Protecting Your Crown Jewels with External Secrets Operator

The presentation discusses the challenges of managing secrets in a complex IT environment and introduces the Kubernetes External Secrets Operator as a solution.

• Secrets are essential in IT environments and need to be managed securely
• Managing secrets is a complex task that requires centralization, lifecycle management, access control, integration, and tooling
• The Kubernetes External Secrets Operator is a solution that automates the process of fetching secrets from external providers and storing them as Kubernetes secrets
• The operator uses custom resources such as Secret Store and External Secret to abstract the details of the provider and the secret
• The operator is a community-driven project that has joined the CNCF as a Sandbox project

The presenter shares a story about how different projects were doing the same thing of fetching secrets from providers and storing them as Kubernetes secrets, but they were not popular and had few contributors. The Kubernetes External Secrets Operator was born out of the idea of gathering all these projects together to build one solution that does it well and to build a community out of it.

Secrets management is a difficult challenge: How do you create, rotate and manage access? And how would you even do that at scale? With External Secrets Operator you can leverage existing solutions like HashiCorp Vault or AWS Secrets Manager that manage secrets for you and integrate them with Kubernetes. Moritz and Lucas want to share their insights on how secrets management is done right in a highly regulated environment to hit the sweet spot between developer productivity and information security concerns. In this session, attendees will learn how to manage secrets in a GitOps way for self-sufficient teams to make developers, auditors and product managers happy, going over a few threat models, and showing what should be a target for concern, and should not. External Secrets Operator is a community endeavor that emerged from different open source projects that all tried to solve one problem: pull secrets from a secret management API into Kubernetes. We joined our efforts in 2020 to find a common denominator across projects to build the best solution to that problem and even go beyond that. Today, we've built a vendor-neutral community around the project and provide a consistent custom resource API across different cloud vendors and secret management APIs.