Can Kubernetes Keep a Secret?

Editor's Notes

• #2: Hey, good morning everyone My name is Omer I want to start this talk by showing gratitude First, to all the people who worked hard on organizing this conf and all the people who are working today so we all could enjoy it - thank you Second, I want to thank the organizers who choose me to speak here, so thank you. It is a big honor <pause> Can kubernetes keep a secret? <pause> Why? Raise you’re hand if you ever worked on a project and you had to deal with credentials: API Key, client secret, certificates etc 
• #3: What you need to do is pass these credentials securely to the platform running your code, so the app in production can use it. Different platforms have different solutions to the problem (sometime good, sometime bad). This talk will focus on Kubernetes – how we can tell a secret to Kubernetes, and make sure only Kubernetes will know it? But first – let me introduce myself quickly, so you could understand what are my credentials and where I’m coming from.
• #4: I’m a builder, this is what I love doing and doing it from a really early age Doing it professionally for the last 8 years I’m from Israel, married etc Who else is a builder? This talk is for you!
• #5: Today I’m working at Soluto, our missing is to help people with their technology My job is DevSecOps, or as I see it - helping the entire team to build a more secure software I’m achieving it via many approaches, including education, reviewing and threat modeling – but what I love the most is threat modeling
• #6: Big part of my work is OWASP, I’m enthusiast and familiar to many project. I contributed code to projects, mainly Zap and Glue and I’m a paid memember and project leader of Glue. Glue is a tool that helps to integrate security tools into the CI/CD pipeline – I will not have time to dive into the tool, but come talk with me later about it – I have stickers 
• #7: What you need to do is pass these credentials securely to the platform running your code, so the app in production can use it. Different platforms have different solutions to the problem (sometime good, sometime bad). This talk will focus on Kubernetes – how we can tell a secret to Kubernetes, and make sure only Kubernetes will know it?
• #8: Explain why it is a challenge – you cant expect one person to manage all secrets Why not solved it manually
• #9: Explain why it is a challenge – you cant expect one person to manage all secrets Why not solved it manually
• #10: And that’s why we love GitOps: Git is a tool that all devs are familiar with.
• #13: And we started to look for solutions. It want not an easy path, and today I want to share with you the process we want through. So, let’s start we talking on what we want.
• #19: Choose one sentence
• #20: Security is what we all here love
• #23: Security features like encryption at rest
• #24: Encoding is not encrypting Adding native approach
• #27: Add meme
• #32: Add slide with links
• #34: Laugh at my bad english
• #35: Example of 3 items/JSON representatiom
• #38: Security is what we all here love
• #41: Add the user here
• #43: Add the user here
• #45: Valut policies, policy assignment etc
• #46: Security is what we all here love
• #52: Make it more visual
• #53: Security is what we all here love
• #54: Battle tested
• #55: Add attributation
• #56: Add headlines – encryptor & decryptor
• #64: We really love Kamus, we’re been using it in production for the past 6 months
• #67: End of journey meme/image
• #68: Today I discussed 3 different solutions for secret management on Kubenretes. All are good solutions, depend on your requirments.
• #71: I started the talk by asking “Can Kubernetes keep a secret?” Now you that yes – Kubernetes can. You just need to use the right tool for you’re use case.
• #72: For us, it was Kamus What Kamus can do for you?