Kuberetes Secret vs. Vault


General Recommendations
  1. Use kubernetes Secret if
    • Secrets does not change often and are used exclusively within kubernetes
    • Use secrets for things which are actually secret like API keys, credentials, etc
    • Use config map for not-secret configuration data
  2. Use Vault with K8S Authentication method if: 
    • secrets need to be used outside of kubernetes containers


Solution comparison chart

K8S Secret
Vault with K8S
Vault with K8S Auth method
Do we need to provision secret zero to our app/cluster in order to bootstrap trust?
Yes, database encryption key and tls certs need to be provisioned to setup the K8S cluster via other means
K8S Vault Controller need to be authenticated with Vault. 
Authentication need to be setup between Vault and K8S.
Is it cloud provider agnostic? 
Yes, but limited to app running in containers managed by K8S
Yes, but relies on Hashicorp Vault
Relies on Hashicorp Vault
Amount of effort to integrate into application
Little, K8S cluster need to be secured
Moderate, require Vault and Controllers
Little
Recommended scenarios
Good for containers orchestrated by Kubernetes. Secrets are not used anywhere else. Require other means to provision database encryption key
Good for secrets required to be shared across platforms. Integration with K8S is possible via open source projects.
Best for secrets required to be shared across platforms. Simple integration makes this the best way to manage secrets on K8S



Kubernetes Secret Management

Kubernetes secret management 
  • K8S Secret 
  • H Vault integration using open source projects 
  • H Vault integration using K8S Auth Method 

Secret management solutions

Kubernetes Secrets flow
  • Admin creates a secret via kubectl, that makes create secret request to the API Server
  • Secrets are written to database
  • Secrets are provisioned to the slave node that’s running the container
  • Secrets are mounted as volume or injected to the environment variable of the target container

Kubernetes secrets and some gotchas 
  • Secrets can be provisioned to a container or a namespace, containers under the namespace have access to the secrets under the same NS.
  • Secrets are written to a tempFS which are deleted on pod terminition. 
  • Secrets are size limited to 1Mb
  • Make sure all secrets are created before referencing in containers, otherwise the Pod will hang because container has trouble mounting secret volume
  • Only possible to mount one secret per directory. Mounting a secret will mask the content of the directory. 

Kubernetes Secrets summary
  • Secret auditing with Kubernetes Audit
  • Revocation and rotation can be done by deleting and recreating secrets 
  • Easy to use and tightly integrated to kubernetes

Comments

Post a Comment

Popular posts from this blog

AWS Auto AMI(Instance) backup across all region

Simple Easy to AWS auto AMI backup across all region or cross region using lambda (node js) Click Here For Code Getting Started These instructions will get you a copy of the project up and running on your local machine for development and testing purposes. See deployment for notes on how to deploy the project on a live system. Prerequisites What things you need to install the software AWS Lambda AWS Sdk Click Here For Code Installing A step by step series of examples that tell you how to get a development env running Make Policy Using File iam-policy.json Make Role Using File role-trust-policy.json Assign or attach policy to Role Create Two 2 New Lambda Function And Assign Role That you made Use Code From File for Lambda Functions 1. Create_AMI.js 2. Delete_AMI.js Running the tests Run Lambda Function And Check For Snap Shot and AMI Full Automation Using Cloud Watch Use Cloud Watch Event as Trigger To Make Full Automation of Backup System From ...
Read more

Digital-ocean-auto volume backup

For Code Click Here ...! https://github.com/harsh4870/Digital-ocean-auto-volume-backup Digital ocean auto volume backup shell script.Currently, it will keep 2 newest snapshots. If you want to config this, change the value. What does this script do ? Since DigitalOcean currently didn't provide auto backup for the volume. So, i created the script to call DigitalOcean API and creating volume's snapshot. After successfully created, it will delete the old snapshot. Currently, it will keep 2 newest snapshots. If you want to config this, change the value. Digital ocean API documentation :  https://developers.digitalocean.com/documentation/v2/#introduction Dependency ./jq library Download from :  https://stedolan.github.io/jq/ Linux : sudo apt-get install jq Script use : Config your parameter in snapshot.sh Set cronjob to execute snapshot.sh Parameter : DIGITALOCEAN_TOKEN VOLUME_ID VOLUME_NAME SNAPSHOT_NAME DATE List Down all volumes without jq ...
Read more

How to Set Up an Nginx Ingress with Cert-Manager on DigitalOcean Kubernetes

Introduction Kubernetes  Ingresses  allow you to flexibly route traffic from outside your Kubernetes cluster to Services inside of your cluster. This is accomplished using Ingress  Resources , which define rules for routing HTTP and HTTPS traffic to Kubernetes Services, and Ingress  Controllers , which implement the rules by load balancing traffic and routing it to the appropriate backend Services. Popular Ingress Controllers include  Nginx ,  Contour ,  HAProxy , and  Traefik . Ingresses provide a more efficient and flexible alternative to setting up multiple LoadBalancer services, each of which uses its own dedicated Load Balancer. In this guide, we'll set up the Kubernetes-maintained  Nginx Ingress Controller , and create some Ingress Resources to route traffic to several dummy backend services. Once we've set up the Ingress, we'll install  cert-manager  into our cluster to manage and provision TLS certificates for encrypti...
Read more