Search results for "secrets"

Secrets Management at Scale with Vault & Rancher
24. June Robert de Bock Senior DevOps Engineer Adfinis robert.debock@adfinis.com Kapil Arora Senior Solution Engineer HashiCorp kapil@hashicorp.com Branch Dev Secret Management in Kubernetes 16 17 18 Secret Management Challenges ● Secrets sprawl ● Secrets rotation ● X.509 certificates, SSH and Cloud access ● Encryption ● Multi-platform and multi-cloud that leverages trusted sources of identity to keep secrets and application data secure ● Secrets management to centrally store and protect secrets across clouds and applications ● Data encryption to
0 credits | 36 pages | 1.19 MB | 1 year ago

Putting an Invisible Shield on Kubernetes Secrets
Kubernetes Secrets Agenda • K8s Secrets: Overview • TEE-based K8s Secrets Protection: Solution • Production Experience @ Ant Group • Demo • Summary & Plan K8s Secrets: Overview Background: K8s Secrets Cluster Provider KMS Encryption Provider Background: K8s Secrets • Encryption Keys stored on API Server • Secrets encrypted prior to storage in etcd • Secrets decrypted on API Server prior to use • Encryption Encryption keys stored in a remote KMS • Use envelope encryption scheme • DEK & KEK Motivation: K8s Secrets Protection • Performance & latency • Network • Security • DEK in the clear in memory • Secret
0 credits | 33 pages | 20.81 MB | 1 year ago

Secrets of C++ Scripting Bindings
Jason Turner @lefticus emptycrate.com/idocpp 1Copyright Jason Turner @lefticus emptycrate.com/idocpp Secrets of Scripting Bindings for C++ 2 . 1Copyright Jason Turner @lefticus emptycrate.com/idocpp Jason com/lefticus/5d94357725413dce5005b0b1b7f77836 25 . 8Copyright Jason Turner @lefticus emptycrate.com/idocpp Secrets of Scripting Bindings for C++ 26 . 1Copyright Jason Turner @lefticus emptycrate.com/idocpp Jason
0 credits | 177 pages | 1.65 MB | 5 months ago

Turtles all the way down - Securely managing Kubernetes Secrets
Turtles all the way down: securely managing Kubernetes secrets with secrets Alexandr Tcherniakhovski, Google Cloud Maya Kaczorowski, Google Cloud Nov 14 2018 Turtles all the way down Turtles @MayaKaczorowski Protecting secrets What's a secret? Credentials, configurations, API keys, and other small bits of information needed by applications at build or run time Why protect secrets? ● Attractive target the use of individual secrets Encryption Always encrypt before writing to disk Rotation Change a secret regularly in case of compromise Isolation Separate where secrets are used vs managed
0 credits | 52 pages | 2.84 MB | 1 year ago

The Path to GitOps
7 – Handling Secrets Common Patterns Storing Encrypted Secrets Sealed Secrets Challenges of Storing Encrypted Secrets Storing Secret References External Secrets Challenges Deployment [4.1]? What about the ConfigMaps and Chapter 4 – Git Workflows The Path to GitOps | 23 Secrets? Those are bound to change in different environments and include things that should not be merged (RBAC), Git Chapter 5 – Repository and Directory Structures The Path to GitOps | 32 repository secrets, and configuration files specific to the Git controller, Argo CD. Each configuration has its own
0 credits | 45 pages | 1.09 MB | 1 year ago

Dapr July 2020 security audit report
Request Forgery into local Dapr sidecar (Medium) DAP-01-008 WP2: Dapr allows extraction of Kubernetes secrets by default (High) DAP-01-010 WP2: Invocation of out-of-scope topic handlers of PubSub (Info) DAP-01-012 Hashicorp secret vault (Low) Orchestration Hardening Network Policy Zero-Trust Concepts RBAC Secrets Management Conclusions Cure53, Berlin · 07/01/20 1/19 Dr Operator-services. ▪ In further scope were a sample python-app (for testing), crypto implementations, secrets storage features, network filtering features, pub/sub mechanism implementations, authentication
0 credits | 19 pages | 267.84 KB | 1 year ago

OpenShift Container Platform 4.4 Builds
linked to the service account used by the build. By default, builds use the builder service account. If the secret contains credentials that match the repository hosting the input image, the pull secret is automatically added to the build. + $ oc secrets link builder dockerhub Note: builds that use the Custom strategy do not support this feature. 3.4. Git source Once specified, the source code is fetched from the given location. If you supply an inline Dockerfile, it overrides Add the certificate files to the source build and add references to them in the gitconfig file. 1. Add the client.crt, cacert.crt and client.key files to the /var/run/secrets/openshift.io/source/ directory of the application source code. 2. In the server's .gitconfig file, add the [http] section shown in the following example: # cat .gitconfig [user] false sslCert = /var/run/secrets/openshift.io/source/client.crt sslKey = /var/run/secrets/openshift.io/source/client.key sslCaInfo = /var/run/secrets/openshift.io/source/cacert.crt
0 credits | 101 pages | 1.12 MB | 1 year ago

OpenShift Container Platform 4.13 CI/CD
ref can be a SHA1 tag or a branch name. The default value of the ref field is master. The contextDir field lets you override the default location in the source repository where the build looks for the application source code. If the application is located $ oc secrets link builder dockerhub source: git: 1 uri: "https://github.com/openshift/ruby-hello-world" Add the certificate files to the source build and add references to them in the gitconfig file. 1. Add the client.crt, cacert.crt and client.key files to the /var/run/secrets/openshift.io/source/ directory of the application source code. 2. In the server's .gitconfig file, add the [http] section shown in the following example: Example output $ oc set build-secret false sslCert = /var/run/secrets/openshift.io/source/client.crt sslKey = /var/run/secrets/openshift.io/source/client.key sslCaInfo = /var/run/secrets/openshift.io/source/cacert.crt
0 credits | 129 pages | 1.37 MB | 1 year ago

OpenShift Container Platform 4.13 Authentication and authorization
the identity is mapped to the existing user and added to that user's existing identity mapping. This is required when multiple identity providers are configured that identify the same set of users and map them to the same user name. Note $ oc delete secrets kubeadmin -n kube-system Note When adding or changing an identity provider, you can [create delete deletecollection get list patch update watch create get list watch] secrets [] [] [create delete update watch impersonate create delete deletecollection patch update get list watch] imagestreams/secrets [] [] [create delete deletecollection
0 credits | 201 pages | 2.74 MB | 1 year ago

GitOps 2.0 The Future of DevOps Ebook
Auditing 1.9. Running at scale 1.10. GitOps and Helm 1.11. Continuous Deployment 1.12. Secrets management 2. A Vision of GitOps 2.0 2.1. Visibility into the whole software lifecycle 2 Achieving Continuous deployment and full Git automation 2.5. Built-in handling for rollbacks and secrets 2.6. Running GitOps at scale 2.7. Making the vision for GitOps 2.0 a reality 3. GitOps 2 automated process ● Deployments, tests, and rollbacks controlled through Git flow ● Integration with secrets providers ● No hand-rolled deployments: If you want to change the state you need to perform a
0 credits | 29 pages | 1.61 MB | 1 year ago
881 results in total