Brussels / 2 & 3 February 2019


Base64 is not encryption

A better story for Kubernetes Secrets

Secrets are a key pillar of Kubernetes' security model, used internally (e.g. service accounts) and by users (e.g. API keys), but did you know they are stored in plaintext? That's right, by default all Kubernetes secrets are base64 encoded and stored as plaintext in etcd. Anyone with access to the etcd cluster has access to all your Kubernetes secrets.

Thankfully there are better ways. This lecture provides an overview of different techniques for more securely managing secrets in Kubernetes including secrets encryption, KMS plugins, and tools like HashiCorp Vault. Attendees will learn the tradeoffs of each approach to make better decisions on how to secure their Kubernetes clusters.

This lecture and discussion outlines the current state of Kubernetes' security with respect to managing and securing Kubernetes Secrets.

First, attendees will learn the current state of the world: a default Kubernetes cluster has secrets pretty widely exposed. We will talk briefly about how some cloud providers add additional layers of security, but the default is insecure.

Next, attendees will learn about features released in Kubernetes 1.7 to allow for application-layer encryption of secrets. We will discuss the pros and cons of this approach, and walk through same code/live demo of it working in action.

Next, attendees will learn about features released in Kubernetes 1.10 to allow for delegated application-layer encryption of secrets to a KMS provider. We will again discuss the pros and cons of this approach, show some code and live demos.

Finally, attendees will see an example of a full secrets management on Kubernetes, using the open source HashiCorp Vault tool.

Importantly, this talk is not a general security talk - it is specific to Kubernetes secrets. Specifically, there are no plans to discuss cluster-level security, firewall security, ACLs, or RBAC.


Photo of Seth Vargo Seth Vargo