Secrets Management at Scale with Vault & Rancher
24 June. Robert de Bock, Senior DevOps Engineer, Adfinis, robert.debock@adfinis.com; Kapil Arora, Senior Solution Engineer, HashiCorp, kapil@hashicorp.com. Infrastructure Management (Run & Manage): GitOps Continuous Delivery, Cluster Templates & Config Enforcement, K8s Version Management, Node Pool Management, Cluster Provisioning & Lifecycle Management. Platform: Google GKE, Cloud, Datacenter, Edge, Branch, Dev. Secret Management in Kubernetes. Secret Management Challenges ● Secrets sprawl ● Secrets rotation ● X.509 certificates, SSH and Cloud access
36 pages | 1.19 MB | 1 year ago

Putting an Invisible Shield on Kubernetes Secrets
Agenda • K8s Secrets: Overview • TEE-based K8s Secrets Protection: Solution • Production Experience @ Ant Group • Demo • Summary & Plan. K8s Secrets: Overview. Background: K8s Secrets: Cluster Provider, KMS Encryption Provider. Background: K8s Secrets • Encryption keys stored on API Server • Secrets encrypted prior to storage in etcd • Secrets decrypted on API Server prior to use • Encryption keys stored in a remote KMS • Use envelope encryption scheme • DEK & KEK. Motivation: K8s Secrets Protection • Performance & latency • Network • Security • DEK in the clear in memory • Secret
33 pages | 20.81 MB | 1 year ago

GPU Resource Management On JDOS
梁永清, liangyongqing1@jd.com. Services provided: 1. GPU containers for experiments 2. Kubeflow-based machine learning training service 3. Model management and model serving service. Experiment, Training and Serving are all container-based; GPU physical machines are not handed directly to business teams. GPU experiments: the regular JDOS container service
11 pages | 13.40 MB | 1 year ago

Node Operator: Kubernetes Node Management Made Simple
陈俊 (Joe), Ant Financial. Agenda • Background and Motivation • Introduction of Operators • Node-Operator • Advanced Topic: • Upgrade Master & Node Components reliably • Canary Rollout • Master & Node Component Versions Management. Motivation: Work Order Deployment. Worker Order • Upgrade Nodes Versions • Upgrade Node 10.10. Complicated architecture: the work order deployment system can not meet the requirements of resource management. Operator: Observe, Action, Analyze • Observe: watch desired resource and actual resource
18 pages | 11.70 MB | 1 year ago

Key management: Turtles all the way down - Securely managing Kubernetes Secrets
Turtles all the way down: securely managing Kubernetes secrets with secrets. Alexandr Tcherniakhovski, Google Cloud; Maya Kaczorowski, Google Cloud. Nov 14 2018. @MayaKaczorowski. Protecting secrets. What's a secret? Credentials, configurations, API keys, and other small bits of information needed by applications at build or run time. Why protect secrets? ● Attractive target ... in public storage buckets. Secret management requirements: Identity: require strong identities and least privilege. Auditing: verify the use of individual secrets. Encryption: always encrypt before
52 pages | 2.84 MB | 1 year ago

State management - CS 591 K1: Data Stream Processing and Analytics, Spring 2020
Vasiliki (Vasia) Kalavri, vkalavri@bu.edu, Spring 2020. 2/25: State Management. Vasiliki Kalavri | Boston University 2020. Logic State <#Brexit, 520> <#WorldCup, 480> ... key of the current record so that all records with the same key access the same state. State management in Apache Flink. Operator state, Keyed state ... state is stored, accessed, and maintained. State backends are responsible for: • local state management • checkpointing state to remote and persistent storage, e.g. a distributed filesystem or a database
24 pages | 914.13 KB | 1 year ago

Deploying and Scaling Kubernetes with Rancher
Table of contents excerpt: 1.3.3 Secret Management; 1.3.5 Container Management and Scaling; 1.3.6 ...; 1.3.10 Log Management
66 pages | 6.10 MB | 1 year ago

Dapr July 2020 security audit report
... Request Forgery into local Dapr sidecar (Medium); DAP-01-008 WP2: Dapr allows extraction of Kubernetes secrets by default (High); DAP-01-010 WP2: Invocation of out-of-scope topic handlers of PubSub (Info); DAP-01-012 Hashicorp secret vault (Low). Orchestration Hardening: Network Policy, Zero-Trust Concepts, RBAC, Secrets Management, Conclusions. Cure53, Berlin · 07/01/20, 1/19, Dr.-Ing ... Operator-services. ▪ In further scope were a sample python-app (for testing), crypto implementations, secrets storage features, network filtering features, pub/sub mechanism implementations, authentication
19 pages | 267.84 KB | 1 year ago

OpenShift Container Platform 4.14 Storage
A hostPath volume mounts a file or directory from the host node's filesystem into the pod. KMS key: Key Management Service (KMS) helps you reach the required level of data encryption across different services. You can use KMS keys to encrypt, decrypt and re-encrypt data. Local volume: a local volume represents a mounted local storage device such as a disk, partition or directory. Expected output: default JSON. mountdevice mounts the volume's device to a directory from which the pod can then bind-mount it. This call-out does not pass the "secrets" specified in the FlexVolume spec; if your driver needs a secret, do not implement this call-out. Arguments: executed on: node. Expected output: default JSON. unmountdevice unmounts the volume's device from the directory. OpenShift Container Platform can use CHAP to authenticate itself to the iSCSI target: enable CHAP authentication for iSCSI discovery; enable CHAP authentication for iSCSI sessions; specify the name of the Secrets object that holds the username and password. That Secret object must be available in every namespace that can use the referenced volume. accessModes: - ReadWriteOnce iscsi: targetPortal:
215 pages | 2.56 MB | 1 year ago

OpenShift Container Platform 4.13 CI/CD
The Jenkins image on OpenShift Container Platform is fully supported; users can define a jenkinsfile in a job by following the Jenkins user documentation, or store it in a Source Control Management system. With the Pipeline build strategy, developers can define a Jenkins pipeline for use by the Jenkins Pipeline plugin. Builds can be ... by OpenShift Container Platform. ref can be a SHA1 tag or a branch name; the ref field defaults to master. The contextDir field lets you override the default location in the source repository where the build looks for the application source code. If the application is located ... $ oc secrets link builder dockerhub source: git: 1 uri: "https://github.com/openshift/ruby-hello-world". Add the certificate files to the source build and reference them in the gitconfig file: 1. Add the client.crt, cacert.crt and client.key files to the /var/run/secrets/openshift.io/source/ directory of the application source code. 2. In the server's .gitconfig file, add the [http] section shown in the example below. Example output: $ oc set build-secret
129 pages | 1.37 MB | 1 year ago

369 results in total