
Vault in Kubernetes

Carol
May 26, 2019


Exploring HashiCorp's secrets vault tool integrated with Kubernetes.


Transcript

  1. Topics
     - Challenges
     - Introduction to Vault
     - Vault in practice
     - Application in Kubernetes using Vault

  2. Challenges
     - Credentials stored and transmitted in plaintext
     - Credentials almost never get renewed once issued, or are only renewed manually
     - No PKI certificate management
     - API keys are generated by hand and never renewed
     - No SSH key storage
     - Lack of automation for secrets deployment
     - ...

  3. Vault features
     - Secure Secret Storage
     - Dynamic Secrets (Secrets as a Service)
     - Data Encryption
     - Leasing and Renewal (Key Rotation)
     - Revocation
     - Audit Control
     - Integration with a wide variety of databases and tools
     - ...

  4. Secure secret storage
     - Basic credentials
     - Tokens, TOTP
     - PKI certificate management (it's easy to be your own certificate authority)
     - LDAP
     - SSH keys

  5. Dynamic secrets
     - No need to write down, store, or share passwords
     - Enables very short-lived passwords: less exposure if compromised
     - For distributed applications, every instance gets unique credentials
     - Constantly changing and expiring usernames/passwords are much harder to brute force
     - Automatic password rotation/expiration

  6. Vault storage backends
     - Azure, CockroachDB, Consul, DynamoDB, Etcd, Filesystem, FoundationDB, Google Cloud Storage, In-Memory, Manta, MySQL, PostgreSQL, Cassandra, S3, Swift, Zookeeper

  7. Demo: Vault with Kubernetes
     - Kubernetes: minikube start
     - Service account: kubectl apply -f app-vault/vault-auth-sa
     - Config: kubectl create configmap example-vault-agent-config --from-file=./configs-k8s/
     - Vault policies & secrets: bash setup-k8s-auth.sh
     - Deploy app: kubectl apply -f pod-example.yml --record
     - Test application: curl http://localhost:8080
     - Validate secret: vault kv get secret/myapp/config
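The demo ends with the pod reading `secret/myapp/config`, but the slides do not show the exchange the application performs to get there. The following is an added example, not code from the deck or from the demo repository: it walks through the two Vault API calls a pod makes under the Kubernetes auth method (present the service account JWT to `auth/kubernetes/login`, receive a client token with a lease, then read the secret with that token). It assumes the auth method is mounted at `auth/kubernetes`, that a Vault role named `myapp` is bound to the pod's service account, and that `secret/` is a KV v2 engine, so the CLI path `secret/myapp/config` maps to the API path `secret/data/myapp/config`. The role name, the stand-in server, the JWT string and the secret contents are all constructed for the example.

```python
# Added example (not from the deck): the login-then-read exchange an app pod
# performs against Vault's Kubernetes auth method and a KV v2 secrets engine.
# Assumptions: auth method at auth/kubernetes, a role "myapp" bound to the
# pod's service account, and KV v2 mounted at secret/ (so the demo's
# secret/myapp/config is read via secret/data/myapp/config).
import json
import urllib.request

# Path where Kubernetes mounts the pod's service account JWT.
SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"


class VaultError(Exception):
    pass


class VaultClient:
    """Minimal Vault HTTP API client using only the standard library."""

    def __init__(self, addr, transport=None):
        self.addr = addr.rstrip("/")
        self.token = None
        # transport(method, url, headers, body) -> (status, json_dict);
        # injectable so the flow can be exercised without a live server.
        self._transport = transport or self._http_transport

    @staticmethod
    def _http_transport(method, url, headers, body):
        req = urllib.request.Request(url, data=body, method=method, headers=headers)
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")

    def _request(self, method, path, payload=None):
        headers = {"Content-Type": "application/json"}
        if self.token:
            headers["X-Vault-Token"] = self.token  # Vault's token header
        body = json.dumps(payload).encode() if payload is not None else None
        status, data = self._transport(method, f"{self.addr}/v1{path}", headers, body)
        if status >= 400:
            raise VaultError(f"{method} {path} -> {status}: {data.get('errors')}")
        return data

    def login_kubernetes(self, role, jwt, mount="kubernetes"):
        """POST auth/<mount>/login with the SA JWT. Vault validates the JWT
        against the Kubernetes TokenReview API and returns a client token
        plus its lease information (duration, renewable)."""
        data = self._request("POST", f"/auth/{mount}/login", {"role": role, "jwt": jwt})
        self.token = data["auth"]["client_token"]
        return data["auth"]

    def read_kv2(self, path, mount="secret"):
        """GET <mount>/data/<path>; KV v2 nests the key/values under data.data."""
        return self._request("GET", f"/{mount}/data/{path}")["data"]["data"]


def read_sa_jwt(path=SA_TOKEN_PATH):
    with open(path, encoding="utf-8") as f:
        return f.read().strip()


def fetch_app_config(jwt, addr="http://vault:8200", transport=None, role="myapp"):
    """What the demo app does at startup: log in, then read its config secret."""
    client = VaultClient(addr, transport)
    auth = client.login_kubernetes(role, jwt)
    secret = client.read_kv2("myapp/config")
    return {"lease_duration": auth["lease_duration"],
            "renewable": auth["renewable"], "secret": secret}


# --- Constructed stand-in for the Vault server side of the exchange --------
FAKE_SA_JWT = "eyJ.constructed-service-account-jwt.sig"  # placeholder, not a real JWT
FAKE_CLIENT_TOKEN = "hvs.constructed-client-token"       # placeholder token


def fake_vault_transport(method, url, headers, body):
    """Accepts only role 'myapp' with the expected JWT and serves one KV v2
    secret to the token it issued; response shapes mirror the real API."""
    path = url.split("/v1", 1)[1]
    if method == "POST" and path == "/auth/kubernetes/login":
        req = json.loads(body)
        if req.get("role") != "myapp" or req.get("jwt") != FAKE_SA_JWT:
            return 403, {"errors": ["permission denied"]}
        return 200, {"auth": {"client_token": FAKE_CLIENT_TOKEN,
                              "policies": ["default", "myapp"],
                              "lease_duration": 3600, "renewable": True}}
    if method == "GET" and path == "/secret/data/myapp/config":
        if headers.get("X-Vault-Token") != FAKE_CLIENT_TOKEN:
            return 403, {"errors": ["permission denied"]}
        return 200, {"data": {"data": {"username": "appuser",
                                       "password": "constructed-example"},
                              "metadata": {"version": 1}}}
    return 404, {"errors": []}


if __name__ == "__main__":
    # In a real pod: fetch_app_config(read_sa_jwt(), addr=VAULT_ADDR).
    print(fetch_app_config(FAKE_SA_JWT, transport=fake_vault_transport))
```

Two points worth noticing in the exchange: the pod never holds a long-lived Vault credential, only the Kubernetes-issued service account JWT and the short-lived client token Vault hands back (whose `lease_duration` is what the "Leasing and Renewal" slide refers to); and a request without `X-Vault-Token`, or with a token that was not issued for this role, is refused with 403, which is the behaviour the policies written by `setup-k8s-auth.sh` are there to enforce.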