secret in your providers or on bare metal, in this case with Azure, with GCP, with AWS, or Vault, which were the last slides; you can use any ecosystem that you define for your application, or that your security team defines for your company.
That covers everything needed for your company, right? Second, you write this definition in your file, your YAML file. That is the description of how you can obtain this data from the external provider, how to obtain these values for the pod, for your workload, for your application, how to obtain them and how to put them in there, and how the application waits for these secrets, like an environment variable, or a file, or a path to a folder, could be; it depends entirely on how the application is created by the developer teams or architecture team, and how to define how the code can get this information for the pod or the application, right? And third, you can use this secret in your cluster, in this case, or just only for your pod. Let's come to the demo, right? Okay.

In this demo we show how you can use External Secrets in your cluster environment, how you can update and install first the Helm chart, how you can use this chart, and how to configure the chart to connect to Vault. In this case, first you need to add the External Secrets Helm repo to your installation in the cluster. In this case it's this command: we add the Helm repo named external-secrets, which is linked to this Helm chart's Internet location. In this case we can check what other repos can be installed in our cluster: helm repo list. We can check that external-secrets is added at the moment, for our External Secrets for our cluster, and how you can use that. This enables the Helm chart and you can use this chart for the configuration. Second, you need to install External Secrets into Kubernetes: external-secrets with Helm, helm install external-secrets, which invokes the external-secrets chart that installs and obtains the external-secrets values for this case. In this case we can generate the external-secrets namespace. But at this moment, if we check the namespaces currently created, actually we have this namespace in our cluster: kubectl get namespaces. In this case we can create the external-secrets namespace, and we don't create this namespace again.
Let me copy that command and paste it in there, and you can execute this command. In this case, Helm generates all the values for your cluster and the operator can be enabled for the cluster. In this case we can execute part of the operator and configure this operator if you need it. But in this case we can check how we can use this operator: helm list; in this case external-secrets is enabled for our cluster in the namespace external-secrets, and this is the version that is deployed in this case. In this case there are a lot of objects generated for External Secrets: kubectl get pods, there's a new pod for this case. In this case external-secrets, or this is the short name: if you use kubectl get externalsecrets or kubectl get es, it's the same way that you can find all the objects in the namespace for External Secrets. In this case it doesn't show any resources, because you need first to configure the resource and second to use the resource to generate and obtain the information about Vault, right? In this case we prepared a secret inside Vault. This secret is called my-secret and is obtained from Vault, right? First we generated the secret in Vault; we generated it, in this case, on the installation of External Secrets. Now we can configure the SecretStore from the secret vault YAML. Check what information this YAML has: this information is, first, create a Secret that is named vault-token. This token is the communication from the username, in this case for the root name, that you can obtain for this authentication to Vault in this server, and this part is just the token for Vault. But in this case, this part is the configuration about the server, about what the path is that you can connect to, in this case; that is the API version; how you can hold this SecretStore, in this case it's vault-backend; and how to authenticate to Vault. In this case it uses the token to authenticate, and uses the vault-token that we generated in this Secret; the secret is obtained when the configuration happens.
It's the first part where you can check that the operations team, could be, doesn't know what the secret is. In this case I can separate the files: this file is the security team's, and this file is the operations team's, which can generate the configuration around what the Vault service or Vault server is that I can use; and this configuration is common for the security team and the operations team or IT team, that you can use: what is the name of the vault that the security team generates, and how the security team and IT team define this name to generate and establish some definitions of how the names of the secrets around Kubernetes are going to be put in there. Right, the next step is just to apply this file, but before that we can check what types of secrets exist in there: kubectl get secrets. In this case these secrets exist: the external-secrets token, the external-secrets secret token, the secret store secret; but that's not it, that's the installation from Helm that we generated in the last step. All right, this isn't the SecretStore. kubectl get secretstore, which announces the configuration about the SecretStore around External Secrets, right, that's it. Then apply this configuration file, and in this case it generates a Secret and a SecretStore in the namespace that we are in, and check what objects were generated in this case: kubectl get secrets, and voilà. That's my secret that I generated, vault-token; that is the name of the token that we send in this case with this value, and we can check exactly with the SecretStore that this vault-backend contains all the configuration around External Secrets and how to connect to Vault, and my secret to generate this authentication for the application. Right, in this guide, configuring an ExternalSecret from Vault using ExternalSecret is the definition of how you can use ExternalSecret, and how, before this authentication, you can use ExternalSecret to obtain the secret from Vault.
In this path we can check my-secret in Vault; this property for the secret is the secret generated from my store configuration. In this case it is example-sync, and it generates a SecretStore reference for my secret. That is the backend, Vault, and it's the SecretStore, right? In this case the SecretStore is vault-backend, this configuration that we generated in this case. In this definition, how to authenticate: before that, it's the authentication. You can use this authentication to obtain this secret, right; before the authentication you can obtain the secret in this path, exactly this secret, and put it in my new Secret definition, example-sync, and put in there foobar, right? Let me check more simply with the example: apply this configuration file. In this case it generates vault-example, which is our ExternalSecret generation; kubectl get secrets, and voilà. This example-sync contains the foobar definition; kubectl describe secret example-sync, and this is my foobar, my information about the secret. In any case I can use this secret obtained from Vault from my pod, and inject this secret as input to my pod with an environment variable, or use it for a config file or a path if I need it. It depends exactly on what the architecture for the application is, how the application can use these secrets, and how they can be injected in there for the pod. We're talking about how you can use the Secret generated by ExternalSecret and how to implement it, in this case, for a Deployment with the pod. In this definition we have a Deployment, in this case the example, that uses the image nginx on port 80 and uses, in this case, the important part: the secret username, right? That secret username is a value from secretKeyRef. In this case you invoke example-sync and obtain the foobar value. That's the definition that we generated in the previous example, which defines example-sync and generates the foobar obtained from Vault. In this case, right?
Just apply with this command, kubectl apply, and in this case it generates a Deployment; kubectl get pods, this is the example Deployment, right? kubectl describe pod: this pod is exactly the example Deployment, and in this case we can check something new in the Deployment: put in there, in the pod, the Secret environment variable SECRET_USERNAME, connected to the Secret example-sync, obtaining foobar. In this case, if we check the Secrets in this Deployment, in this namespace, kubectl get secrets, we have example-sync, which contains, in this case (get secret, describe secret), the foobar data. That is the complete flow that you can use, defined for, first, the security team: how to define the connectivity and authorization and authentication to Vault, and how, in Vault, you can define this secret that the developer team or IT team doesn't know, just for the configuration. In this case, for the IT team, this other configuration that will be generated by the IT team, they are using the Secret; and third, the development team just uses the Secret for the environment and puts it in the environment for the application. The whole process around how you can define how sensitive data can be secured in your whole ecosystem in the SDLC lifecycle could generate new value for the company, because the secret, which could be injected for the database, or could be some other service, or this very sensitive data, the IT team or development team can't access it; just the application and the security team. And it's the most powerful tool that you can use to connect your cloud, and you can connect the environment too for External Secrets, and how you can use these External Secrets for Kubernetes, and how these External Secrets generate a new proposal for your whole company, and how you can determine for your company a new process in which the IT team and development team don't know what the sensitive data is. Just the security team and the application. No more. In this case it's a good example for the application.
These slides contain the video about how you can check this offline, could be; but in this video I explain what the part of the secret is, and what the part of the YAML files used for the demo is. You can check this video too if you want. No problem. If you have some questions you can send me a ping over social networks like Twitter or YouTube or GitHub. I hope that you can learn something new. Thank you for your time. See you soon.
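The demo's objects, as an added example that is not the talk's own files: a Vault token Secret (security team), the SecretStore and ExternalSecret (IT/operations team), and a Deployment consuming the synced Secret (developers). The names follow the talk (vault-token, vault-backend, vault-example, example-sync, foobar, SECRET_USERNAME); the Vault server address, the KV mount, the refresh interval and the external-secrets.io/v1beta1 API version are assumptions.

```yaml
# Install the operator first (the Helm steps from the talk):
#   helm repo add external-secrets https://charts.external-secrets.io
#   helm install external-secrets external-secrets/external-secrets \
#     -n external-secrets --create-namespace
#
# 1) Security team: the only object that carries a Vault credential.
#    A read-only Vault token is assumed; "REPLACE_ME" is a placeholder.
apiVersion: v1
kind: Secret
metadata:
  name: vault-token
type: Opaque
stringData:
  token: REPLACE_ME
---
# 2) IT/operations team: where Vault is and how the operator authenticates.
#    The server URL and the "secret" KV v2 mount are assumptions.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: vault-backend
spec:
  provider:
    vault:
      server: "https://vault.example.internal:8200"
      path: "secret"
      version: "v2"
      auth:
        tokenSecretRef:
          name: vault-token
          key: token
---
# 3) IT/operations team: which Vault path is synced into which Kubernetes Secret.
#    Remote key "my-secret" and field "foobar" are the talk's demo values.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: vault-example
spec:
  refreshInterval: 1h          # the control loop re-reads Vault on this interval
  secretStoreRef:
    name: vault-backend
    kind: SecretStore
  target:
    name: example-sync         # the Secret the operator creates and keeps in sync
    creationPolicy: Owner
  data:
    - secretKey: foobar        # key inside example-sync
      remoteRef:
        key: my-secret         # path under the "secret" mount
        property: foobar       # field of the KV entry
---
# 4) Development team: consume the synced Secret; no Vault details are needed here.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example
spec:
  replicas: 1
  selector:
    matchLabels:
      app: example
  template:
    metadata:
      labels:
        app: example
    spec:
      containers:
        - name: nginx
          image: nginx
          ports:
            - containerPort: 80
          env:
            - name: SECRET_USERNAME
              valueFrom:
                secretKeyRef:
                  name: example-sync
                  key: foobar
```

After kubectl apply -f, kubectl get secretstore, externalsecret and secrets show the vault-backend store, the vault-example sync status and the generated example-sync Secret. The Vault token should be scoped to read that single path, and only the first manifest ever holds it; the Deployment sees nothing but example-sync, which is the separation between teams the talk describes.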

Jhonnatan Gil Chaves

DevOps Engineer @ AppGate
