SlideShare a Scribd company logo

Your (container) secret's safe with me

Liz Rice, profile picture
Liz Rice

This document discusses secrets management in containers. It recommends that secrets be encrypted at rest and in transit, and only accessible to containers that need them with write-only access controls. Secrets should also have lifecycle management like rotation, revocation and audit logging as the risk of a leak increases over time. The document reviews secrets management in Docker, Kubernetes, DC/OS, Nomad and Aqua and notes that the best approach depends on the orchestrator and acceptable risk level.

Software
1 of 24
Downloaded 11 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
Copyright @ 2017 Aqua Security Software Ltd. All Rights Reserved. Your secret’s safe with me Liz Rice @LizRice | @AquaSecTeam
2 Secrets @LizRice | @AquaSecTeam
Desirable attributes for secrets management
4 Secrets @LizRice | @AquaSecTeam Secrets photo: Katie Tegtmeyer ■ Encrypted ■ At rest and in transit ■ Only decrypted in memory
5 Secrets @LizRice | @AquaSecTeam Secrets photo: James Case ■ Access control ■ Only accessible by containers that need them ■ And users ■ Write-only access
6 Secrets @LizRice | @AquaSecTeam Secrets photo: Irena Jackson ■ Life-cycle ■ Risk of leak increases over time ■ Rotation, revocation, audit logging
Passing secrets to containers
8 Bad places for secrets @LizRice | @AquaSecTeam ■ Source code ■ Dockerfiles / images
9 docker run -e VARNAME=secret ... Environment variables @LizRice | @AquaSecTeam
10 docker run -v /hostsecrets:/secrets ... Mounted volume @LizRice | @AquaSecTeam
Orchestrator support for secrets
12 Docker @LizRice | @AquaSecTeam ■ Secrets support built in for Docker Swarm services ■ Not standalone containers ■ Secret accessible when exposed to service ■ Mounted to a temporary fs (not env vars) ■ RBAC in Enterprise Edition ■ Rotation requires container restart
13 Docker @LizRice | @AquaSecTeam ■ Encrypted in Raft log ■ Lock your Swarm!! ■ Shared to Swarm managers ■ External secrets stores coming ■ Encrypted transmission with mutual authentication
14 Kubernetes secrets @LizRice | @AquaSecTeam ■ Secret configured in pod YAML ■ Mounted as a volume or configured as env var ■ Namespaced
15 Kubernetes secrets @LizRice | @AquaSecTeam ■ Stored in etcd ■ Make sure secrets are encrypted! ■ --experimental-encryption-provider-config on API Server
16 Kubernetes secrets @LizRice | @AquaSecTeam kind: EncryptionConfig apiVersion: v1 resources: - resources: - secrets providers: - aescbc: keys: - name: key1 secret: bXlWZXJ5U2VjcmV0RW5jcnlwdGlvbktleQo= - identity: {}
17 Secrets all the way down @LizRice | @AquaSecTeam ■ EncryptionConfig holds a secret key... xkcd.com/1416
18 Kubernetes secrets access @LizRice | @AquaSecTeam ■ RBAC can be turned on --authorization-mode=RBAC # This role binding allows "dave" to read secrets in the "development" namespace. kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: read-secrets namespace: development # This only grants permissions within the "development" namespace. subjects: - kind: User name: dave apiGroup: rbac.authorization.k8s.io roleRef: kind: ClusterRole name: secret-reader apiGroup: rbac.authorization.k8s.io
19 DC/OS @LizRice | @AquaSecTeam ■ Enterprise DC/OS ■ Plug-ins for Meson/Marathon ■ Encrypted in ZooKeeper ■ Env vars ■ Access control by service path ■ Restart service to update value
20 Nomad @LizRice | @AquaSecTeam ■ Integrated with Vault ■ Tasks get tokens so they can retrieve values from Vault ■ Poll for changed values ■ Access control
21 Aqua secrets @LizRice | @AquaSecTeam ■ Any orchestrator ■ Secret storage in 3rd party backend ■ Hashicorp Vault, Amazon KMS, Azure Key Vault, CyberArk Vault... ■ File system & env var support ■ Env vars injected into container process memory ■ Secret can be injected to a tempfs filesystem ■ Update secrets without restart of container ■ Auditing of secret usage ■ Limit access to designated containers ■ User access controls
Summary
23 Secrets @LizRice | @AquaSecTeam Secrets photo: Iain Merchant ■ Your best option depends on ■ Orchestrator ■ Acceptable level of risk
Copyright @ 2017 Aqua Security Software Ltd. All Rights Reserved. The Ultimate Guide to Secrets Management in Containers tiny.cc/secrets @LizRice | @AquaSecTeam

More Related Content

PDF
Your secret's safe with me
Liz Rice
 
PPTX
Container secrets talk from DevSecCon
Liz Rice
 
PDF
London HUG 19/5 - Kubernetes and vault
London HashiCorp User Group
 
PPTX
Hug #9 who's keeping your secrets
Cameron More
 
PPTX
London Hug 20/6 - Vault production
London HashiCorp User Group
 
PDF
London Hug 20/6 - Clustering RabbitMQ using Consul
London HashiCorp User Group
 
PDF
Kubernetes Security
inovex GmbH
 
PDF
Kubernetes security
Thomas Fricke
 
Your secret's safe with me
Liz Rice
 
Container secrets talk from DevSecCon
Liz Rice
 
London HUG 19/5 - Kubernetes and vault
London HashiCorp User Group
 
Hug #9 who's keeping your secrets
Cameron More
 
London Hug 20/6 - Vault production
London HashiCorp User Group
 
London Hug 20/6 - Clustering RabbitMQ using Consul
London HashiCorp User Group
 
Kubernetes Security
inovex GmbH
 
Kubernetes security
Thomas Fricke
 

What's hot (20)

PDF
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Michael Man
 
PDF
Kubernetes - security you need to know about it
Haydn Johnson
 
PDF
Zombies in Kubernetes
Thomas Fricke
 
PDF
Introduction to Kubernetes Security (Aqua & Weaveworks)
Weaveworks
 
PDF
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDays Riga
 
PDF
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...
Michael Man
 
PDF
Alex Dias: how to build a docker monitoring solution
Outlyer
 
PDF
CI / CD / CS - Continuous Security in Kubernetes
Sysdig
 
PDF
Container Security Deep Dive & Kubernetes
Aqua Security
 
PDF
Security threats with Kubernetes - Igor Khoroshchenko
Kuberton
 
PDF
Kubernetes - Security Journey
Jerry Jalava
 
PDF
BRISK_Network_Pentest_
BriskInfosec Solutions
 
PDF
Chris Rutter: Avoiding The Security Brick
Michael Man
 
ODP
OpenShift & SELinux with Dan Walsh @rhatdan
OpenShift Origin
 
PDF
How abusing the Docker API led to remote code execution same origin bypass an...
Aqua Security
 
PPTX
Bandit and Gosec - Security Linters
EricBrown328
 
PDF
JEE on DC/OS
Josef Adersberger
 
PPTX
Lessons Learned in Automating Compliance for Containers
All Things Open
 
PDF
What is Google Cloud Good For at DevFestInspire 2021
Robert John
 
PDF
Ryan Koop's Docker Chicago Meetup Demo March 12 2014
Cohesive Networks
 
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Michael Man
 
Kubernetes - security you need to know about it
Haydn Johnson
 
Zombies in Kubernetes
Thomas Fricke
 
Introduction to Kubernetes Security (Aqua & Weaveworks)
Weaveworks
 
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDays Riga
 
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...
Michael Man
 
Alex Dias: how to build a docker monitoring solution
Outlyer
 
CI / CD / CS - Continuous Security in Kubernetes
Sysdig
 
Container Security Deep Dive & Kubernetes
Aqua Security
 
Security threats with Kubernetes - Igor Khoroshchenko
Kuberton
 
Kubernetes - Security Journey
Jerry Jalava
 
BRISK_Network_Pentest_
BriskInfosec Solutions
 
Chris Rutter: Avoiding The Security Brick
Michael Man
 
OpenShift & SELinux with Dan Walsh @rhatdan
OpenShift Origin
 
How abusing the Docker API led to remote code execution same origin bypass an...
Aqua Security
 
Bandit and Gosec - Security Linters
EricBrown328
 
JEE on DC/OS
Josef Adersberger
 
Lessons Learned in Automating Compliance for Containers
All Things Open
 
What is Google Cloud Good For at DevFestInspire 2021
Robert John
 
Ryan Koop's Docker Chicago Meetup Demo March 12 2014
Cohesive Networks
 
Ad

Similar to Your (container) secret's safe with me (20)

PDF
Your secret's safe with me
Aqua Security
 
PDF
DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...
Lacework
 
PPTX
Docker Seattle Meetup April 2015 - The Docker Orchestration Ecosystem on Azure
Patrick Chanezon
 
PDF
Docker Security: Are Your Containers Tightly Secured to the Ship?
Michael Boelen
 
PPTX
Docker New York Meetup May 2015 - The Docker Orchestration Ecosystem on Azure
Patrick Chanezon
 
PPTX
Containers: Give Me The Facts, Not The Hype - AppD Summit Europe
AppDynamics
 
PDF
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
Lacework
 
PDF
Cloud Native TLV Meetup: Securing Containerized Applications Primer
Phil Estes
 
PPTX
Docker San Francisco Meetup April 2015 - The Docker Orchestration Ecosystem o...
Patrick Chanezon
 
PDF
It's 2018. Are My Containers Secure Yet!?
Phil Estes
 
PDF
DCSF19 Containers for Beginners
Docker, Inc.
 
PDF
Redis High availability and fault tolerance in a multitenant environment
Iccha Sethi
 
PDF
Redis in a Multi Tenant Environment–High Availability, Monitoring & Much More!
Redis Labs
 
PPTX
Docker for Web Developers: A Sneak Peek
msyukor
 
PPTX
Secure development on Kubernetes by Andreas Falk
SBA Research
 
PPTX
Devoxx France 2015 - The Docker Orchestration Ecosystem on Azure
Patrick Chanezon
 
PDF
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
Alessandro Arrichiello
 
PDF
Rootless Containers & Unresolved issues
Akihiro Suda
 
PPTX
Docker Security
antitree
 
PPTX
Container Monitoring with Sysdig
Sreenivas Makam
 
Your secret's safe with me
Aqua Security
 
DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...
Lacework
 
Docker Seattle Meetup April 2015 - The Docker Orchestration Ecosystem on Azure
Patrick Chanezon
 
Docker Security: Are Your Containers Tightly Secured to the Ship?
Michael Boelen
 
Docker New York Meetup May 2015 - The Docker Orchestration Ecosystem on Azure
Patrick Chanezon
 
Containers: Give Me The Facts, Not The Hype - AppD Summit Europe
AppDynamics
 
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
Lacework
 
Cloud Native TLV Meetup: Securing Containerized Applications Primer
Phil Estes
 
Docker San Francisco Meetup April 2015 - The Docker Orchestration Ecosystem o...
Patrick Chanezon
 
It's 2018. Are My Containers Secure Yet!?
Phil Estes
 
DCSF19 Containers for Beginners
Docker, Inc.
 
Redis High availability and fault tolerance in a multitenant environment
Iccha Sethi
 
Redis in a Multi Tenant Environment–High Availability, Monitoring & Much More!
Redis Labs
 
Docker for Web Developers: A Sneak Peek
msyukor
 
Secure development on Kubernetes by Andreas Falk
SBA Research
 
Devoxx France 2015 - The Docker Orchestration Ecosystem on Azure
Patrick Chanezon
 
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
Alessandro Arrichiello
 
Rootless Containers & Unresolved issues
Akihiro Suda
 
Docker Security
antitree
 
Container Monitoring with Sysdig
Sreenivas Makam
 
Ad

More from Liz Rice (7)

PDF
The maths behind microscaling
Liz Rice
 
PPTX
Game of Hosts - Containers, VMs and Microscaling
Liz Rice
 
PPTX
How to build a personalized interface for VOD
Liz Rice
 
PPTX
Tank Top TV - Netflix viewing data
Liz Rice
 
PPTX
Killing the TV time grid
Liz Rice
 
PPTX
Cadbury
Liz Rice
 
PPTX
Beatz
Liz Rice
 
The maths behind microscaling
Liz Rice
 
Game of Hosts - Containers, VMs and Microscaling
Liz Rice
 
How to build a personalized interface for VOD
Liz Rice
 
Tank Top TV - Netflix viewing data
Liz Rice
 
Killing the TV time grid
Liz Rice
 
Cadbury
Liz Rice
 
Beatz
Liz Rice
 

Recently uploaded (20)

PDF
medical staffing services at VALiNTRY
Tiyan Grayson
 
PPTX
Monitoring Stack: Grafana, Loki & Promtail
GhanshyamSwami3
 
PDF
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
PPTX
Log360_SIEM_Solutions Overview PPT_Feb 2020.pptx
nonameist3434
 
PDF
wealthsignaloriginal-com-DS-text-... (1).pdf
skmiani786
 
PDF
Tally Prime Crack Download New Version 5.1 [2025] (License Key Free
itskinga12
 
PDF
Salesforce Agentforce AI Implementation.pdf
Robert Mark
 
PPTX
AMADEUS TRAVEL AGENT SOFTWARE | AMADEUS TICKETING SYSTEM
philipnathen82
 
PDF
Design an Analysis of Algorithms I-SECS-1021-03
DilanEscobar1
 
PDF
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
PPTX
Oracle Fusion HCM Cloud Demo for Beginners
DharanOracleerp
 
PPTX
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
PPTX
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
mhxyzzp
 
PDF
iTop VPN Free 5.6.0.5262 Crack latest version 2025
itskinga12
 
PDF
CCleaner Pro 6.38.11537 Crack Final Latest Version 2025
itskinga12
 
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
PDF
How to Choose the Right IT Partner for Your Business in Malaysia
Asian Business Services & Technologies
 
PDF
Designing Intelligence for the Shop Floor.pdf
nikglvk
 
PDF
How to Make Money in the Metaverse_ Top Strategies for Beginners.pdf
Herond Labs
 
PDF
Design an Analysis of Algorithms II-SECS-1021-03
DilanEscobar1
 
medical staffing services at VALiNTRY
Tiyan Grayson
 
Monitoring Stack: Grafana, Loki & Promtail
GhanshyamSwami3
 
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
Log360_SIEM_Solutions Overview PPT_Feb 2020.pptx
nonameist3434
 
wealthsignaloriginal-com-DS-text-... (1).pdf
skmiani786
 
Tally Prime Crack Download New Version 5.1 [2025] (License Key Free
itskinga12
 
Salesforce Agentforce AI Implementation.pdf
Robert Mark
 
AMADEUS TRAVEL AGENT SOFTWARE | AMADEUS TICKETING SYSTEM
philipnathen82
 
Design an Analysis of Algorithms I-SECS-1021-03
DilanEscobar1
 
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
Oracle Fusion HCM Cloud Demo for Beginners
DharanOracleerp
 
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
mhxyzzp
 
iTop VPN Free 5.6.0.5262 Crack latest version 2025
itskinga12
 
CCleaner Pro 6.38.11537 Crack Final Latest Version 2025
itskinga12
 
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
How to Choose the Right IT Partner for Your Business in Malaysia
Asian Business Services & Technologies
 
Designing Intelligence for the Shop Floor.pdf
nikglvk
 
How to Make Money in the Metaverse_ Top Strategies for Beginners.pdf
Herond Labs
 
Design an Analysis of Algorithms II-SECS-1021-03
DilanEscobar1
 

Your (container) secret's safe with me

  • 1. Copyright @ 2017 Aqua Security Software Ltd. All Rights Reserved. Your secret’s safe with me Liz Rice @LizRice | @AquaSecTeam
  • 3. Desirable attributes for secrets management
  • 4. 4 Secrets @LizRice | @AquaSecTeam Secrets photo: Katie Tegtmeyer ■ Encrypted ■ At rest and in transit ■ Only decrypted in memory
  • 5. 5 Secrets @LizRice | @AquaSecTeam Secrets photo: James Case ■ Access control ■ Only accessible by containers that need them ■ And users ■ Write-only access
  • 6. 6 Secrets @LizRice | @AquaSecTeam Secrets photo: Irena Jackson ■ Life-cycle ■ Risk of leak increases over time ■ Rotation, revocation, audit logging
  • 7. Passing secrets to containers
  • 8. 8 Bad places for secrets @LizRice | @AquaSecTeam ■ Source code ■ Dockerfiles / images
  • 9. 9 docker run -e VARNAME=secret ... Environment variables @LizRice | @AquaSecTeam
  • 10. 10 docker run -v /hostsecrets:/secrets ... Mounted volume @LizRice | @AquaSecTeam
  • 12. 12 Docker @LizRice | @AquaSecTeam ■ Secrets support built in for Docker Swarm services ■ Not standalone containers ■ Secret accessible when exposed to service ■ Mounted to a temporary fs (not env vars) ■ RBAC in Enterprise Edition ■ Rotation requires container restart
  • 13. 13 Docker @LizRice | @AquaSecTeam ■ Encrypted in Raft log ■ Lock your Swarm!! ■ Shared to Swarm managers ■ External secrets stores coming ■ Encrypted transmission with mutual authentication
  • 14. 14 Kubernetes secrets @LizRice | @AquaSecTeam ■ Secret configured in pod YAML ■ Mounted as a volume or configured as env var ■ Namespaced
  • 15. 15 Kubernetes secrets @LizRice | @AquaSecTeam ■ Stored in etcd ■ Make sure secrets are encrypted! ■ --experimental-encryption-provider-config on API Server
  • 16. 16 Kubernetes secrets @LizRice | @AquaSecTeam kind: EncryptionConfig apiVersion: v1 resources: - resources: - secrets providers: - aescbc: keys: - name: key1 secret: bXlWZXJ5U2VjcmV0RW5jcnlwdGlvbktleQo= - identity: {}
  • 17. 17 Secrets all the way down @LizRice | @AquaSecTeam ■ EncryptionConfig holds a secret key... xkcd.com/1416
  • 18. 18 Kubernetes secrets access @LizRice | @AquaSecTeam ■ RBAC can be turned on --authorization-mode=RBAC # This role binding allows "dave" to read secrets in the "development" namespace. kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: read-secrets namespace: development # This only grants permissions within the "development" namespace. subjects: - kind: User name: dave apiGroup: rbac.authorization.k8s.io roleRef: kind: ClusterRole name: secret-reader apiGroup: rbac.authorization.k8s.io
  • 19. 19 DC/OS @LizRice | @AquaSecTeam ■ Enterprise DC/OS ■ Plug-ins for Meson/Marathon ■ Encrypted in ZooKeeper ■ Env vars ■ Access control by service path ■ Restart service to update value
  • 20. 20 Nomad @LizRice | @AquaSecTeam ■ Integrated with Vault ■ Tasks get tokens so they can retrieve values from Vault ■ Poll for changed values ■ Access control
  • 21. 21 Aqua secrets @LizRice | @AquaSecTeam ■ Any orchestrator ■ Secret storage in 3rd party backend ■ Hashicorp Vault, Amazon KMS, Azure Key Vault, CyberArk Vault... ■ File system & env var support ■ Env vars injected into container process memory ■ Secret can be injected to a tempfs filesystem ■ Update secrets without restart of container ■ Auditing of secret usage ■ Limit access to designated containers ■ User access controls
  • 23. 23 Secrets @LizRice | @AquaSecTeam Secrets photo: Iain Merchant ■ Your best option depends on ■ Orchestrator ■ Acceptable level of risk
  • 24. Copyright @ 2017 Aqua Security Software Ltd. All Rights Reserved. The Ultimate Guide to Secrets Management in Containers tiny.cc/secrets @LizRice | @AquaSecTeam