Abstract image of a woman sitting on books and studying on a laptop

Troubles in Kubernetes Land: Vault to the Rescue

DevOps.com, profile picture
DevOps.com

The document discusses challenges in managing Kubernetes clusters and how Vault can assist in addressing security and automation issues. It emphasizes the importance of managing secrets and credentials, particularly in multi-cluster and multi-cloud environments. The webinar outlines various solutions, including using Vault to simplify access control and enhance operational efficiency.

Technology
1 of 30
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
Troubles in Kubernetes Land: Vault to the Rescue Webinar devops.com November 2019
© 2019 InfluxData. All rights reserved.2 @gitirabassi Giacomo Tirabassi InfluxData SRE 󾓩 Italian ☸ Kubernetes in production since v1.8 🍝 love to cook and eat 󾓦 lived 1 year in Memphis 󾓭 lived 1 year in Shanghai
© 2019 InfluxData. All rights reserved.3
© 2019 InfluxData. All rights reserved.4 What’s the problem?
© 2019 InfluxData. All rights reserved.5
© 2019 InfluxData. All rights reserved.6 Solution: use a managed kubernetes solution
© 2019 InfluxData. All rights reserved.7
© 2019 InfluxData. All rights reserved.8 A little bit of context • Multiple clusters • Multiple regions • Multiple cloud (also on-prem) • Minimal operational effort • Maximum automation
© 2019 InfluxData. All rights reserved.9
© 2019 InfluxData. All rights reserved.10 Kubernetes is just an application a critical one
© 2019 InfluxData. All rights reserved.11 Automation: a little digression Stateless applications (easy) Stateful applications (hard) Critical applications (he/she needs some milk)
© 2019 InfluxData. All rights reserved.12 Automation: why so hard? • Credentials go from long lived to short lived • How to observe? • How to test? • How to rollback? or rollforward? • What can go wrong? and how to deal with it? IMMUTABLE INFRASTRUCTURE
© 2019 InfluxData. All rights reserved.13 When deploying Kubernetes yourself • Manage Etcd • Manage PKI • Manage Nodes • Upgrade Controlplane + Nodes • Update configurations • DR / BC
© 2019 InfluxData. All rights reserved.14 What can go wrong? • 2 out of 5 of the HIGH risk are TLS related • certificate expiration is an issue • ETCD data dump is underestimate • certificates and keys can be accessed on the master node if PSP are not turned on
© 2019 InfluxData. All rights reserved.15 How can vault help?
© 2019 InfluxData. All rights reserved.16 Two parties needs access to Vault • Human LDAP OIDC • Nodes aws gcp azure alicloud
© 2019 InfluxData. All rights reserved.17 Humans need to SSH into nodes • SSH Secret Engine: using Signed Keys can be as simple as • vault login -method=oidc • vault ssh -mode=ca ubuntu@192.168.0.10
© 2019 InfluxData. All rights reserved.18 Humans need access to K8S • Identity secret engine is OIDC compatible • added in v1.2.0 • very customizable id_token content • automatic key rotation
© 2019 InfluxData. All rights reserved.19 3 types of nodes and policies • Etcd nodes • Control plane nodes • Worker nodes
© 2019 InfluxData. All rights reserved.20 Etcd nodes • Need access to ETCD server and peer certificates • PKI Secret Engine is made for this
© 2019 InfluxData. All rights reserved.21 Control Plane nodes • Need access to ETCD client certificates • Need access to APIs CA • Need access to front-proxy CA • Service Account private/public keys (sign/verify JWT tokens) • Needs access to Vault Transit backend to encrypt data in etcd
© 2019 InfluxData. All rights reserved.22 Worker nodes • Need access to Kubeadm Join Token Custom secret engine plugin When a node needs access creates a short-lived token on kubernetes Token validity can be configured, but 1 minute is default • Needs access to kubelet server certificates by default kubelet uses self-signed ones
© 2019 InfluxData. All rights reserved.23 Static secrets • Migrations are hard • For long lived secrets (eg. TLS certificates, api keys, etc) • A compromise is needed: SOPS
© 2019 InfluxData. All rights reserved.24 • Build nodes images with packer (region and cloud agnostic) • Deploy VMs with Terraform module’s input are equal for all cloud providers • Configure auth, service discovery, node role and cloud using custom binary in userdata Our Solution
© 2019 InfluxData. All rights reserved.25 • 1 kubernetes cluster: 1 PKI secret engines 1 transit engine 1 KV engine 1 kubeadm-token plugin Our Solution: Vault’s side
© 2019 InfluxData. All rights reserved.26 • Certificates are expected to be on disk • No automatic reload of new certificates • Service Account token signing without external provider • Built-in certificate signing still require private/public key on disk • How to authenticate on-prem nodes? appRole? Kubernetes is not perfect yet
© 2019 InfluxData. All rights reserved.27 [[inputs.x509_cert]] sources = [ "/etc/kubernetes/pki/ca.crt", "/etc/kubernetes/pki/front-proxy-ca.crt", "/etc/kubernetes/pki/front-proxy-client.crt", "/etc/kubernetes/pki/etcd/ca.crt", "/etc/kubernetes/pki/etcd/peer.crt", "/etc/kubernetes/pki/etcd/healthcheck-client.crt", "/etc/kubernetes/pki/etcd/server.crt", "/etc/kubernetes/pki/apiserver.crt", "/etc/kubernetes/pki/apiserver-kubelet-client.crt", "/etc/kubernetes/pki/apiserver-etcd-client.crt", ] Monitoring Certifcates with Telegraf
© 2019 InfluxData. All rights reserved.28 DEMO
© 2019 InfluxData. All rights reserved.29 RECAP • Let’s go and automate everything: don’t be scared! • Vault can be integrated in critical application deployments • Having a single source for auditing all your infrastructural credentials is amazing
We’re hiring!! @gitirabassi

More Related Content

PPTX
NGINX Lunch and Learn Event: Kubernetes and the NGINX Plus Ingress controller
Katherine Bagood
 
PDF
How to Gain Real-Time Visibility into Your IaaS with vBridge, InfluxDB, Grafana
InfluxData
 
PDF
Control Kubernetes Ingress and Egress Together with NGINX
NGINX, Inc.
 
PDF
How to Use InfluxDB to Visualize and Monitor MQTT Messages in an IIoT System
InfluxData
 
PDF
Kubernetes and the NGINX Plus Ingress Controller
Katherine Bagood
 
PDF
HiveMQ Webinar: Lightweight and scalable IoT Messaging with MQTT
Dominik Obermaier
 
PDF
VietOpenStack meetup 7th Kilo overview
Vietnam Open Infrastructure User Group
 
PDF
FIWARE Global Summit - Building Your Own IoT Agent
FIWARE
 
NGINX Lunch and Learn Event: Kubernetes and the NGINX Plus Ingress controller
Katherine Bagood
 
How to Gain Real-Time Visibility into Your IaaS with vBridge, InfluxDB, Grafana
InfluxData
 
Control Kubernetes Ingress and Egress Together with NGINX
NGINX, Inc.
 
How to Use InfluxDB to Visualize and Monitor MQTT Messages in an IIoT System
InfluxData
 
Kubernetes and the NGINX Plus Ingress Controller
Katherine Bagood
 
HiveMQ Webinar: Lightweight and scalable IoT Messaging with MQTT
Dominik Obermaier
 
VietOpenStack meetup 7th Kilo overview
Vietnam Open Infrastructure User Group
 
FIWARE Global Summit - Building Your Own IoT Agent
FIWARE
 

What's hot (20)

PDF
Cloud Native Day: Cloud-native Anwendungsentwicklung im Jahr 2021
Nico Meisenzahl
 
PDF
API Gateway Use Cases​ for Kubernetes​
NGINX, Inc.
 
PDF
FIWARE Global Summit - Connecting to IoT
FIWARE
 
PDF
Azure Meetup Hamburg: Production-Ready Terraform Deployments on Azure
Nico Meisenzahl
 
PDF
Centralizing Kubernetes Management in Restrictive Environments
Kublr
 
PDF
Microservice API Gateways with NGINX
Geoffrey Filippi
 
PPTX
Production-Grade Kubernetes With NGINX Ingress Controller
NGINX, Inc.
 
PDF
GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Be...
Nico Meisenzahl
 
PDF
Build your First IoT Application with IBM Watson IoT
Janakiram MSV
 
PDF
Building Scalable & Reliable MQTT Clients for Enterprise Computing
SilvioGiebl
 
PDF
Hyperledger Cello Feb 20, 2018
Arnaud Le Hors
 
PDF
Microservice et identité
Leonard Moustacchis
 
PDF
DevOpsCon Berlin: Helm vs Operators – Do I Need to Decide?
Nico Meisenzahl
 
PDF
DevOpsCon London: How containerized Pipelines can boost your CI/CD
Nico Meisenzahl
 
PDF
Docker Rosenheim Meetup: Policy & Governance for Kubernetes
Nico Meisenzahl
 
PDF
Hyperledger Fabric EVM Integration Feb 20, 2018
Arnaud Le Hors
 
PDF
DevOps Gathering - How Containerized Pipelines Can Boost Your CI/CD
Nico Meisenzahl
 
PDF
A pure Java MQTT Stack for IoT
Dominik Obermaier
 
PPTX
An Open-Source Platform to Connect, Manage, and Secure Microservices
DoiT International
 
PDF
Azure Rosenheim Meetup: Azure Service Operator
Nico Meisenzahl
 
Cloud Native Day: Cloud-native Anwendungsentwicklung im Jahr 2021
Nico Meisenzahl
 
API Gateway Use Cases​ for Kubernetes​
NGINX, Inc.
 
FIWARE Global Summit - Connecting to IoT
FIWARE
 
Azure Meetup Hamburg: Production-Ready Terraform Deployments on Azure
Nico Meisenzahl
 
Centralizing Kubernetes Management in Restrictive Environments
Kublr
 
Microservice API Gateways with NGINX
Geoffrey Filippi
 
Production-Grade Kubernetes With NGINX Ingress Controller
NGINX, Inc.
 
GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Be...
Nico Meisenzahl
 
Build your First IoT Application with IBM Watson IoT
Janakiram MSV
 
Building Scalable & Reliable MQTT Clients for Enterprise Computing
SilvioGiebl
 
Hyperledger Cello Feb 20, 2018
Arnaud Le Hors
 
Microservice et identité
Leonard Moustacchis
 
DevOpsCon Berlin: Helm vs Operators – Do I Need to Decide?
Nico Meisenzahl
 
DevOpsCon London: How containerized Pipelines can boost your CI/CD
Nico Meisenzahl
 
Docker Rosenheim Meetup: Policy & Governance for Kubernetes
Nico Meisenzahl
 
Hyperledger Fabric EVM Integration Feb 20, 2018
Arnaud Le Hors
 
DevOps Gathering - How Containerized Pipelines Can Boost Your CI/CD
Nico Meisenzahl
 
A pure Java MQTT Stack for IoT
Dominik Obermaier
 
An Open-Source Platform to Connect, Manage, and Secure Microservices
DoiT International
 
Azure Rosenheim Meetup: Azure Service Operator
Nico Meisenzahl
 
Ad

Similar to Troubles in Kubernetes Land: Vault to the Rescue (20)

PDF
Manage your bare-metal infrastructure with a CI/CD-driven approach
inovex GmbH
 
PDF
Securing k8s With Kubernetes Goat
Muhammad Yuga Nugraha
 
PPTX
"Turning Kubernetes into a full-fledged private cloud", Volodymyr Tsap
Fwdays
 
PDF
Managing Kubernetes operating Kubernetes clusters in the real world First Edi...
jayedmonotbp
 
PPTX
DevSecOps in a cloudnative world
Karthik Gaekwad
 
PPTX
10 tips for Cloud Native Security
Karthik Gaekwad
 
PDF
JDO 2019: What you should be aware of before setting up kubernetes on premise...
PROIDEA
 
PDF
Download full Managing Kubernetes operating Kubernetes clusters in the real w...
duduhasikul
 
PPTX
Kubernetes Security
Karthik Gaekwad
 
PDF
Successful K8S Platforms in Airgapped Environments
KubernetesCommunityD
 
PDF
Kubernetes the Very Hard Way. Lisa Portland 2019
Laurent Bernaille
 
PDF
Security pitfalls in script-able infrastructure pipelines.
DefCamp
 
PDF
The Art of Cloud Native Defense on Kubernetes
Jacopo Nardiello
 
PDF
Kubernetes the Very Hard Way. Velocity Berlin 2019
Laurent Bernaille
 
PPTX
Kubernetes security with AWS
Kasun Madura Rathnayaka
 
PDF
Kubernetes 101 for_penetration_testers_-_null_mumbai
n|u - The Open Security Community
 
PDF
ultimate guide to kubernetes deployment.pdf
Anshulkichara3
 
PPTX
Learn How to Use a Time Series Platform to Monitor All Aspects of Your Kubern...
DevOps.com
 
PDF
Openstack In Action 1st Edition V K Cody Bumgardner
pompefodge3d
 
PDF
Managing Cloud Native Data On Kubernetes 1st Early Release Jeff Carpenter Pat...
lintokhakon
 
Manage your bare-metal infrastructure with a CI/CD-driven approach
inovex GmbH
 
Securing k8s With Kubernetes Goat
Muhammad Yuga Nugraha
 
"Turning Kubernetes into a full-fledged private cloud", Volodymyr Tsap
Fwdays
 
Managing Kubernetes operating Kubernetes clusters in the real world First Edi...
jayedmonotbp
 
DevSecOps in a cloudnative world
Karthik Gaekwad
 
10 tips for Cloud Native Security
Karthik Gaekwad
 
JDO 2019: What you should be aware of before setting up kubernetes on premise...
PROIDEA
 
Download full Managing Kubernetes operating Kubernetes clusters in the real w...
duduhasikul
 
Kubernetes Security
Karthik Gaekwad
 
Successful K8S Platforms in Airgapped Environments
KubernetesCommunityD
 
Kubernetes the Very Hard Way. Lisa Portland 2019
Laurent Bernaille
 
Security pitfalls in script-able infrastructure pipelines.
DefCamp
 
The Art of Cloud Native Defense on Kubernetes
Jacopo Nardiello
 
Kubernetes the Very Hard Way. Velocity Berlin 2019
Laurent Bernaille
 
Kubernetes security with AWS
Kasun Madura Rathnayaka
 
Kubernetes 101 for_penetration_testers_-_null_mumbai
n|u - The Open Security Community
 
ultimate guide to kubernetes deployment.pdf
Anshulkichara3
 
Learn How to Use a Time Series Platform to Monitor All Aspects of Your Kubern...
DevOps.com
 
Openstack In Action 1st Edition V K Cody Bumgardner
pompefodge3d
 
Managing Cloud Native Data On Kubernetes 1st Early Release Jeff Carpenter Pat...
lintokhakon
 
Ad

More from DevOps.com (20)

PDF
Modernizing on IBM Z Made Easier With Open Source Software
DevOps.com
 
PPTX
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
DevOps.com
 
PPTX
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
DevOps.com
 
PDF
Next Generation Vulnerability Assessment Using Datadog and Snyk
DevOps.com
 
PPTX
Vulnerability Discovery in the Cloud
DevOps.com
 
PDF
2021 Open Source Governance: Top Ten Trends and Predictions
DevOps.com
 
PDF
A New Year’s Ransomware Resolution
DevOps.com
 
PPTX
Getting Started with Runtime Security on Azure Kubernetes Service (AKS)
DevOps.com
 
PDF
Don't Panic! Effective Incident Response
DevOps.com
 
PDF
Creating a Culture of Chaos: Chaos Engineering Is Not Just Tools, It's Culture
DevOps.com
 
PDF
Role Based Access Controls (RBAC) for SSH and Kubernetes Access with Teleport
DevOps.com
 
PDF
Monitoring Serverless Applications with Datadog
DevOps.com
 
PDF
Deliver your App Anywhere … Publicly or Privately
DevOps.com
 
PPTX
Securing medical apps in the age of covid final
DevOps.com
 
PDF
How to Build a Healthy On-Call Culture
DevOps.com
 
PPTX
The Evolving Role of the Developer in 2021
DevOps.com
 
PDF
Service Mesh: Two Big Words But Do You Need It?
DevOps.com
 
PPTX
Secure Data Sharing in OpenShift Environments
DevOps.com
 
PPTX
How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...
DevOps.com
 
PDF
Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...
DevOps.com
 
Modernizing on IBM Z Made Easier With Open Source Software
DevOps.com
 
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
DevOps.com
 
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
DevOps.com
 
Next Generation Vulnerability Assessment Using Datadog and Snyk
DevOps.com
 
Vulnerability Discovery in the Cloud
DevOps.com
 
2021 Open Source Governance: Top Ten Trends and Predictions
DevOps.com
 
A New Year’s Ransomware Resolution
DevOps.com
 
Getting Started with Runtime Security on Azure Kubernetes Service (AKS)
DevOps.com
 
Don't Panic! Effective Incident Response
DevOps.com
 
Creating a Culture of Chaos: Chaos Engineering Is Not Just Tools, It's Culture
DevOps.com
 
Role Based Access Controls (RBAC) for SSH and Kubernetes Access with Teleport
DevOps.com
 
Monitoring Serverless Applications with Datadog
DevOps.com
 
Deliver your App Anywhere … Publicly or Privately
DevOps.com
 
Securing medical apps in the age of covid final
DevOps.com
 
How to Build a Healthy On-Call Culture
DevOps.com
 
The Evolving Role of the Developer in 2021
DevOps.com
 
Service Mesh: Two Big Words But Do You Need It?
DevOps.com
 
Secure Data Sharing in OpenShift Environments
DevOps.com
 
How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...
DevOps.com
 
Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...
DevOps.com
 

Recently uploaded (20)

PDF
STKI Israel Market Study 2025 version august
Dr. Jimmy Schwarzkopf
 
PDF
CloudStack 4.21: First Look Webinar slides
ShapeBlue
 
PPT
Module 1.ppt Iot fundamentals and Architecture
nanditha7766
 
PDF
NewMind AI Weekly Chronicles – August ’25 Week III
NewMind AI
 
PDF
TrustArc Webinar - Click, Consent, Trust: Winning the Privacy Game
TrustArc
 
PDF
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
rameswartudu05
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PPTX
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
SilvioHayashi
 
PDF
A contest of sentiment analysis: k-nearest neighbor versus neural network
IAESIJAI
 
PDF
Hybrid model detection and classification of lung cancer
IAESIJAI
 
PDF
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
PPTX
O2C Customer Invoices to Receipt V15A.pptx
ssuserbfa915
 
PDF
Unlock new opportunities with location data.pdf
Precisely
 
PDF
Getting started with AI Agents and Multi-Agent Systems
Maxim Salnikov
 
PDF
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
PPT
What is a Computer? Input Devices /output devices
GulJan8
 
PPTX
Final SEM Unit 1 for mit wpu at pune .pptx
anishtilekar08
 
PPT
Geologic Time for studying geology for geologist
ssuser738f5a
 
PDF
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
PDF
August Patch Tuesday
Ivanti
 
STKI Israel Market Study 2025 version august
Dr. Jimmy Schwarzkopf
 
CloudStack 4.21: First Look Webinar slides
ShapeBlue
 
Module 1.ppt Iot fundamentals and Architecture
nanditha7766
 
NewMind AI Weekly Chronicles – August ’25 Week III
NewMind AI
 
TrustArc Webinar - Click, Consent, Trust: Winning the Privacy Game
TrustArc
 
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
rameswartudu05
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
SilvioHayashi
 
A contest of sentiment analysis: k-nearest neighbor versus neural network
IAESIJAI
 
Hybrid model detection and classification of lung cancer
IAESIJAI
 
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
O2C Customer Invoices to Receipt V15A.pptx
ssuserbfa915
 
Unlock new opportunities with location data.pdf
Precisely
 
Getting started with AI Agents and Multi-Agent Systems
Maxim Salnikov
 
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
What is a Computer? Input Devices /output devices
GulJan8
 
Final SEM Unit 1 for mit wpu at pune .pptx
anishtilekar08
 
Geologic Time for studying geology for geologist
ssuser738f5a
 
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
August Patch Tuesday
Ivanti
 

Troubles in Kubernetes Land: Vault to the Rescue

  • 1. Troubles in Kubernetes Land: Vault to the Rescue Webinar devops.com November 2019
  • 2. © 2019 InfluxData. All rights reserved.2 @gitirabassi Giacomo Tirabassi InfluxData SRE 󾓩 Italian ☸ Kubernetes in production since v1.8 🍝 love to cook and eat 󾓦 lived 1 year in Memphis 󾓭 lived 1 year in Shanghai
  • 3. © 2019 InfluxData. All rights reserved.3
  • 4. © 2019 InfluxData. All rights reserved.4 What’s the problem?
  • 5. © 2019 InfluxData. All rights reserved.5
  • 6. © 2019 InfluxData. All rights reserved.6 Solution: use a managed kubernetes solution
  • 7. © 2019 InfluxData. All rights reserved.7
  • 8. © 2019 InfluxData. All rights reserved.8 A little bit of context • Multiple clusters • Multiple regions • Multiple cloud (also on-prem) • Minimal operational effort • Maximum automation
  • 9. © 2019 InfluxData. All rights reserved.9
  • 10. © 2019 InfluxData. All rights reserved.10 Kubernetes is just an application a critical one
  • 11. © 2019 InfluxData. All rights reserved.11 Automation: a little digression Stateless applications (easy) Stateful applications (hard) Critical applications (he/she needs some milk)
  • 12. © 2019 InfluxData. All rights reserved.12 Automation: why so hard? • Credentials go from long lived to short lived • How to observe? • How to test? • How to rollback? or rollforward? • What can go wrong? and how to deal with it? IMMUTABLE INFRASTRUCTURE
  • 13. © 2019 InfluxData. All rights reserved.13 When deploying Kubernetes yourself • Manage Etcd • Manage PKI • Manage Nodes • Upgrade Controlplane + Nodes • Update configurations • DR / BC
  • 14. © 2019 InfluxData. All rights reserved.14 What can go wrong? • 2 out of 5 of the HIGH risk are TLS related • certificate expiration is an issue • ETCD data dump is underestimate • certificates and keys can be accessed on the master node if PSP are not turned on
  • 15. © 2019 InfluxData. All rights reserved.15 How can vault help?
  • 16. © 2019 InfluxData. All rights reserved.16 Two parties needs access to Vault • Human LDAP OIDC • Nodes aws gcp azure alicloud
  • 17. © 2019 InfluxData. All rights reserved.17 Humans need to SSH into nodes • SSH Secret Engine: using Signed Keys can be as simple as • vault login -method=oidc • vault ssh -mode=ca ubuntu@192.168.0.10
  • 18. © 2019 InfluxData. All rights reserved.18 Humans need access to K8S • Identity secret engine is OIDC compatible • added in v1.2.0 • very customizable id_token content • automatic key rotation
  • 19. © 2019 InfluxData. All rights reserved.19 3 types of nodes and policies • Etcd nodes • Control plane nodes • Worker nodes
  • 20. © 2019 InfluxData. All rights reserved.20 Etcd nodes • Need access to ETCD server and peer certificates • PKI Secret Engine is made for this
  • 21. © 2019 InfluxData. All rights reserved.21 Control Plane nodes • Need access to ETCD client certificates • Need access to APIs CA • Need access to front-proxy CA • Service Account private/public keys (sign/verify JWT tokens) • Needs access to Vault Transit backend to encrypt data in etcd
  • 22. © 2019 InfluxData. All rights reserved.22 Worker nodes • Need access to Kubeadm Join Token Custom secret engine plugin When a node needs access creates a short-lived token on kubernetes Token validity can be configured, but 1 minute is default • Needs access to kubelet server certificates by default kubelet uses self-signed ones
  • 23. © 2019 InfluxData. All rights reserved.23 Static secrets • Migrations are hard • For long lived secrets (eg. TLS certificates, api keys, etc) • A compromise is needed: SOPS
  • 24. © 2019 InfluxData. All rights reserved.24 • Build nodes images with packer (region and cloud agnostic) • Deploy VMs with Terraform module’s input are equal for all cloud providers • Configure auth, service discovery, node role and cloud using custom binary in userdata Our Solution
  • 25. © 2019 InfluxData. All rights reserved.25 • 1 kubernetes cluster: 1 PKI secret engines 1 transit engine 1 KV engine 1 kubeadm-token plugin Our Solution: Vault’s side
  • 26. © 2019 InfluxData. All rights reserved.26 • Certificates are expected to be on disk • No automatic reload of new certificates • Service Account token signing without external provider • Built-in certificate signing still require private/public key on disk • How to authenticate on-prem nodes? appRole? Kubernetes is not perfect yet
  • 27. © 2019 InfluxData. All rights reserved.27 [[inputs.x509_cert]] sources = [ "/etc/kubernetes/pki/ca.crt", "/etc/kubernetes/pki/front-proxy-ca.crt", "/etc/kubernetes/pki/front-proxy-client.crt", "/etc/kubernetes/pki/etcd/ca.crt", "/etc/kubernetes/pki/etcd/peer.crt", "/etc/kubernetes/pki/etcd/healthcheck-client.crt", "/etc/kubernetes/pki/etcd/server.crt", "/etc/kubernetes/pki/apiserver.crt", "/etc/kubernetes/pki/apiserver-kubelet-client.crt", "/etc/kubernetes/pki/apiserver-etcd-client.crt", ] Monitoring Certifcates with Telegraf
  • 28. © 2019 InfluxData. All rights reserved.28 DEMO
  • 29. © 2019 InfluxData. All rights reserved.29 RECAP • Let’s go and automate everything: don’t be scared! • Vault can be integrated in critical application deployments • Having a single source for auditing all your infrastructural credentials is amazing