Kubernetes + Terraform + Vault + Consul
● Bart Dziekan
● Kubernetes Architect
● bart.dziekan@digitalonus.com
● https://github.com/bartdzkan
Overview - Terraform
Overview - Vault
Overview - Vault
Consul vs Istio
ISTIO
● Provides layer 7 features: path-based routing, traffic shaping, load balancing, and telemetry.
● Agentless (no per-node agent; Envoy proxies are injected into each pod as sidecars)
● Complex (many moving parts, although the GKE add-on makes the install itself simple)
Consul
● Consul Connect enforces identity and authorization at layer 4 only: either the mutual TLS connection is established or it is not. Policy says which service may talk to which, not which paths or methods are allowed.
● Agent based (a Consul agent runs on every node)
● Low complexity
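As an added example (not from the talk), the layer-4 model above expressed as Consul configuration: a service definition for `web` whose Connect sidecar reaches `db` through the mesh, and a `service-intentions` config entry on `db` that allows only `web` and denies every other identity. Service names, ports, file names and the config-entry syntax (Consul 1.9 and later) are assumptions for illustration; the two files are shown in one block.

```hcl
# --- web.hcl: service definition loaded by the Consul agent on the node ---
# The sidecar obtains a certificate whose identity is the service name "web".
# That identity is the only thing the destination authorizes: no path, header
# or method is visible to the layer-4 policy.
service {
  name = "web"
  port = 8080

  connect {
    sidecar_service {
      proxy {
        upstreams = [
          {
            # "web" dials 127.0.0.1:5432; the sidecar carries it over mTLS to "db"
            destination_name = "db"
            local_bind_port  = 5432
          }
        ]
      }
    }
  }
}

# --- db-intentions.hcl: apply with `consul config write db-intentions.hcl` ---
# Evaluated on the "db" side when the TLS handshake presents the "web" identity.
# Exact service names take precedence over the "*" wildcard, so this reads
# "allow web, deny everyone else" regardless of list order.
Kind = "service-intentions"
Name = "db"
Sources = [
  {
    Name   = "web"
    Action = "allow"
  },
  {
    Name   = "*"
    Action = "deny"
  }
]
```

The explicit wildcard deny matters: when no intention matches, Connect falls back to the agent's ACL default policy, which is allow unless ACLs are enabled with a default of deny. Nothing here can say "web may GET /reports but not POST", which is exactly the layer-4 limitation the slide describes; later Consul releases (1.9+) added optional HTTP permissions to intentions, and Istio's AuthorizationPolicy works at that layer natively.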
Vault on Kubernetes
● Vault HA - The Vault cluster is deployed in HA mode backed by Consul.
● Auto-Init and Unseal - Vault is automatically initialized and unsealed at runtime. The unseal keys are encrypted with Google Cloud KMS and stored in Google Cloud Storage.
● Vault also supports opt-in automatic unsealing via cloud KMS services: AliCloud KMS, AWS KMS, Azure Key Vault, and Google Cloud KMS.
● Full Isolation - The Vault cluster is provisioned in its own Kubernetes cluster, separate from the workloads that consume its secrets.
● Audit Logging - Audit logging to Stackdriver can be optionally enabled with minimal additional configuration.
Vault Auto Unseal - Init
● The vault-init service automates the process of initializing and unsealing HashiCorp Vault instances running on Google Cloud Platform.
● After vault-init initializes a Vault server it stores the unseal (master) keys and root token, encrypted using Google Cloud KMS, in a user-defined Google Cloud Storage bucket. Anyone who can read that bucket and decrypt with that KMS key can unseal Vault and act as root, so both need tightly scoped IAM.
● Usage
The vault-init service is designed to run alongside a Vault server (on Kubernetes, as a sidecar container in the Vault pod) and communicate with it over localhost.
● Configuration
The vault-init service supports the following environment variables:
CHECK_INTERVAL - The time in seconds between Vault health checks (default 300).
GCS_BUCKET_NAME - The Google Cloud Storage bucket where the encrypted Vault master key and root token are stored.
KMS_KEY_ID - The Google Cloud KMS key ID used to encrypt and decrypt the Vault master key and root token.
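An added example, not from the talk or the vault-init project: a Vault server configuration in HCL that implements the deployment described on the two slides above, namely storage in the node's Consul agent for HA, TLS on the listener, and automatic unseal through Google Cloud KMS using Vault's built-in `gcpckms` seal. That seal is the opt-in alternative to the vault-init sidecar, which instead encrypts the Shamir unseal keys and root token with the `KMS_KEY_ID` key and writes them to `GCS_BUCKET_NAME`. Addresses, file paths, the project name and the key names are assumptions.

```hcl
# vault.hcl (assumed path: /vault/config/vault.hcl)
ui = true

# Advertised addresses; on Kubernetes these are normally derived from the pod IP.
api_addr     = "https://vault.vault.svc.cluster.local:8200"
cluster_addr = "https://vault.vault.svc.cluster.local:8201"

listener "tcp" {
  address         = "0.0.0.0:8200"
  tls_cert_file   = "/vault/tls/tls.crt"
  tls_key_file    = "/vault/tls/tls.key"
  tls_min_version = "tls12"
}

# HA storage: each Vault server talks to a local Consul client agent (agent-based,
# as the comparison slide notes). The Consul ACL token is supplied through the
# CONSUL_HTTP_TOKEN environment variable rather than written into this file.
storage "consul" {
  address = "127.0.0.1:8500"
  path    = "vault/"
}

# Auto-unseal: Vault wraps its master key with this KMS key at init and asks KMS
# to unwrap it on every start. The service account the pod runs as needs only
# roles/cloudkms.cryptoKeyEncrypterDecrypter on this one key.
seal "gcpckms" {
  project    = "my-gcp-project"
  region     = "us-central1"
  key_ring   = "vault-unseal"
  crypto_key = "vault-unseal-key"
}
```

Audit logging is not part of the server config; it is enabled at runtime once Vault is unsealed, for example `vault audit enable file file_path=stdout`, so the cluster logging agent forwards the stream to Stackdriver. Two caveats worth keeping in mind: with the `gcpckms` seal Vault hands out recovery keys instead of unseal keys, and operators never touch the master key; with vault-init, the GCS object holds the unseal keys and root token, so the bucket IAM and the KMS key IAM are the real perimeter, and the root token should be revoked as soon as policies and auth methods are bootstrapped.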
Vault Auth Kubernetes
Benefits of Cloud KMS
Cloud KMS is a cloud-hosted key management service that lets you manage cryptographic keys for your cloud services.
● Set keys to rotate automatically on a schedule.
● Manage Cloud IAM permissions per key, granting access to individual users and service accounts.
● Help satisfy compliance needs.
● Cloud KMS has a built-in 24-hour delay before key material is destroyed, to prevent accidental or malicious data loss.
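An added Terraform example (not from the talk) that provisions what the Cloud KMS slide describes and what vault-init needs: a key ring and a symmetric key with a 90-day automatic rotation period, a GCS bucket for the encrypted keys with versioning and uniform bucket-level access, and IAM bindings that give only the Vault service account encrypt/decrypt on the key and object access on the bucket. Project, region, resource names and the service account variable are assumptions.

```hcl
terraform {
  required_providers {
    google = {
      source = "hashicorp/google"
    }
  }
}

provider "google" {
  project = var.project
  region  = var.region
}

variable "project" {
  type = string
}

variable "region" {
  type    = string
  default = "us-central1"
}

# Service account the Vault pods (and the vault-init sidecar) run as; assumed to exist.
variable "vault_sa_email" {
  type = string
}

resource "google_kms_key_ring" "vault" {
  name     = "vault-unseal"
  location = var.region
}

resource "google_kms_crypto_key" "vault" {
  name            = "vault-init"
  key_ring        = google_kms_key_ring.vault.id
  purpose         = "ENCRYPT_DECRYPT"
  rotation_period = "7776000s" # 90 days; KMS creates a new primary version on this schedule

  # Destroying this resource in Terraform schedules every key version for
  # destruction, which would make the stored unseal keys unrecoverable.
  lifecycle {
    prevent_destroy = true
  }
}

# Per-key IAM: only the Vault service account may encrypt/decrypt with this key.
resource "google_kms_crypto_key_iam_member" "vault" {
  crypto_key_id = google_kms_crypto_key.vault.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:${var.vault_sa_email}"
}

# Bucket that vault-init writes the KMS-encrypted unseal keys and root token to.
resource "google_storage_bucket" "vault_init" {
  name                        = "${var.project}-vault-init"
  location                    = var.region
  uniform_bucket_level_access = true

  versioning {
    enabled = true
  }
}

resource "google_storage_bucket_iam_member" "vault_init" {
  bucket = google_storage_bucket.vault_init.name
  role   = "roles/storage.objectAdmin"
  member = "serviceAccount:${var.vault_sa_email}"
}
```

Rotation only changes which key version encrypts new data: older versions stay enabled, so the object vault-init wrote at initialization keeps decrypting, but nothing re-encrypts it automatically. Key rings cannot be deleted in Cloud KMS and key versions are destroyed only after the scheduled delay, so `prevent_destroy` protects against an accidental `terraform destroy` reaching that point rather than replacing the 24-hour safeguard.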
Overview - Architecture