SlideShare a Scribd company logo

Container secrets talk from DevSecCon

Download as PPTX, PDF
Liz Rice, profile picture
Liz Rice

The document discusses best practices for managing secrets in containerized environments, emphasizing encryption, access control, and lifecycle management of secrets. It covers various orchestration platforms like Docker, Kubernetes, and Nomad, detailing their respective approaches to secret management, including built-in support and integration with external storage like HashiCorp Vault. Key recommendations include avoiding the exposure of secrets in source code and environment variables, ensuring secure configurations, and implementing role-based access control.

Software
1 of 29
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
Join the conversation #DevSecCon Your (container) secret’s safe with me Liz Rice, Aqua Security @lizrice
2 Secrets @LizRice | @AquaSecTeam
3 Secrets @LizRice | @AquaSecTeam Secret store Cluster
Desirable attributes for secrets management
5 Secrets @LizRice | @AquaSecTeam Secrets photo: Katie Tegtmeyer ■ Encrypted ■ At rest and in transit ■ Only decrypted in memory
6 Secrets @LizRice | @AquaSecTeam Secrets photo: James Case ■ Access control ■ Only accessible by containers that need them ■ And users ■ Write-only access
7 Secrets @LizRice | @AquaSecTeam Secrets photo: Irena Jackson ■ Life-cycle ■ Risk of leak increases over time ■ Rotation, revocation, audit logging
Passing secrets to containers
9 Bad places for secrets @LizRice | @AquaSecTeam ■ Source code ■ Dockerfiles / images
10 docker run -e VARNAME=secret ... Environment variables @LizRice | @AquaSecTeam
11 ■ docker inspect ■ docker exec ■ /proc directory ■ Leaky logs Environment variables @LizRice | @AquaSecTeam
12 docker run -v /hostsecrets:/secrets ... Mounted volume @LizRice | @AquaSecTeam
13 ■ docker inspect ■ docker exec ■ /proc directory ■ Leaky logs Mounted volume @LizRice | @AquaSecTeam
Orchestrator support for secrets
15 Docker @LizRice | @AquaSecTeam ■ Secrets support built in for Docker Swarm services ■ Not standalone containers ■ Encrypted transmission with mutual authentication ■ Secret accessible when exposed to service ■ Mounted to a temporary fs (not env vars) ■ RBAC in Enterprise Edition
16 Docker @LizRice | @AquaSecTeam ■ Encrypted in Raft log ■ Lock your Swarm!! ■ Shared to Swarm managers ■ Audit log with events ■ Rotation requires container restart & secret dance Encrypted ✓ Access control ✓ Life-cycle ?
17 Kubernetes secrets @LizRice | @AquaSecTeam ■ Secret configured in pod YAML ■ Namespaced ■ RBAC can be turned on --authorization-mode=RBAC ■ Files and env vars ■ Files support updating secret values ■ Need to restart pod to get new env var value
18 Kubernetes secrets @LizRice | @AquaSecTeam ■ Stored in etcd ■ Make sure secrets are encrypted! ■ --experimental-encryption-provider-config on API Server Encrypted ? Access control ✓ Life-cycle ✓
19 Kubernetes secrets @LizRice | @AquaSecTeam kind: EncryptionConfig apiVersion: v1 resources: - resources: - secrets providers: - aescbc: keys: - name: key1 secret: bXlWZXJ5U2VjcmV0RW5jcnlwdGlvbktleQo= - identity: {}
20 Secrets all the way down @LizRice | @AquaSecTeam ■ EncryptionConfig holds a secret key... xkcd.com/1416
21 DC/OS @LizRice | @AquaSecTeam ■ Enterprise DC/OS ■ Plug-ins for Mesos/Marathon ■ Encrypted in ZooKeeper ■ Env vars ■ Access control by service path ■ Restart service to update value Encrypted ✓ Access control ✓ Life-cycle ?
22 Nomad @LizRice | @AquaSecTeam ■ Integrated with Vault ■ Use production mode ■ Encryption & security primitives
23 Nomad @LizRice | @AquaSecTeam ■ Secrets passed as files ■ Nomad takes care of interactions with Vault ■ Tasks get tokens so they can retrieve values ■ Poll for changed values ■ Access control ■ Audit logging Encrypted ✓ Access control ✓ Life-cycle ✓
24 Aqua secrets & external store @LizRice | @AquaSecTeam ■ Any orchestrator ■ Secret storage in 3rd party backend ■ Hashicorp Vault, Amazon KMS, Azure Key Vault, CyberArk Vault...
25 Aqua secrets & external store @LizRice | @AquaSecTeam ■ File system & env var support ■ Update secrets without container restart ■ No env var leak through inspect or /proc ■ Auditing of secret usage ■ User & container access control Encrypted ✓ Access control ✓ Life-cycle ✓
Summary
27 Secrets @LizRice | @AquaSecTeam Secrets photo: Iain Merchant ■ Access secrets at runtime ■ Not built in ■ Rotate secrets ■ Your best option depends on ■ Orchestrator ■ Acceptable level of risk
Join the conversation #DevSecCon The Ultimate Guide to Secrets Management in Containers tiny.cc/secrets @LizRice | @AquaSecTeam
29 Kubernetes secrets access @LizRice | @AquaSecTeam ■ RBAC can be turned on --authorization-mode=RBAC # This role binding allows "dave" to read secrets in the "development" namespace. kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: read-secrets namespace: development # This only grants permissions within the "development" namespace. subjects: - kind: User name: dave apiGroup: rbac.authorization.k8s.io roleRef: kind: ClusterRole name: secret-reader apiGroup: rbac.authorization.k8s.io

More Related Content

PDF
Your (container) secret's safe with me
Liz Rice
 
PDF
Your secret's safe with me
Liz Rice
 
PPTX
Hug #9 who's keeping your secrets
Cameron More
 
PDF
London HUG 19/5 - Kubernetes and vault
London HashiCorp User Group
 
PPTX
London Hug 20/6 - Vault production
London HashiCorp User Group
 
PDF
Kubernetes Security
inovex GmbH
 
PDF
Kubernetes - security you need to know about it
Haydn Johnson
 
PDF
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Michael Man
 
Your (container) secret's safe with me
Liz Rice
 
Your secret's safe with me
Liz Rice
 
Hug #9 who's keeping your secrets
Cameron More
 
London HUG 19/5 - Kubernetes and vault
London HashiCorp User Group
 
London Hug 20/6 - Vault production
London HashiCorp User Group
 
Kubernetes Security
inovex GmbH
 
Kubernetes - security you need to know about it
Haydn Johnson
 
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Michael Man
 

What's hot (20)

PDF
London Hug 20/6 - Clustering RabbitMQ using Consul
London HashiCorp User Group
 
PDF
Zombies in Kubernetes
Thomas Fricke
 
PDF
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDays Riga
 
PDF
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...
Michael Man
 
PDF
Alex Dias: how to build a docker monitoring solution
Outlyer
 
PDF
Container Security Deep Dive & Kubernetes
Aqua Security
 
PDF
Security threats with Kubernetes - Igor Khoroshchenko
Kuberton
 
PDF
CI / CD / CS - Continuous Security in Kubernetes
Sysdig
 
PDF
Kubernetes - Security Journey
Jerry Jalava
 
PDF
Mastering kubernetes ingress nginx
Sidhartha Mani
 
PDF
Lessons learned and challenges faced while running Kubernetes at Scale
Sidhartha Mani
 
PDF
How abusing the Docker API led to remote code execution same origin bypass an...
Aqua Security
 
PDF
Chris Rutter: Avoiding The Security Brick
Michael Man
 
PPTX
Bandit and Gosec - Security Linters
EricBrown328
 
PDF
JEE on DC/OS
Josef Adersberger
 
ODP
OpenShift & SELinux with Dan Walsh @rhatdan
OpenShift Origin
 
PDF
BRISK_Network_Pentest_
BriskInfosec Solutions
 
PPTX
Security best practices for kubernetes deployment
Michael Cherny
 
PPTX
Lessons Learned in Automating Compliance for Containers
All Things Open
 
PDF
Container Security
Jie Liau
 
London Hug 20/6 - Clustering RabbitMQ using Consul
London HashiCorp User Group
 
Zombies in Kubernetes
Thomas Fricke
 
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDays Riga
 
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...
Michael Man
 
Alex Dias: how to build a docker monitoring solution
Outlyer
 
Container Security Deep Dive & Kubernetes
Aqua Security
 
Security threats with Kubernetes - Igor Khoroshchenko
Kuberton
 
CI / CD / CS - Continuous Security in Kubernetes
Sysdig
 
Kubernetes - Security Journey
Jerry Jalava
 
Mastering kubernetes ingress nginx
Sidhartha Mani
 
Lessons learned and challenges faced while running Kubernetes at Scale
Sidhartha Mani
 
How abusing the Docker API led to remote code execution same origin bypass an...
Aqua Security
 
Chris Rutter: Avoiding The Security Brick
Michael Man
 
Bandit and Gosec - Security Linters
EricBrown328
 
JEE on DC/OS
Josef Adersberger
 
OpenShift & SELinux with Dan Walsh @rhatdan
OpenShift Origin
 
BRISK_Network_Pentest_
BriskInfosec Solutions
 
Security best practices for kubernetes deployment
Michael Cherny
 
Lessons Learned in Automating Compliance for Containers
All Things Open
 
Container Security
Jie Liau
 
Ad

Similar to Container secrets talk from DevSecCon (20)

PDF
Your secret's safe with me
Aqua Security
 
PPTX
Containers: Give Me The Facts, Not The Hype - AppD Summit Europe
AppDynamics
 
PDF
Docker Security: Are Your Containers Tightly Secured to the Ship?
Michael Boelen
 
PPTX
Secure development on Kubernetes by Andreas Falk
SBA Research
 
PDF
DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...
Lacework
 
PPTX
Container Monitoring with Sysdig
Sreenivas Makam
 
PDF
Caching reboot: javax.cache & Ehcache 3
Louis Jacomet
 
PPTX
Docker Seattle Meetup April 2015 - The Docker Orchestration Ecosystem on Azure
Patrick Chanezon
 
PDF
Dockertaipei 20150528-dockerswarm
Wei-Ting Kuo
 
PPTX
Docker New York Meetup May 2015 - The Docker Orchestration Ecosystem on Azure
Patrick Chanezon
 
PDF
Discover some "Big Data" architectural concepts with Redis
Maturin BADO
 
PDF
Monitoring microservices: Docker, Mesos and Kubernetes visibility at scale
Alessandro Gallotta
 
PDF
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
Lacework
 
PDF
Digital Forensics and Incident Response in The Cloud Part 3
Velocidex Enterprises
 
PPTX
Secret Management with Hashicorp Vault and Consul on Kubernetes
An Nguyen
 
PDF
The Concierge Paradigm
Gareth Brown
 
PPTX
Devoxx France 2015 - The Docker Orchestration Ecosystem on Azure
Patrick Chanezon
 
PDF
Commit 2024 Secrets Management Made Easy
Alfredo García Lavilla
 
PDF
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Sysdig
 
PDF
DCSF19 Container Security: Theory & Practice at Netflix
Docker, Inc.
 
Your secret's safe with me
Aqua Security
 
Containers: Give Me The Facts, Not The Hype - AppD Summit Europe
AppDynamics
 
Docker Security: Are Your Containers Tightly Secured to the Ship?
Michael Boelen
 
Secure development on Kubernetes by Andreas Falk
SBA Research
 
DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...
Lacework
 
Container Monitoring with Sysdig
Sreenivas Makam
 
Caching reboot: javax.cache & Ehcache 3
Louis Jacomet
 
Docker Seattle Meetup April 2015 - The Docker Orchestration Ecosystem on Azure
Patrick Chanezon
 
Dockertaipei 20150528-dockerswarm
Wei-Ting Kuo
 
Docker New York Meetup May 2015 - The Docker Orchestration Ecosystem on Azure
Patrick Chanezon
 
Discover some "Big Data" architectural concepts with Redis
Maturin BADO
 
Monitoring microservices: Docker, Mesos and Kubernetes visibility at scale
Alessandro Gallotta
 
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
Lacework
 
Digital Forensics and Incident Response in The Cloud Part 3
Velocidex Enterprises
 
Secret Management with Hashicorp Vault and Consul on Kubernetes
An Nguyen
 
The Concierge Paradigm
Gareth Brown
 
Devoxx France 2015 - The Docker Orchestration Ecosystem on Azure
Patrick Chanezon
 
Commit 2024 Secrets Management Made Easy
Alfredo García Lavilla
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Sysdig
 
DCSF19 Container Security: Theory & Practice at Netflix
Docker, Inc.
 
Ad

More from Liz Rice (7)

PDF
The maths behind microscaling
Liz Rice
 
PPTX
Game of Hosts - Containers, VMs and Microscaling
Liz Rice
 
PPTX
How to build a personalized interface for VOD
Liz Rice
 
PPTX
Tank Top TV - Netflix viewing data
Liz Rice
 
PPTX
Killing the TV time grid
Liz Rice
 
PPTX
Cadbury
Liz Rice
 
PPTX
Beatz
Liz Rice
 
The maths behind microscaling
Liz Rice
 
Game of Hosts - Containers, VMs and Microscaling
Liz Rice
 
How to build a personalized interface for VOD
Liz Rice
 
Tank Top TV - Netflix viewing data
Liz Rice
 
Killing the TV time grid
Liz Rice
 
Cadbury
Liz Rice
 
Beatz
Liz Rice
 

Recently uploaded (20)

PDF
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
PDF
Understanding Forklifts - TECH EHS Solution
TECH EHS Solution
 
PPTX
Embracing Complexity in Serverless! GOTO Serverless Bengaluru
SheenBrisals
 
PDF
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
Andre Kraus
 
PDF
Addressing The Cult of Project Management Tools-Why Disconnected Work is Hold...
OnePlan Solutions
 
PPTX
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Conacent Consulting
 
PDF
Nekopoi APK 2025 free lastest update
umarali35kp
 
PDF
System and Network Administraation Chapter 3
jaramharo
 
PDF
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
William Chong
 
PDF
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
PPTX
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
mhxyzzp
 
PDF
Which alternative to Crystal Reports is best for small or large businesses.pdf
Varsha Nayak
 
PPTX
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
PPTX
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
hci7se
 
PDF
Adobe Premiere Pro 2025 (v24.5.0.057) Crack free
ghrom2211g
 
PDF
EN-Survey-Report-SAP-LeanIX-EA-Insights-2025.pdf
deepakkhaitan3
 
PPTX
ai tools demonstartion for schools and inter college
harshavardhanreddyka11
 
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 41
ghrom2211g
 
PPTX
Reimagine Home Health with the Power of Agentic AI​
AutomationEdge Technologies
 
PDF
2025 Textile ERP Trends: SAP, Odoo & Oracle
Aetos Technologies
 
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
Understanding Forklifts - TECH EHS Solution
TECH EHS Solution
 
Embracing Complexity in Serverless! GOTO Serverless Bengaluru
SheenBrisals
 
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
Andre Kraus
 
Addressing The Cult of Project Management Tools-Why Disconnected Work is Hold...
OnePlan Solutions
 
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Conacent Consulting
 
Nekopoi APK 2025 free lastest update
umarali35kp
 
System and Network Administraation Chapter 3
jaramharo
 
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
William Chong
 
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
mhxyzzp
 
Which alternative to Crystal Reports is best for small or large businesses.pdf
Varsha Nayak
 
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
hci7se
 
Adobe Premiere Pro 2025 (v24.5.0.057) Crack free
ghrom2211g
 
EN-Survey-Report-SAP-LeanIX-EA-Insights-2025.pdf
deepakkhaitan3
 
ai tools demonstartion for schools and inter college
harshavardhanreddyka11
 
Internet Downloader Manager (IDM) Crack 6.42 Build 41
ghrom2211g
 
Reimagine Home Health with the Power of Agentic AI​
AutomationEdge Technologies
 
2025 Textile ERP Trends: SAP, Odoo & Oracle
Aetos Technologies
 

Container secrets talk from DevSecCon

  • 1. Join the conversation #DevSecCon Your (container) secret’s safe with me Liz Rice, Aqua Security @lizrice
  • 4. Desirable attributes for secrets management
  • 5. 5 Secrets @LizRice | @AquaSecTeam Secrets photo: Katie Tegtmeyer ■ Encrypted ■ At rest and in transit ■ Only decrypted in memory
  • 6. 6 Secrets @LizRice | @AquaSecTeam Secrets photo: James Case ■ Access control ■ Only accessible by containers that need them ■ And users ■ Write-only access
  • 7. 7 Secrets @LizRice | @AquaSecTeam Secrets photo: Irena Jackson ■ Life-cycle ■ Risk of leak increases over time ■ Rotation, revocation, audit logging
  • 8. Passing secrets to containers
  • 9. 9 Bad places for secrets @LizRice | @AquaSecTeam ■ Source code ■ Dockerfiles / images
  • 10. 10 docker run -e VARNAME=secret ... Environment variables @LizRice | @AquaSecTeam
  • 11. 11 ■ docker inspect ■ docker exec ■ /proc directory ■ Leaky logs Environment variables @LizRice | @AquaSecTeam
  • 12. 12 docker run -v /hostsecrets:/secrets ... Mounted volume @LizRice | @AquaSecTeam
  • 13. 13 ■ docker inspect ■ docker exec ■ /proc directory ■ Leaky logs Mounted volume @LizRice | @AquaSecTeam
  • 15. 15 Docker @LizRice | @AquaSecTeam ■ Secrets support built in for Docker Swarm services ■ Not standalone containers ■ Encrypted transmission with mutual authentication ■ Secret accessible when exposed to service ■ Mounted to a temporary fs (not env vars) ■ RBAC in Enterprise Edition
  • 16. 16 Docker @LizRice | @AquaSecTeam ■ Encrypted in Raft log ■ Lock your Swarm!! ■ Shared to Swarm managers ■ Audit log with events ■ Rotation requires container restart & secret dance Encrypted ✓ Access control ✓ Life-cycle ?
  • 17. 17 Kubernetes secrets @LizRice | @AquaSecTeam ■ Secret configured in pod YAML ■ Namespaced ■ RBAC can be turned on --authorization-mode=RBAC ■ Files and env vars ■ Files support updating secret values ■ Need to restart pod to get new env var value
  • 18. 18 Kubernetes secrets @LizRice | @AquaSecTeam ■ Stored in etcd ■ Make sure secrets are encrypted! ■ --experimental-encryption-provider-config on API Server Encrypted ? Access control ✓ Life-cycle ✓
  • 19. 19 Kubernetes secrets @LizRice | @AquaSecTeam kind: EncryptionConfig apiVersion: v1 resources: - resources: - secrets providers: - aescbc: keys: - name: key1 secret: bXlWZXJ5U2VjcmV0RW5jcnlwdGlvbktleQo= - identity: {}
  • 20. 20 Secrets all the way down @LizRice | @AquaSecTeam ■ EncryptionConfig holds a secret key... xkcd.com/1416
  • 21. 21 DC/OS @LizRice | @AquaSecTeam ■ Enterprise DC/OS ■ Plug-ins for Mesos/Marathon ■ Encrypted in ZooKeeper ■ Env vars ■ Access control by service path ■ Restart service to update value Encrypted ✓ Access control ✓ Life-cycle ?
  • 22. 22 Nomad @LizRice | @AquaSecTeam ■ Integrated with Vault ■ Use production mode ■ Encryption & security primitives
  • 23. 23 Nomad @LizRice | @AquaSecTeam ■ Secrets passed as files ■ Nomad takes care of interactions with Vault ■ Tasks get tokens so they can retrieve values ■ Poll for changed values ■ Access control ■ Audit logging Encrypted ✓ Access control ✓ Life-cycle ✓
  • 24. 24 Aqua secrets & external store @LizRice | @AquaSecTeam ■ Any orchestrator ■ Secret storage in 3rd party backend ■ Hashicorp Vault, Amazon KMS, Azure Key Vault, CyberArk Vault...
  • 25. 25 Aqua secrets & external store @LizRice | @AquaSecTeam ■ File system & env var support ■ Update secrets without container restart ■ No env var leak through inspect or /proc ■ Auditing of secret usage ■ User & container access control Encrypted ✓ Access control ✓ Life-cycle ✓
  • 27. 27 Secrets @LizRice | @AquaSecTeam Secrets photo: Iain Merchant ■ Access secrets at runtime ■ Not built in ■ Rotate secrets ■ Your best option depends on ■ Orchestrator ■ Acceptable level of risk
  • 28. Join the conversation #DevSecCon The Ultimate Guide to Secrets Management in Containers tiny.cc/secrets @LizRice | @AquaSecTeam
  • 29. 29 Kubernetes secrets access @LizRice | @AquaSecTeam ■ RBAC can be turned on --authorization-mode=RBAC # This role binding allows "dave" to read secrets in the "development" namespace. kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: read-secrets namespace: development # This only grants permissions within the "development" namespace. subjects: - kind: User name: dave apiGroup: rbac.authorization.k8s.io roleRef: kind: ClusterRole name: secret-reader apiGroup: rbac.authorization.k8s.io