A Confidential Story of Well-Kept Secrets

2023-04-19

Authors: Lukonde Mwila


Summary

The presentation discusses the importance of secure secret strategies in Kubernetes and highlights the vulnerabilities around the storage, sharing, and consumption of secrets in Kubernetes.
  • The best-kept secrets are the ones we've never heard of or told others about
  • A secure secret strategy in Kubernetes depends on addressing questions such as where the secret is kept, who needs to know about it, how it gets shared, and how to prevent it from being easily interpreted
  • The vulnerabilities around the storage, sharing, and consumption of secrets in Kubernetes are well known and more likely to be exploited
  • The presentation shares a real-world project's Kubernetes secret strategy in relation to these questions and how to develop a framework for a secure secret lifecycle in Kubernetes environments
  • The presentation includes a demo using ESO, ArgoCD, and OPA Gatekeeper

The presenter shares an anecdote about being part of a team responsible for migrating a microservice-based project into the Kubernetes environment. They needed to find a way of storing sensitive database credentials and came across the concept of secrets in Kubernetes. However, they soon found out that secrets are not encrypted by default, leading to vulnerabilities and risks. The team had to go back to the Panic Room and figure out the main risks and vulnerabilities of storing secrets in Kubernetes.
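The point the team ran into, that a Kubernetes Secret's values are merely encoded, and the kind of rule the talk's ESO plus Gatekeeper setup exists to enforce, can be seen with the following added example. It is not code from the talk or its demo: the manifests are constructed placeholders written as Python dicts, and the check stands in for an admission policy by flagging any v1 Secret that carries its values inline instead of being sourced through an ExternalSecret (the `external-secrets.io/v1beta1` API group is assumed here).

```python
import base64
from typing import Any, Dict, List

# Constructed sample manifests (Python dicts standing in for parsed YAML so
# the example runs offline). All values are made-up placeholders.
SAMPLE_MANIFESTS: List[Dict[str, Any]] = [
    {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
     "metadata": {"name": "db-creds", "namespace": "app"},
     "data": {"DB_PASSWORD": base64.b64encode(b"example-password").decode()}},
    {"apiVersion": "v1", "kind": "Secret",
     "metadata": {"name": "api-token", "namespace": "app"},
     "stringData": {"token": "example-token"}},
    {"apiVersion": "external-secrets.io/v1beta1", "kind": "ExternalSecret",
     "metadata": {"name": "db-creds", "namespace": "app"},
     "spec": {"secretStoreRef": {"name": "vault", "kind": "ClusterSecretStore"},
              "target": {"name": "db-creds"},
              "data": [{"secretKey": "DB_PASSWORD",
                        "remoteRef": {"key": "app/db", "property": "password"}}]}},
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "web", "namespace": "app"}, "spec": {}},
]


def decode_secret_data(secret: Dict[str, Any]) -> Dict[str, str]:
    """Recover the plaintext of a v1 Secret with no key at all: `data` is only
    base64 and `stringData` is literal text, so anyone who can read the
    manifest (or the object in etcd without encryption at rest) reads the value."""
    values = {k: base64.b64decode(v).decode() for k, v in secret.get("data", {}).items()}
    values.update(secret.get("stringData", {}))
    return values


def find_inline_secrets(manifests: List[Dict[str, Any]]) -> List[str]:
    """Flag v1 Secrets that carry values inline. An ExternalSecret passes: it
    only references a key in the external store, and ESO materialises the
    Secret in-cluster, so nothing sensitive sits in Git for ArgoCD to sync."""
    findings = []
    for m in manifests:
        if m.get("apiVersion") != "v1" or m.get("kind") != "Secret":
            continue
        meta = m.get("metadata", {})
        ref = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
        for key in decode_secret_data(m):
            findings.append(f"{ref}: key '{key}' stored inline (encoded, not encrypted)")
    return findings


if __name__ == "__main__":
    for finding in find_inline_secrets(SAMPLE_MANIFESTS):
        print(finding)
```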

Abstract

For generations, secrets have been kept, shared, and exposed. Most would agree that the best-kept secrets are the ones we've never heard of or told others about. The concepts that revolve around maintaining safe secrets are universal and stem from addressing these questions: "Where is the secret kept?", "Who needs to know about the secret?", "How does the secret get shared with the relevant parties?", and "How do you prevent the secret from being easily interpreted?" The answers can help you create a secure lifecycle for storing, sharing, and consuming secrets. In Kubernetes, a secure secret strategy depends on the answers to these same questions. Now more than ever, the vulnerabilities around the storage, sharing, and consumption of secrets in Kubernetes are well known, and as a result, more likely to be exploited. In this talk, Lukonde Mwila will share why addressing these questions can optimize managing sensitive data in Kubernetes. In addition, he'll highlight details of a Kubernetes secret strategy from a real-world project in relation to these questions. Lastly, he'll share how answers to these questions can be used to develop a framework for a secure secret lifecycle in Kubernetes environments with a demo using ESO, ArgoCD, and OPA Gatekeeper.
