24 June

Secrets Management at Scale with Vault & Rancher

Bastian Hofman, Senior Field Engineer, SUSE, [email protected]
Kapil Arora, Senior Solution Engineer, HashiCorp, [email protected]
Robert de Bock, Senior DevOps Engineer, Adfinis, [email protected]
Containers are great!

One self-contained, portable package for your application

Containers are great……..but

Managing a couple – no problem

How about managing many? How do we address networking, security, scheduling, automation, etc.?
Why Kubernetes?

Common compute platform across any infrastructure (cloud, 5G / edge, data center, dev branch) & a consistent set of infrastructure capabilities:

✔ Common API & Packaging
✔ Health Checks/HA
✔ Load Balancing
✔ Overlay Networking
✔ Network Security Policies
✔ Backup and Recovery
✔ Autoscaling
✔ Service Discovery
✔ Networking
✔ RBAC & Access Control
Kubernetes architecture
● Control plane: manages the cluster and exposes an API for control (API / CLI).
● Etcd: a key value store used as Kubernetes’ backing store for all cluster data.
● Worker: runs workloads and all of the supporting components.
Setting up Kubernetes is hard

You don’t compile Linux from scratch, you use a distribution

Rancher Kubernetes Engine
• 100% Upstream Kubernetes
• CNCF certified
• Easy installation
• Zero-downtime upgrades
• Backup & Disaster Recovery
• Air gapped installation support
Kubernetes clusters are great……..but

Managing a couple – no problem

How about managing many?
• Different environments
• Different teams
• Different hardware
• Different locations
• Edge devices
SUSE Rancher - the industry’s only platform to manage all Kubernetes distributions

Applications 1 / Applications 2 / Applications 3

Platform Services (Build & Run): Rancher Catalog, Monitoring & Alerts, Dashboards & Observability, Service Mesh, Terraform Operator, Longhorn Storage

Security & Authentication: Centralized Audit Logging, Monitoring & CIS Benchmarking
Policy Enforcement & Governance: RBAC, OPA, Pod & Network Policies

Simplified Cluster Operations & Infrastructure Management (Run & Manage): K8s Version Management, GitOps Continuous Delivery, Cluster Templates & Config Enforcement, Node Pool Management, Cluster Provisioning & Lifecycle Management

Amazon EKS, Azure AKS, Google GKE

Datacenter, Cloud, Dev Branch, Edge

SUSE Linux Enterprise Product Family


Secret Management in Kubernetes
Secret Management Challenges

● Secrets sprawl
● Secrets rotation
● X.509 certificates, SSH and Cloud access
● Encryption
● Multi-platform and multi-cloud
● Central control and management
● Auditing
● Compliance & Hardware Security Module (HSM) integration
● Costs, scalability & productivity
HashiCorp Vault
Provides the foundation for cloud security that leverages trusted sources of identity to keep secrets and application data secure

● Secrets management to centrally store and protect secrets across clouds and applications
● Data encryption to keep application data secure across environments and workloads
● Advanced Data Protection to secure workloads and data across traditional systems, clouds, and infrastructure.

2T+ Transactions Weekly | 1M+ Monthly D/Ls | 475+ Enterprise Customers

Source: https://www.datadoghq.com/container-report/
Source: https://www.gartner.com/en/documents/3988410/critical-capabilities-for-privileged-access-management
Vault Workflow Overview / Vault Principles

Access: Web UI, CLI, API (HTTP REST / KMIP)

Identity (auth methods): AWS, Azure, GCP, AliCloud, Kubernetes, Cloud Foundry, AppRole, LDAP/AD, OIDC, JWT, GitHub, MFA/Radius, Okta

Policy / Governance: Which secrets can I get? Under what conditions?

Audit

Secrets engines (Dynamic Secrets and Static Secrets (Versioned)): Databases, Public Cloud, Consul / Nomad, X.509 Certs, RabbitMQ, SSH / Active Directory

Crypto as a Service: Encrypt / Decrypt, Format-preserving encryption, Sign / Verify, HMAC, Masking, Key Management via KMIP
Combining Vault and Rancher

Vault & Rancher - Why?
• Automation: both products have a strong API.
• The combination prevents vendor lock-in.
• With Rancher and K8s a secrets engine becomes important.

Deploy Vault on Rancher’s K8s clusters
$ helm repo add hashicorp https://helm.releases.hashicorp.com
"hashicorp" has been added to your repositories

$ helm install vault hashicorp/vault

Stolen from https://www.vaultproject.io/docs/platform/k8s/helm

Demo deploying Vault
If demo-gods are angry: https://youtu.be/k9lpsnXQv-I
Use Rancher’s K8s authentication for Vault
Vault typically uses an authentication provider, like Active Directory or GitHub.

K8s is also an authentication provider.

This makes Vault quite easy to integrate.

Let’s review https://www.vaultproject.io/docs/auth/kubernetes
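The slides describe the flow in two pieces: the Vault principles (identity, then policy, then the secret) and Kubernetes acting as the identity provider. The following added example, which is not part of the slides or of HashiCorp's own code, ties the two together: a pod-side client presents its service-account JWT to the real Vault endpoint `POST /v1/auth/kubernetes/login`, receives a client token, and reads the KV v2 path `internal/data/database/config` named in the Vault Agent annotation with `GET /v1/<path>` and the `X-Vault-Token` header. Because no Vault server is available offline, the example runs against an in-process mock (`MockVault`, `start_mock_vault`) that is an assumption standing in for Vault; it does not verify JWT signatures or call the Kubernetes TokenReview API as real Vault does. The role name `internal-app` comes from the slide annotation; the role-to-policy mapping, the service-account "JWT", and the secret values are constructed. The mock enforces the role's policy, so a read outside the allowed path is denied, which is the "Which secrets can I get?" check from the Vault Principles slide.

```python
"""Added example: Vault Kubernetes-auth login + KV v2 read, against a mock Vault."""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# --- constructed mock state (assumption: stands in for a real Vault server) ---
# Role "internal-app" (the role in the slide's annotation) is bound to one
# service account and grants one policy; the policy lists readable paths.
MOCK_ROLES = {"internal-app": {"bound_service_account": "internal-app",
                               "policies": ["internal-app"]}}
MOCK_POLICIES = {"internal-app": ["internal/data/database/config"]}
MOCK_SECRETS = {"internal/data/database/config":
                {"username": "db-readonly", "password": "constructed-example"}}
# Constructed stand-in for a service-account JWT: real Vault validates a signed
# token via the Kubernetes TokenReview API; here only the "sub" claim is read.
CONSTRUCTED_SA_JWT = json.dumps({"sub": "system:serviceaccount:app:internal-app"})
_issued_tokens = {}  # client token -> policies (the mock's token store)


class MockVault(BaseHTTPRequestHandler):
    """Mocks the two Vault endpoints the client needs."""

    def _send(self, code, body):
        data = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_POST(self):
        # Identity step: map the service account in the JWT to a Vault role.
        if self.path != "/v1/auth/kubernetes/login":
            return self._send(404, {"errors": ["unsupported path"]})
        body = json.loads(self.rfile.read(int(self.headers["Content-Length"])))
        role = MOCK_ROLES.get(body.get("role"))
        sa = json.loads(body.get("jwt", "{}")).get("sub", "").rsplit(":", 1)[-1]
        if role is None or role["bound_service_account"] != sa:
            return self._send(403, {"errors": ["permission denied"]})
        token = f"hvs.constructed-{len(_issued_tokens)}"
        _issued_tokens[token] = role["policies"]
        self._send(200, {"auth": {"client_token": token, "policies": role["policies"]}})

    def do_GET(self):
        # Policy step: the token's policies decide which paths may be read.
        policies = _issued_tokens.get(self.headers.get("X-Vault-Token"))
        path = self.path[len("/v1/"):]
        if policies is None:
            return self._send(403, {"errors": ["permission denied"]})
        allowed = any(path in MOCK_POLICIES[p] for p in policies)
        if not allowed or path not in MOCK_SECRETS:
            return self._send(403, {"errors": ["permission denied"]})
        # KV v2 returns the key/value pairs under data.data
        self._send(200, {"data": {"data": MOCK_SECRETS[path], "metadata": {"version": 1}}})

    def log_message(self, *args):  # silence request logging
        pass


def start_mock_vault():
    """Start the mock on an ephemeral port; returns (server, base URL)."""
    server = HTTPServer(("127.0.0.1", 0), MockVault)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


# --- client side: what a pod (or the Vault Agent on its behalf) does ---------
def kubernetes_login(vault_addr, role, sa_jwt):
    """POST the service-account JWT to auth/kubernetes/login; returns a client token."""
    req = Request(f"{vault_addr}/v1/auth/kubernetes/login",
                  data=json.dumps({"role": role, "jwt": sa_jwt}).encode(),
                  headers={"Content-Type": "application/json"})
    with urlopen(req) as resp:
        return json.load(resp)["auth"]["client_token"]


def read_kv_secret(vault_addr, token, path):
    """GET a KV v2 secret; returns its key/value dict, or None when policy denies it."""
    req = Request(f"{vault_addr}/v1/{path}", headers={"X-Vault-Token": token})
    try:
        with urlopen(req) as resp:
            return json.load(resp)["data"]["data"]
    except HTTPError as err:
        if err.code == 403:
            return None
        raise


def demo():
    """Login as the pod, read the allowed path, then attempt a path outside the policy."""
    server, addr = start_mock_vault()
    try:
        token = kubernetes_login(addr, "internal-app", CONSTRUCTED_SA_JWT)
        allowed = read_kv_secret(addr, token, "internal/data/database/config")
        denied = read_kv_secret(addr, token, "internal/data/payments/config")
        return allowed, denied
    finally:
        server.shutdown()


if __name__ == "__main__":
    print(demo())
```

In a real pod the JWT is read from the projected service-account token file rather than constructed, and the login is usually done for the application by the Vault Agent sidecar or the CSI driver described in the next slides; the policy check the mock performs is what makes the annotation's `role` the unit of least privilege.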


Use Secrets in Rancher Kubernetes Containers
Multiple Methods
Vault Agent
spec:
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "internal-app"
        vault.hashicorp.com/agent-inject-secret-database-config.txt: "internal/data/database/config"

https://learn.hashicorp.com/tutorials/vault/kubernetes-sidecar
Vault CSI (Container Storage Interface)
A Vault secret shows as a file in a mount.

https://www.vaultproject.io/docs/platform/k8s/csi
Vault & Kubernetes Summary
● Vault can be installed on Kubernetes using a Helm Chart
● Vault supports Kubernetes authentication. Applications can use a K8S Service Account to authenticate and fetch secrets
● Vault can leverage the Kubernetes mutating admission webhook to intercept pods that define specific annotations and inject a Vault Agent container to manage these secrets
● Mount Vault secrets as a volume using the secrets store CSI driver
Conclusion
• Vault is a logical component in Rancher’s K8s clusters.
• It’s easy to install Vault in K8s.
• There are sufficient methods to consume secrets.
Resources
• SUSE Rancher
  • https://www.suse.com/de-de/products/suse-rancher/
  • https://rancher.com/docs/rancher/v2.5/en/
• HashiCorp Vault
  • https://www.vaultproject.io/docs/platform/k8s
  • https://learn.hashicorp.com/collections/vault/kubernetes
Q&A
Thank You
[email protected]
www.hashicorp.com
www.adfinis.com
www.suse.com