Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Vault em Kubernetes

Carol
May 26, 2019
Technology
3
190

Vault em Kubernetes

Explorar a ferramenta de cofres da hashicorp integrada Kubernetes.

Carol

May 26, 2019
Tweet

More Decks by Carol

See All by Carol
Contribute to translate K8s Docs, Glossary and CNCF-whitepaper
krol3
1
90
Vulnerabilities in Golang
krol3
0
21
DevSecOps em Aplicações, Cloud, Artefatos
krol3
2
130
Security in Cloud using Infrastructure as a Code (IaaS)
krol3
0
150
Compliance in Cloud Native
krol3
2
170
Security Opensource Tools in Cloud Native
krol3
1
190
Intro to Operators in Kubernetes
krol3
0
62
Container Security
krol3
4
300
Segurança em Kubernetes
krol3
1
190

Other Decks in Technology

See All in Technology
Amplify Gen2 Deep Dive / バックエンドの型をいかにしてフロントエンドへ伝えるか #TSKaigi #TSKaigiKansai #AWSAmplifyJP
tacck
PRO
0
390
複雑なState管理からの脱却
sansantech
PRO
1
150
Shopifyアプリ開発における Shopifyの機能活用
sonatard
4
250
【Pycon mini 東海 2024】Google Colaboratoryで試すVLM
kazuhitotakahashi
2
540
日経電子版のStoreKit2フルリニューアル
shimastripe
1
140
生成AIが変えるデータ分析の全体像
ishikawa_satoru
0
170
アジャイルチームがらしさを発揮するための目標づくり / Making the goal and enabling the team
kakehashi
3
140
TanStack Routerに移行するのかい しないのかい、どっちなんだい! / Are you going to migrate to TanStack Router or not? Which one is it?
kaminashi
0
600
Incident Response Practices: Waroom's Features and Future Challenges
rrreeeyyy
0
160
ノーコードデータ分析ツールで体験する時系列データ分析超入門
negi111111
0
420
Terraform Stacks入門 #HashiTalks
msato
0
360
SREが投資するAIOps ~ペアーズにおけるLLM for Developerへの取り組み~
takumiogawa
1
430

Featured

See All Featured
Producing Creativity
orderedlist
PRO
341
39k
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.1k
Practical Orchestrator
shlominoach
186
10k
Facilitating Awesome Meetings
lara
50
6.1k
Navigating Team Friction
lara
183
14k
Why You Should Never Use an ORM
jnunemaker
PRO
54
9.1k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
665
120k
Put a Button on it: Removing Barriers to Going Fast.
kastner
59
3.5k
Side Projects
sachag
452
42k
How To Stay Up To Date on Web Technology
chriscoyier
788
250k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
44
2.2k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
47
5k

Transcript

  1. Vault em kubernetes Carol Valencia

  2. tópicos - Desafios - Introdução vault - Vault na prática

    - Aplicação em kubernetes usando vault

  3. desafios • Credentials stored & transmitted in Plaintext format •

    Credentials almost never get renewed once it is issued or manual renewal • No PKI Certificate Management • API Keys are hand generated and never renewed • No SSH Key storage • Lack of automation for secrets deployment • …….

  4. Vault features • Secure Secret Storage • Dynamic Secrets (Secret

    as a Service) • Data Encryption • Leasing and Renewal (Key Rotation) • Revocation • Audit Control • Integration with a wide variety of Databases and Tools • …...

  5. Secure secret storage • Basic Credentials • Tokens, TOTP •

    PKI Certificate Management (It’s easy to be your own certificate authority) • LDAP • SSH Keys

  6. Dynamic secrets • No need to write down, store, or

    share passwords • Enables very short lived passwords, less exposure if compromised • For distributed applications, every instance gets unique credentials • Constantly changing and expiring usernames/passwords are much harder to brute force • Automatic password rotation/expiration

  7. Vault http api/cli

  8. Vault storage backend • Azure • CockroachDB • Consul •

    DynamoDB • Etcd • Filesystem • FoundationDB • Google Cloud Storage • In-Memory • Manta • MySQL • PostgreSQL • Cassandra • S3 • Swift • Zookeeper

  9. Vault authentication

  10. Vault authentication

  11. Vault authorization

  12. Vault authorization

  13. Vault secrets

  14. Vault agent

  15. Demo vaults com kubernetes - Minikube - Helm - Vault:

    Hashicorp - Storage: mariadb

  16. Demo vaults com kubernetes - Kubernetes: minikube start - Service

    Account: kubectl apply -f app-vault/vault-auth-sa - Config: kubectl create configmap example-vault-agent-config --from-file=./configs-k8s/ - Vault policies & secrets: bash setup-k8s-auth.sh - Deploy app: kubectl apply -f pod-example.yml --record - Test application: curl http://localhost:8080 - Validate secret: vault kv get secret/myapp/config

  17. Demo Github: https://github.com/krol3/k8s-vaults/tree/master/hashicorp Video: https://www.youtube.com/watch?v=9HshlpJM5ho

  18. resources - https://medium.com/@maxy_ermayank/credential-store-using- hashicorp-vault-7d2fdeed08f2 - https://github.com/hashicorp/vault-guides/tree/master/ide ntity/vault-agent-k8s-demo - https://www.youtube.com/watch?v=B16YTeSs1hI&t=1707s -

  19. Linkedin: Carol Valencia Github: krol3 Email: [email protected]