Vault em Kubernetes

Transcript

1. Vault em kubernetes Carol Valencia

2. tópicos - Desafios - Introdução vault - Vault na prática

   - Aplicação em kubernetes usando vault

3. desafios • Credentials stored & transmitted in Plaintext format •

   Credentials almost never get renewed once it is issued or manual renewal • No PKI Certificate Management • API Keys are hand generated and never renewed • No SSH Key storage • Lack of automation for secrets deployment • …….

4. Vault features • Secure Secret Storage • Dynamic Secrets (Secret

   as a Service) • Data Encryption • Leasing and Renewal (Key Rotation) • Revocation • Audit Control • Integration with a wide variety of Databases and Tools • …...

5. Secure secret storage • Basic Credentials • Tokens, TOTP •

   PKI Certificate Management (It’s easy to be your own certificate authority) • LDAP • SSH Keys

6. Dynamic secrets • No need to write down, store, or

   share passwords • Enables very short lived passwords, less exposure if compromised • For distributed applications, every instance gets unique credentials • Constantly changing and expiring usernames/passwords are much harder to brute force • Automatic password rotation/expiration

7. Vault http api/cli

8. Vault storage backend • Azure • CockroachDB • Consul •

   DynamoDB • Etcd • Filesystem • FoundationDB • Google Cloud Storage • In-Memory • Manta • MySQL • PostgreSQL • Cassandra • S3 • Swift • Zookeeper

9. Vault authentication

10. Vault authentication

11. Vault authorization

12. Vault authorization

13. Vault secrets

14. Vault agent

15. Demo vaults com kubernetes - Minikube - Helm - Vault:

    Hashicorp - Storage: mariadb

16. Demo vaults com kubernetes - Kubernetes: minikube start - Service

    Account: kubectl apply -f app-vault/vault-auth-sa - Config: kubectl create configmap example-vault-agent-config --from-file=./configs-k8s/ - Vault policies & secrets: bash setup-k8s-auth.sh - Deploy app: kubectl apply -f pod-example.yml --record - Test application: curl http://localhost:8080 - Validate secret: vault kv get secret/myapp/config

17. Demo Github: https://github.com/krol3/k8s-vaults/tree/master/hashicorp Video: https://www.youtube.com/watch?v=9HshlpJM5ho

18. resources - https://medium.com/@maxy_ermayank/credential-store-using- hashicorp-vault-7d2fdeed08f2 - https://github.com/hashicorp/vault-guides/tree/master/ide ntity/vault-agent-k8s-demo - https://www.youtube.com/watch?v=B16YTeSs1hI&t=1707s -

19. Linkedin: Carol Valencia Github: krol3 Email: [email protected]