
Can You Keep a Secret? on Secret Management in Kubernetes

2023-04-21

Authors:   Gal Cohen, Liav Yona


Summary

The presentation discusses why secure secret management in Kubernetes matters and presents the Secrets Store CSI Driver as a more secure way to deliver secrets to workloads.
  • Secrets (passwords, access keys, certificates and private keys) are essential for applications to function, but must never be committed to a version control system
  • Kubernetes Secrets are the native representation of secrets in Kubernetes
  • By default, Kubernetes Secrets are stored unencrypted in etcd, the API server's backing store; the base64 encoding used in manifests is not encryption
  • The Secrets Store CSI Driver provides a more secure solution: secrets stay in an external store and are mounted into pods as files, without a Kubernetes Secret object
  • The driver integrates into application code with little change and supports least-privilege access, since each pod reaches the secret store through its own identity and is granted only the secrets it needs
  • Other approaches to managing secrets in Kubernetes include HashiCorp Vault, environment variables, and Mozilla SOPS
The presenters describe a service they recently deployed to a production cluster: it authenticated to MongoDB, and the MongoDB credentials were placed in a Kubernetes Secret, which is not the most secure option. The anecdote motivates the talk's focus on secure secret management in Kubernetes.

Abstract

Our applications today need to interface and communicate with many different services, and often authenticate to them. This means that just to function in a modern cloud native system, applications need to store and use sensitive data constantly, such as passwords, access keys, certificates and private keys, and these secrets have become a core part of the code we write. We learned a long time ago that we can't have hard-coded secrets, and that's where tools like Vault or practices like environment variables have come into play. When it comes to Kubernetes, most organizations use Kubernetes Secrets by default to protect their private keys and data. However, by design, and as the docs clearly state, these are stored unencrypted in the API server's underlying data store, etcd. Because we have learned the hard way that we need to protect our secrets at all costs, we will take a deep dive into the Secrets Store CSI Driver. We'll understand how it works under the hood, and, with multiple credential provider support, we'll demonstrate through code examples how the CSI Driver ensures robust security and least privilege access, and integrates seamlessly into code.
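Both the summary and the abstract describe the Secrets Store CSI Driver mounting secrets from an external store into a pod. The manifests below are an added example, not the talk's own code, using the driver's HashiCorp Vault provider and the MongoDB credential scenario from the summary. Everything named is an assumption: the driver and its Vault provider are installed, Vault is reachable at http://vault.vault:8200, Vault's Kubernetes auth method has a role `webapp` bound to ServiceAccount `webapp-sa` in namespace `prod`, and that role's policy grants only `read` on `secret/data/mongodb`, where a KV v2 secret holds the connection string under the key `uri`.

```yaml
# Added example (not from the talk). Assumes the Secrets Store CSI Driver
# and its Vault provider are installed, Vault at http://vault.vault:8200,
# and a Vault Kubernetes-auth role "webapp" bound to ServiceAccount
# webapp-sa/prod whose policy allows only read on secret/data/mongodb.
---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: mongodb-creds
  namespace: prod
spec:
  provider: vault
  parameters:
    vaultAddress: "http://vault.vault:8200"
    roleName: "webapp"                    # Vault Kubernetes-auth role (assumed)
    objects: |
      - objectName: "mongodb-uri"         # file name created under mountPath
        secretPath: "secret/data/mongodb" # KV v2 path (assumed)
        secretKey: "uri"                  # key inside that secret (assumed)
---
apiVersion: v1
kind: Pod
metadata:
  name: webapp
  namespace: prod
spec:
  # The ServiceAccount is the identity the driver presents to Vault; a pod
  # running under a different ServiceAccount cannot mount this secret.
  serviceAccountName: webapp-sa
  containers:
    - name: webapp
      image: example.com/webapp:1.0       # placeholder image
      volumeMounts:
        - name: mongodb-creds
          mountPath: /mnt/secrets-store   # app reads /mnt/secrets-store/mongodb-uri
          readOnly: true
  volumes:
    - name: mongodb-creds
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: mongodb-creds
```

The application reads the connection string from `/mnt/secrets-store/mongodb-uri` at startup. No Kubernetes Secret object is created, so nothing is written to etcd; the value exists only in the external store and in the pod's mounted volume on the node. Least privilege comes from the binding chain: one ServiceAccount, one Vault role, one policy scoped to one path. The caveat practitioners should know: the driver can also sync mounted content into a Kubernetes Secret (the `secretObjects` field of a SecretProviderClass) so that it can be consumed as an environment variable, and that convenience puts the value back into etcd, so it should be used deliberately and only together with encryption at rest.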
