london hug 19/5 - kubernetes and vault
TRANSCRIPT
What is Kubernetes
Kubernetes is an open-source system for automating deployment, operations, and
scaling of containerized applications.
Pods: Groups of containers - Share IP and FS
Replica Sets: Controls Number of pods
Services: Access to Pods
Why Vault?
● How do applications get secrets?
● How do operators and developers get secrets?
● How do secrets get renewed? Updated? Expired? Revoked?
● How do we block access to secrets?
Vault provides
● Single source for secrets
● Access via API
● Access via CLI
● Leasing, renewal and revocation
● Auditing
● ACLs
● Multiple client authentication methods
● Secure secret storage
Vault Concepts
● Auth backends
  ○ Tokens
  ○ LDAP
  ○ AppId
  ○ GitHub
● Secret backends
  ○ PKI
  ○ AWS
  ○ Postgres
  ○ SSH
  ○ ...
MongoDB Example
● RC with 2 containers
  ○ MongoDB container: vanilla mongo with AUTH and SSL flags
  ○ Vault-sidekick container: in charge of fetching/renewing SSL certs
1. A container runs your application
2. A container fetches your secrets from Vault.
Application - POD
This is what you should do
1. Create a policy for your app
2. Create a Kubernetes namespace for your app
3. Create a Kubernetes secret with your Vault token
4. Add your secrets to Vault
5. Pod starts
  a. Secrets are mounted
  b. Pod reads the Vault token
  c. Pod accesses Vault to get its secrets
  d. Pod is ready
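Steps 2, 3 and 5 of the list above as Kubernetes objects for the MongoDB example, written as an added illustration rather than taken from the talk or from the vault-sidekick project: a namespace, a Secret holding the app's Vault token, and an RC whose sidekick container fetches the SSL cert from Vault's PKI backend into a shared emptyDir that the mongo container reads. Image names, mount paths, the Vault address and the sidekick arguments are assumptions; the token is a placeholder (steps 1 and 4, the Vault policy and the secrets themselves, are done with the vault CLI and are not shown).

```yaml
# Added example; image names, paths and sidekick args are assumed, not the project's.
apiVersion: v1
kind: Namespace
metadata:
  name: mongo-app
---
apiVersion: v1
kind: Secret
metadata:
  name: vault-token
  namespace: mongo-app
type: Opaque
stringData:
  token: "<VAULT_TOKEN_SCOPED_BY_THE_APP_POLICY>"   # placeholder, never a root token
---
apiVersion: v1
kind: ReplicationController
metadata:
  name: mongo
  namespace: mongo-app
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: mongo
    spec:
      volumes:
      - name: vault-token
        secret:
          secretName: vault-token      # step 5a: the token secret is mounted
      - name: certs
        emptyDir: {}                   # shared between the two containers
      containers:
      - name: vault-sidekick           # steps 5b/5c: reads the token, pulls and renews the cert
        image: example.org/vault-sidekick:placeholder   # assumed image
        args: ["<assumed args: vault address, pki path, common name, output /etc/certs/mongo.pem>"]
        volumeMounts:
        - {name: vault-token, mountPath: /var/run/secrets/vault, readOnly: true}
        - {name: certs, mountPath: /etc/certs}
      - name: mongodb                  # vanilla mongo with the AUTH and SSL flags from the slide
        image: mongo:3.2
        args: ["--auth", "--sslMode", "requireSSL", "--sslPEMKeyFile", "/etc/certs/mongo.pem"]
        volumeMounts:
        - {name: certs, mountPath: /etc/certs, readOnly: true}
```

The mongo container only sees the certificate, never the Vault token, and mongod will crash-loop until the sidekick has written the PEM file, so the RC's restart policy is what covers the startup ordering.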
THEORY
Lessons Learned
● Vault is young… not ready for full automation
● Deploys
  ○ Separating secrets and apps is great
  ○ Make sure your process contemplates Vault
● Backends: Consul, DynamoDB, etcd, S3...
  ○ What happens if you lose Vault?
  ○ Latency/partitions
● Managing SSL is great but…
  ○ Be careful with root CAs