Secrets Management and Delivery to
Kubernetes Pods
Satish Devarapalli
$whoami
Satish Devarapalli
Cloud Platform Architect
@devasat
https://www.linkedin.com/in/satish-devarapalli-48a82a5/
Agenda
● Project Intro
● Secrets Delivery Pipeline View
● Mozilla SOPS (Secret OPerationS)
● Questions
Project Intro
Product (diagram): auth µsvc, µsvc, ...
Application Secrets
● Database Credentials
● AWS Credentials
● API Keys
● License Keys
● Encryption Keys
CI/CD Secrets
● AWS Credentials
● Kube Config Files
● Encryption Keys
Secrets Management Requirements
● Manage secrets as code → check-in, build and deploy
○ Secrets should be encrypted before check-in
● Encryption keys management
○ Different encryption keys for environments
○ Centralized access → do not store keys locally
○ Audit usage
○ Limit key access to individual members based on environment
○ Grant and revoke access easily
● Jenkins → minimal configuration on Jenkins nodes
○ Do not store encryption keys on Jenkins master or nodes
○ Secrets should not be left in plain text format on build success or failure
○ Store encrypted kube config files and AWS credentials in Git
● Limit secrets access to the microservices that use them
Agenda
● Project Intro
● Secrets Delivery Pipeline View
● Mozilla SOPS (Secret OPerationS)
● Questions
Secrets Delivery Pipeline
(diagram: Mozilla SOPS + AWS KMS encrypt and decrypt the secrets for each environment: Dev, QA, Prod; the Jenkins job runs inside a container and performs a Helm install per environment)
Helm chart versions:
env-config-1.0.0-101-af837dh
env-config-1.0.0-102-x7jwy62
Agenda
● Project Intro
● Secrets Delivery Pipeline View
● Mozilla SOPS (Secret OPerationS)
● Questions
AWS KMS - Envelope Encryption
Picture source: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/how-it-works.html
Mozilla Secret OPerationS (SOPS)
~ > export SOPS_KMS_ARN="arn:aws:kms:us-east-1:212121:key/3434-c5f1-4040"
~ > sops -e secret-values.dec.yaml > secret-values.enc.yaml
Picture source: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/how-it-works.html
(diagram: SOPS generates a 256-bit data key and encrypts secret-values.dec.yaml with it into secret-values.enc.yaml; the data key is wrapped by the KMS key SOPS_KMS_ARN inside the AWS boundary)
Mozilla Secret OPerationS (SOPS)
(screenshots: secret-values.dec.yaml next to secret-values.enc.yaml)
Mozilla Secret OPerationS (SOPS)
secret-values.enc.yaml = data + encryption information
● Data
● Encryption Key ID
● Base64 encoded value of the encrypted data key
● Message Authentication Code: prevents file tampering
● JSON and YAML keys are not encrypted
Mozilla SOPS - Key Providers
● Microsoft Azure Key Vault: SOPS_AZURE_KEYVAULT_URL
● Google Cloud KMS: SOPS_GCP_KMS_IDS
● AWS KMS: SOPS_KMS_ARN
● PGP: SOPS_PGP_FP
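The file layout on the previous slide (encrypted values, cleartext keys, wrapped data key, MAC) and the key-provider list above are what a pre-commit gate should check before an encrypted file is allowed into Git. The following is an added example, not code from the deck or from the SOPS project; the ARN, timestamps and base64 blobs in the sample document are constructed placeholders:

```python
"""Pre-commit style check that a SOPS-encrypted JSON file is safe to check in.

Added example, not part of the slide deck or the SOPS project. It implements
the structural checks a reviewer wants before an encrypted secrets file lands
in Git: every data value is a SOPS ENC[...] envelope (keys stay in cleartext,
as the deck notes), the `sops` metadata names at least one master key from a
supported provider, and a MAC is present. Without the master key it cannot
verify the MAC itself; `sops -d` does that on decryption.
"""
import copy
import json
import re

# Shape of a value SOPS has encrypted with AES-256-GCM under the 256-bit data key.
ENC_RE = re.compile(
    r"^ENC\[AES256_GCM,data:[A-Za-z0-9+/=]*,iv:[A-Za-z0-9+/=]+,"
    r"tag:[A-Za-z0-9+/=]+,type:(str|int|float|bool|bytes|comment)\]$"
)
# Metadata fields under `sops` that record master keys, one per key provider.
MASTER_KEY_FIELDS = ("kms", "gcp_kms", "azure_kv", "pgp", "hc_vault", "age")


def find_plaintext_leaves(node, path=""):
    """Return dotted paths of data values that are not ENC[...] envelopes."""
    bad = []
    if isinstance(node, dict):
        for key, value in node.items():
            bad += find_plaintext_leaves(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            bad += find_plaintext_leaves(value, f"{path}[{i}]")
    elif not (isinstance(node, str) and ENC_RE.match(node)):
        bad.append(path)
    return bad


def check_sops_document(doc):
    """Return a list of findings; an empty list means the file looks safe to commit."""
    meta = doc.get("sops")
    if not isinstance(meta, dict):
        return ["no 'sops' metadata section: file is not SOPS-encrypted"]
    data = {k: v for k, v in doc.items() if k != "sops"}
    findings = [f"plaintext value at {p}" for p in find_plaintext_leaves(data)]
    if not any(meta.get(field) for field in MASTER_KEY_FIELDS):
        findings.append("no master key recorded: nobody could decrypt this file")
    for entry in meta.get("kms") or []:
        if not entry.get("enc"):
            findings.append(f"kms entry {entry.get('arn')} lacks the wrapped data key")
    mac = meta.get("mac")
    if not (isinstance(mac, str) and ENC_RE.match(mac)):
        findings.append("missing or malformed MAC: tampering would go undetected")
    return findings


def check_sops_file(path):
    """Load a JSON file from disk and run the checks on it."""
    with open(path, encoding="utf-8") as fh:
        return check_sops_document(json.load(fh))


# Constructed sample in the shape `sops -e secret-values.dec.json` produces.
# Base64 fields are dummy bytes, not real ciphertext; the ARN is a placeholder.
GOOD = {
    "db_password": "ENC[AES256_GCM,data:cGxhY2Vob2xkZXI=,iv:aXZpdml2aXZpdml2,tag:dGFndGFndGFndGFn,type:str]",
    "aws": {
        "access_key_id": "ENC[AES256_GCM,data:QUtJQQ==,iv:aXZpdg==,tag:dGFndGFn,type:str]",
        "secret_access_key": "ENC[AES256_GCM,data:c2VjcmV0,iv:aXZpdg==,tag:dGFndGFn,type:str]",
    },
    "sops": {
        "kms": [{
            "arn": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000",
            "created_at": "2019-01-01T00:00:00Z",
            "enc": "QUJDREVGR0hJSktMTU5PUA==",
            "aws_profile": "",
        }],
        "gcp_kms": None,
        "azure_kv": None,
        "pgp": None,
        "lastmodified": "2019-01-01T00:00:00Z",
        "mac": "ENC[AES256_GCM,data:bWFjbWFjbWFj,iv:aXZpdg==,tag:dGFndGFn,type:str]",
        "version": "3.x-placeholder",
    },
}

# A copy an engineer might produce by hand-editing the encrypted file: one value
# pasted in cleartext and the MAC dropped.
BAD = copy.deepcopy(GOOD)
BAD["aws"]["secret_access_key"] = "hunter2"
del BAD["sops"]["mac"]

if __name__ == "__main__":
    print("good:", check_sops_document(GOOD) or "OK")
    print("bad: ", check_sops_document(BAD))
```

Files encrypted with `--encrypted-regex` or an unencrypted suffix legitimately keep some values in cleartext; this check assumes the whole-file encryption the deck uses.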
Mozilla SOPS - File Types
● Supported types: JSON, YAML and Binary
● Special support for JSON and YAML files
○ Encrypts only the values
○ File extension is used to determine the type
■ secret-values.yaml.enc → binary file
■ secret-values.enc.yaml → YAML file
○ Some YAML types (anchors, streams, top-level arrays) are not supported
● Binary: the input file is treated as a blob (diagram callouts: key fingerprint, encrypted data key)
Mozilla SOPS - Multiple Master Keys
(diagram: Shared Services Global Master Key; Business Unit 1 and Business Unit 2, each with DEV, QA and PROD keys)
Multiple master key uses:
- Encryption key in master AWS account
- Encryption keys in different regions
- Encryption keys in different key providers (hybrid cloud)
- PGP key (stored offline)
Mozilla SOPS - .sops.yaml
The filename path passed to sops is matched against the regex in .sops.yaml:
dev/secret-values.enc.yaml ✔
dev/secret-values.dec.yaml ✔
dev/aws-credentials.dec ✔
dev/aws-credentials ❌
Mozilla SOPS - .sops.yaml
At the root directory:
~> sops -i -e dev/secret-values.enc.yaml ✔
~> cd dev && sops -i -e secret-values.enc.yaml ❌
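The ✔/❌ cases on these two slides follow from how the path handed to sops is matched against the creation rules in .sops.yaml, which is also where one environment's secrets get bound to that environment's KMS key (and, per the Multiple Master Keys slide, to extra keys in other regions or an offline PGP key). The model below is an added example, not from the deck or the SOPS project; the ARNs and the PGP fingerprint are placeholders:

```python
"""Model of how a .sops.yaml creation_rules list picks master keys for a file.

Added example, not from the slide deck or the SOPS project. It reproduces the
behaviour the deck describes: the path string handed to sops is matched against
each rule's path_regex, the first match wins, and a file that matches no rule
cannot be encrypted. ARNs and the PGP fingerprint are placeholders.
"""
import re

# Placeholder master keys: one KMS key per environment, plus an offline PGP key
# as the recovery path (the "Multiple Master Keys" slide).
DEV_KMS = "arn:aws:kms:us-east-1:111122223333:key/dev-key-placeholder"
QA_KMS = "arn:aws:kms:us-east-1:111122223333:key/qa-key-placeholder"
PROD_KMS = "arn:aws:kms:us-east-1:444455556666:key/prod-key-placeholder"
PROD_KMS_DR = "arn:aws:kms:us-west-2:444455556666:key/prod-dr-key-placeholder"
RECOVERY_PGP = "0000000000000000000000000000000000000000"

# Equivalent of a .sops.yaml kept at the repository root. The regex accepts the
# deck's naming scheme: <env>/<name>.enc.yaml, <name>.dec.yaml, <name>.dec and
# <name>.yaml.enc (binary), but not a bare <name>.
ENC_OR_DEC = r".*\.(enc|dec)(\.ya?ml|\.json)?$"
CREATION_RULES = [
    {"path_regex": r"^dev/" + ENC_OR_DEC, "kms": [DEV_KMS], "pgp": [RECOVERY_PGP]},
    {"path_regex": r"^qa/" + ENC_OR_DEC, "kms": [QA_KMS], "pgp": [RECOVERY_PGP]},
    # prod is encrypted to keys in two regions of a separate AWS account.
    {"path_regex": r"^prod/" + ENC_OR_DEC, "kms": [PROD_KMS, PROD_KMS_DR], "pgp": [RECOVERY_PGP]},
]


def select_rule(path, rules=CREATION_RULES):
    """First rule whose path_regex matches `path` (unanchored search, as in sops), else None."""
    for rule in rules:
        if re.search(rule["path_regex"], path):
            return rule
    return None


def can_encrypt(path, rules=CREATION_RULES):
    """True when sops would find a creation rule for this path."""
    return select_rule(path, rules) is not None


def master_keys_for(path, rules=CREATION_RULES):
    """Master keys a new file at `path` is encrypted to.

    Raises ValueError when no rule matches, mirroring sops refusing to encrypt
    a file for which .sops.yaml names no key.
    """
    rule = select_rule(path, rules)
    if rule is None:
        raise ValueError(f"no matching creation rule for {path!r}")
    return sorted(rule.get("kms", []) + rule.get("pgp", []))


if __name__ == "__main__":
    for p in ("dev/secret-values.enc.yaml", "dev/aws-credentials.dec", "dev/aws-credentials",
              # `cd dev && sops -i -e secret-values.enc.yaml`: the path no longer starts with dev/
              "secret-values.enc.yaml"):
        print(f"{p:32} {'OK' if can_encrypt(p) else 'no rule'}")
    print(master_keys_for("prod/secret-values.enc.yaml"))
```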
Mozilla SOPS - Edit Files
Option 1: in-place edit
● Data key doesn't change
● Only the key value that was modified appears in the git diff
~ > export EDITOR=vi
~ > sops -i secret-values.enc.yaml
Mozilla SOPS - Edit Files
Option 2: decrypt and encrypt
● Data key changes
● All key values appear to have changed in the git diff
~ > # Decrypt
~ > sops -d secret-values.enc.yaml > secret-values.dec.yaml
~ > # Encrypt
~ > sops -e secret-values.dec.yaml > secret-values.enc.yaml
Mozilla SOPS - Diffs in Cleartext in Git
.gitattributes:
~ > cat ~/.gitattributes
*.enc diff=sopsdiffer
*.enc.yaml diff=sopsdiffer
*.enc.json diff=sopsdiffer
.gitconfig:
~ > grep -A1 sops ~/.gitconfig
[diff "sopsdiffer"]
textconv = "sops -d"
In my testing, this worked if .sops.yaml is at the root directory of the git project and the regex expression is based on the filename but not the directory name:
dev/secret-values.enc.yaml → dev-secret-values.enc.yaml
Mozilla SOPS - Demo
● Install SOPS
● Create and export GPG keys
● Set up .sops.yaml, folder per environment and encrypt input file
● In-place edit
Secrets Management Requirements
● Manage secrets as code → check-in, build and deploy
○ Secrets should be encrypted before check-in ✔
● Encryption keys management
○ Different encryption keys for environments ✔
○ Centralized access → do not store keys locally ✔
○ Audit usage ✔
○ Limit key access to individual members based on environment ✔
○ Grant and revoke access easily ✔
● Jenkins → minimal configuration on Jenkins nodes
○ Do not store encryption keys on Jenkins master or nodes
○ Secrets should not be left in plain text format on build success or failure
○ Store encrypted kube config files and AWS credentials in Git
● Limit secrets access to the microservices that use them
Jenkins
(diagram: Jenkins job in a container; the host workspace /jenkins/job1/ws is bind-mounted at /ws, and an in-memory tmpfs is mounted at /build)
● Jenkins → minimal configuration on Jenkins nodes
○ Do not store encryption keys on Jenkins master or nodes → AWS KMS
○ Secrets should not be left in plain text format on build success or failure → Docker tmpfs
○ Store encrypted kube config files and AWS credentials in Git → AWS KMS
Decrypted files are stored only in the /build directory
Jenkins access:
- ECR
- KMS
- S3
Secrets Management Requirements
● Manage secrets as code → check-in, build and deploy
○ Secrets should be encrypted before check-in ✔
● Encryption keys management
○ Different encryption keys for environments ✔
○ Centralized access → do not store keys locally ✔
○ Audit usage ✔
○ Limit key access to individual members based on environment ✔
○ Grant and revoke access easily ✔
● Jenkins → minimal configuration on Jenkins nodes
○ Do not store encryption keys on Jenkins master or nodes ✔
○ Secrets should not be left in plain text format on build success or failure ✔
○ Store encrypted kube config files and AWS credentials in Git ✔
● Limit secrets access to the microservices that use them
Limit Secrets Access to Microservices
Separate Secret object for each credential
Helm's values.yaml:
secret1Enabled: true
secret2Enabled: false
Helm's Deployment.yaml:
{{ if .Values.secret1Enabled }}
- name: {{ .Values.secret.secret1 }}
  secret:
    secretName: {{ .Values.secret.secret1 }}
{{ end }}
Secrets Management Requirements
● Manage secrets as code → check-in, build and deploy
○ Secrets should be encrypted before check-in ✔
● Encryption keys management
○ Different encryption keys for environments ✔
○ Centralized access → do not store keys locally ✔
○ Audit usage ✔
○ Limit key access to individual members based on environment ✔
○ Grant and revoke access easily ✔
● Jenkins → minimal configuration on Jenkins nodes
○ Do not store encryption keys on Jenkins master or nodes ✔
○ Secrets should not be left in plain text format on build success or failure ✔
○ Store encrypted kube config files and AWS credentials in Git ✔
● Limit secrets access to the microservices that use them ✔
Questions
?

"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
 
Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
 

Secrets Management and Delivery to Kubernetes Pods

  • 1. Secrets Management and Delivery to Kubernetes Pods Satish Devarapalli
  • 2. $whoami Satish Devarapalli Cloud Platform Architect @devasat https://www.linkedin.com/in/satish-devarapalli-48a82a5/
  • 3. Agenda ● Project Intro ● Secrets Delivery Pipeline View ● Mozilla SOPS (Secret OPerationS) ● Questions
  • 4. Project Intro (diagram: Product = auth, µ svc, µ svc, ...)
     Application Secrets
     ● Database Credentials
     ● AWS Credentials
     ● API Keys
     ● License Keys
     ● Encryption Keys
     CI/CD Secrets
     ● AWS Credentials
     ● Kube Config Files
     ● Encryption Keys
  • 5. Secrets Management Requirements
     ● Manage secrets as code → check-in, build and deploy
       ○ Secrets should be encrypted before check-in
     ● Encryption keys management
       ○ Different encryption keys for environments
       ○ Centralized access → do not store keys locally
       ○ Audit usage
       ○ Limit key access to individual members based on environment
       ○ Grant and revoke access easily
     ● Jenkins → minimal configuration on Jenkins nodes
       ○ Do not store encryption keys on Jenkins master or nodes
       ○ Secrets should not be left in plain text format on build success or failure
       ○ Store encrypted kube config files and AWS credentials in Git
     ● Limit secrets access to microservices that use it
  • 6. Agenda ● Project Intro ● Secrets Delivery Pipeline View ● Mozilla SOPS (Secret OPerationS) ● Questions
  • 7. Secrets Delivery Pipeline (diagram labels: Mozilla SOPS + AWS KMS, enc / dec; environments Dev, QA, Prod; Mozilla SOPS + AWS KMS, dec / enc; Jenkins job runs inside a container; Helm install for each environment)
     Helm chart versions:
     env-config-1.0.0-101-af837dh
     env-config-1.0.0-102-x7jwy62
  • 8. Agenda ● Project Intro ● Secrets Delivery Pipeline View ● Mozilla SOPS (Secret OPerationS) ● Questions
  • 9. AWS KMS - Envelope Encryption Picture source: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/how-it-works.html
  • 10. Mozilla Secret OPerationS (SOPS)
     ~ > export SOPS_KMS_ARN="arn:aws:kms:us-east-1:212121:key/3434-c5f1-4040"
     ~ > sops -e secret-values.dec.yaml > secret-values.enc.yaml
     Diagram labels: SOPS generates a 256-bit data key; secret-values.dec.yaml → secret-values.enc.yaml; SOPS_KMS_ARN; AWS Boundary
     Picture source: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/how-it-works.html
  • 11. Mozilla Secret OPerationS (SOPS) secret-values.dec.yaml secret-values.enc.yaml
  • 12. Mozilla Secret OPerationS (SOPS): secret-values.enc.yaml = data + encryption information
     ● Data Encryption Key ID
     ● Base64 encoded value of the encrypted data key
     ● Message Authentication Code → prevents file tampering
     ● JSON and YAML keys are not encrypted (only the values are)
  • 13. Mozilla SOPS - Key Providers
     ● Microsoft Azure Key Vault → SOPS_AZURE_KEYVAULT_URL
     ● Google Cloud KMS → SOPS_GCP_KMS_IDS
     ● AWS KMS → SOPS_KMS_ARN
     ● PGP → SOPS_PGP_FP
  • 14. Mozilla SOPS - File Types
     ● Supported types: JSON, YAML and Binary (binary: the input file is treated as a blob; diagram labels: key fingerprint, encrypted data key)
     ● Special support for JSON and YAML files
       ○ Encrypts only the values
       ○ File extension is used to determine the type
         ■ secret-values.yaml.enc → binary file
         ■ secret-values.enc.yaml → yaml file
       ○ Some YAML types (anchors, streams, top-level arrays) are not supported
  • 15. Mozilla SOPS - Multiple Master Keys (diagram: Shared Services Global Master Key; Business Unit 1 and Business Unit 2, each with DEV, QA and PROD keys)
     Multiple master key uses:
     - Encryption key in master AWS account
     - Encryption keys in different regions
     - Encryption keys in different key providers (hybrid cloud)
     - PGP key (stored offline)
  • 16. Mozilla SOPS - .sops.yaml: the filename path passed to sops is matched against the path_regex of the creation rule
     dev/secret-values.enc.yaml ✔
     dev/secret-values.dec.yaml ✔
     dev/aws-credentials.dec ✔
     dev/aws-credentials ❌
  • 17. Mozilla SOPS - .sops.yaml at the root directory
     ~> sops -i -e dev/secret-values.enc.yaml ✔
     ~> cd dev && sops -i -e secret-values.enc.yaml ❌
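Slides 14, 16 and 17 describe two lookups SOPS performs before it touches a file: the store type comes from the file extension, and the master key comes from the first creation rule in .sops.yaml whose path_regex matches the path. The Python below is an added example, not from the talk or the SOPS project, that reproduces both lookups so the ✔/❌ cases above can be checked locally. The creation rules, the regex patterns and the key ARNs are constructed assumptions (the slide shows the real .sops.yaml only as an image), and the matching follows the slide's statement that the path exactly as passed to sops is what is matched; check your SOPS release's documentation for how it normalises the path before matching.

```python
"""Simulate SOPS creation-rule selection and file-type detection (added example,
not from the talk or the SOPS project). The rules below are constructed; the
key ARNs are placeholders, not real keys."""
import re

# Constructed .sops.yaml, already parsed so the example runs without PyYAML.
# The YAML form of the first rule would be:
#   creation_rules:
#     - path_regex: dev/.*\.(dec|enc)(\.yaml|\.json)?$
#       kms: arn:aws:kms:us-east-1:000000000000:key/DEV-KEY-PLACEHOLDER
# One rule per environment gives each environment its own master key (slide 15).
CREATION_RULES = [
    {"path_regex": r"dev/.*\.(dec|enc)(\.yaml|\.json)?$",
     "kms": "arn:aws:kms:us-east-1:000000000000:key/DEV-KEY-PLACEHOLDER"},
    {"path_regex": r"qa/.*\.(dec|enc)(\.yaml|\.json)?$",
     "kms": "arn:aws:kms:us-east-1:000000000000:key/QA-KEY-PLACEHOLDER"},
    {"path_regex": r"prod/.*\.(dec|enc)(\.yaml|\.json)?$",
     "kms": "arn:aws:kms:us-east-1:000000000000:key/PROD-KEY-PLACEHOLDER"},
]


def select_rule(path, rules=CREATION_RULES):
    """Return the first rule whose path_regex matches the path as given to sops.
    The regex is unanchored (a search, not a full match); a rule without
    path_regex matches every file. No match means sops has no key to use."""
    for rule in rules:
        pattern = rule.get("path_regex")
        if pattern is None or re.search(pattern, path):
            return rule
    return None


def kms_key_for(path, rules=CREATION_RULES):
    """Master key ARN sops would encrypt the file with, or None (slide 16/17 ❌ cases)."""
    rule = select_rule(path, rules)
    return rule["kms"] if rule else None


def sops_file_type(path):
    """Store type chosen from the last extension (slide 14): secret-values.enc.yaml
    is handled as YAML, secret-values.yaml.enc as an opaque binary blob."""
    lower = path.lower()
    if lower.endswith((".yaml", ".yml")):
        return "yaml"
    if lower.endswith(".json"):
        return "json"
    return "binary"


def explain(path):
    """One-line summary used by the demo below."""
    return f"{path}: type={sops_file_type(path)} key={kms_key_for(path)}"


if __name__ == "__main__":
    # The four paths from slide 16, then the cwd-dependent case from slide 17.
    for candidate in ["dev/secret-values.enc.yaml", "dev/secret-values.dec.yaml",
                      "dev/aws-credentials.dec", "dev/aws-credentials",
                      "secret-values.enc.yaml"]:
        print(explain(candidate))
```

The last candidate is what sops sees after `cd dev`: the "dev/" prefix is gone, no rule matches, and kms_key_for returns None, which is the ❌ on slide 17.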
  • 18. Mozilla SOPS - Edit Files, option 1: in-place edit
     ● Data key doesn’t change
     ● Only the key value that was modified appears in the git diff
     ~ > export EDITOR=vi
     ~ > sops -i secret-values.enc.yaml
  • 19. Mozilla SOPS - Edit Files, option 2: decrypt and encrypt
     ● Data key changes
     ● All key values appear to have changed in the git diff
     ~ > # Decrypt
     ~ > sops -d secret-values.enc.yaml > secret-values.dec.yaml
     ~ > # Encrypt
     ~ > sops -e secret-values.dec.yaml > secret-values.enc.yaml
  • 20. Mozilla SOPS - Diffs in Cleartext in Git
     ~ > cat ~/.gitattributes
     *.enc diff=sopsdiffer
     *.enc.yaml diff=sopsdiffer
     *.enc.json diff=sopsdiffer
     ~ > grep -A1 sops ~/.gitconfig
     [diff "sopsdiffer"]
         textconv = "sops -d"
     In my testing, this worked if .sops.yaml is at the root directory of the git project and the regex expression is based on the filename but not the directory name: dev/secret-values.enc.yaml → dev-secret-values.enc.yaml
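Slide 12 lists what an encrypted file carries (ciphertext values, the wrapped data key, a MAC, and keys left in clear), and slides 18 to 20 explain why an in-place edit shows up in git as a single changed value while decrypt-and-encrypt makes every value change. The Python below is an added example, not from the talk or the SOPS project: it inspects the JSON form of a SOPS file without any key access, reports values that are still in plaintext (a pre-commit guard for the "encrypted before check-in" requirement on slide 5), and compares two versions of a file to tell an in-place edit from a re-encryption by looking at the wrapped data key. The sample documents, the ARN, the version string and the ciphertext strings are constructed placeholders, not real SOPS output.

```python
"""Inspect SOPS-encrypted JSON documents without decrypting them (added example,
not from the talk or the SOPS project). Sample documents are constructed."""
import json
import re

# Shape of a SOPS ciphertext leaf: ENC[AES256_GCM,data:<b64>,iv:<b64>,tag:<b64>,type:<type>]
ENC_VALUE = re.compile(
    r"^ENC\[AES256_GCM,data:[^,\]]+,iv:[^,\]]+,tag:[^,\]]+,type:[a-z]+\]$"
)


def iter_leaves(node, path=()):
    """Yield (path, value) for every scalar in the document, skipping the top-level 'sops' block."""
    if isinstance(node, dict):
        for key, value in node.items():
            if not path and key == "sops":
                continue
            yield from iter_leaves(value, path + (key,))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_leaves(value, path + (str(index),))
    else:
        yield path, node


def plaintext_leaves(doc):
    """Dotted paths of values that are not SOPS ciphertext. Keys carrying the
    unencrypted suffix are skipped because SOPS intentionally leaves them in clear."""
    suffix = (doc.get("sops") or {}).get("unencrypted_suffix", "_unencrypted")
    leaks = []
    for path, value in iter_leaves(doc):
        if path[-1].endswith(suffix):
            continue
        if not (isinstance(value, str) and ENC_VALUE.match(value)):
            leaks.append(".".join(path))
    return leaks


def check_file(filename):
    """Pre-commit style check: load an *.enc.json file and report any plaintext leaves."""
    with open(filename, encoding="utf-8") as fh:
        return plaintext_leaves(json.load(fh))


def kms_keys(doc):
    """ARNs of the master keys the data key is wrapped with (slide 12: key ID + encrypted data key)."""
    return [entry["arn"] for entry in ((doc.get("sops") or {}).get("kms") or [])]


def data_key_changed(before, after):
    """True when the wrapped data key differs: the file was decrypted and re-encrypted
    (slide 19) rather than edited in place (slide 18)."""
    def wrapped(doc):
        return [entry.get("enc") for entry in ((doc.get("sops") or {}).get("kms") or [])]
    return wrapped(before) != wrapped(after)


def changed_values(before, after):
    """Dotted paths whose stored (cipher)text differs between two versions of the file."""
    old = {".".join(p): v for p, v in iter_leaves(before)}
    new = {".".join(p): v for p, v in iter_leaves(after)}
    return sorted(k for k in old.keys() | new.keys() if old.get(k) != new.get(k))


def _sample(ciphertexts, wrapped_key):
    """Constructed SOPS-style document; ciphertext and key strings are placeholders."""
    doc = {k: f"ENC[AES256_GCM,data:{v},iv:IV,tag:TAG,type:str]" for k, v in ciphertexts.items()}
    doc["env_unencrypted"] = "dev"  # the suffix keeps this value in clear by design
    doc["sops"] = {
        "kms": [{"arn": "arn:aws:kms:us-east-1:000000000000:key/DEV-KEY-PLACEHOLDER",
                 "enc": wrapped_key, "created_at": "2019-01-01T00:00:00Z"}],
        "mac": "ENC[AES256_GCM,data:MAC,iv:IV,tag:TAG,type:str]",
        "unencrypted_suffix": "_unencrypted",
        "version": "VERSION-PLACEHOLDER",
    }
    return doc


BEFORE = _sample({"db_password": "c1", "api_key": "c2"}, "WRAPPED-KEY-A")
AFTER_INPLACE = _sample({"db_password": "c1", "api_key": "c3"}, "WRAPPED-KEY-A")    # sops -i edit
AFTER_REENCRYPT = _sample({"db_password": "c9", "api_key": "c8"}, "WRAPPED-KEY-B")  # sops -d, then -e
LEAKY = dict(BEFORE, db_password="hunter2")  # constructed: a value committed in plaintext

if __name__ == "__main__":
    print("plaintext leaves:", plaintext_leaves(LEAKY))
    print("in-place edit changed:", changed_values(BEFORE, AFTER_INPLACE),
          "data key rotated:", data_key_changed(BEFORE, AFTER_INPLACE))
    print("re-encrypt changed:", changed_values(BEFORE, AFTER_REENCRYPT),
          "data key rotated:", data_key_changed(BEFORE, AFTER_REENCRYPT))
```

Running check_file over every staged *.enc.json and failing the commit when it returns a non-empty list enforces the slide 5 requirement without giving the hook any KMS access; the same functions apply to YAML files once a YAML parser has produced the dict, since SOPS writes the same structure in both stores.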
  • 21. Mozilla SOPS - Demo ● Install SOPS ● Create and export GPG keys ● Set up .sops.yaml, folder per environment and encrypt input file ● In-place edit
  • 22. Secrets Management Requirements
     ● Manage secrets as code → check-in, build and deploy
       ○ Secrets should be encrypted before check-in ✔
     ● Encryption keys management
       ○ Different encryption keys for environments ✔
       ○ Centralized access → do not store key locally ✔
       ○ Audit usage ✔
       ○ Limit key access to individual members based on environment ✔
       ○ Grant and revoke access easily ✔
     ● Jenkins → minimal configuration on Jenkins nodes
       ○ Do not store encryption keys on Jenkins master or nodes
       ○ Secrets should not be left in plain text format on build success or failure
       ○ Store encrypted kube config files and AWS credentials in Git
     ● Limit secrets access to microservices that use it
  • 23. Jenkins (diagram labels: Jenkins /jenkins/job1/ws → /ws, bind mount; /build, tmpfs in memory; Jenkins job in a container)
     ● Jenkins → minimal configuration on Jenkins nodes
       ○ Do not store encryption keys on Jenkins master or nodes → AWS KMS
       ○ Secrets should not be left in plain text format on build success or failure → Docker tmpfs
       ○ Store encrypted kube config files and AWS credentials in Git → AWS KMS
     Decrypted files are stored only in the /build directory
     Jenkins Access: ECR, KMS, S3
  • 24. Secrets Management Requirements
     ● Manage secrets as code → check-in, build and deploy
       ○ Secrets should be encrypted before check-in ✔
     ● Encryption keys management
       ○ Different encryption keys for environments ✔
       ○ Centralized access → do not store key locally ✔
       ○ Audit usage ✔
       ○ Limit key access to individual members based on environment ✔
       ○ Grant and revoke access easily ✔
     ● Jenkins → minimal configuration on Jenkins nodes
       ○ Do not store encryption keys on Jenkins master or nodes ✔
       ○ Secrets should not be left in plain text format on build success or failure ✔
       ○ Store encrypted kube config files and AWS credentials in Git ✔
     ● Limit secrets access to microservices that use it
  • 25. Limit Secrets Access to Microservices: a separate Secret object for each credential
     Helm’s values.yaml:
       secret1Enabled: true
       secret2Enabled: false
     Helm’s Deployment.yaml:
       {{ if .Values.secret1Enabled }}
       - name: {{ .Values.secret.secret1 }}
         secret:
           secretName: {{ .Values.secret.secret1 }}
       {{ end }}
  • 26. Secrets Management Requirements
     ● Manage secrets as code → check-in, build and deploy
       ○ Secrets should be encrypted before check-in ✔
     ● Encryption keys management
       ○ Different encryption keys for environments ✔
       ○ Centralized access → do not store key locally ✔
       ○ Audit usage ✔
       ○ Limit key access to individual members based on environment ✔
       ○ Grant and revoke access easily ✔
     ● Jenkins → minimal configuration on Jenkins nodes
       ○ Do not store encryption keys on Jenkins master or nodes ✔
       ○ Secrets should not be left in plain text format on build success or failure ✔
       ○ Store encrypted kube config files and AWS credentials in Git ✔
     ● Limit secrets access to microservices that use it ✔