Kubernetes Secrets Management Table of Contents
Kubernetes Secrets Management by Alex Soto Bueno and Andrew Block
Fair Use Source: B0BPTHW6P4 (K8SScrtMg 2023)
brief contents

about this book
  Who should read this book?
  How this book is organized: A roadmap
  About the code
about the authors
about the cover illustration

Part 1  Secrets and Kubernetes

1 Kubernetes Secrets
  1.1 A focus on security
  1.2 Taking full advantage of the Kubernetes ecosystem
  1.3 Not everything is a Secret
  1.4 Bringing secrets management and Kubernetes together
  Summary

2 An introduction to Kubernetes and Secrets
  2.1 Kubernetes architecture
    2.1.1 What is a master Node?
  2.2 Deploying workloads in Kubernetes
    2.2.1 Deploying a workload
    2.2.2 Deployment objects
    2.2.3 Volume
  2.3 Managing application configuration
    2.3.1 ConfigMaps
  2.4 Using Kubernetes Secrets to store sensitive information
    2.4.1 Secrets are encoded in Base64
    2.4.2 Secrets are mounted in a temporary file system
    2.4.3 Secrets can be encrypted at rest
    2.4.4 Risks
  Summary

Part 2  Managing Secrets

3 Securely storing Secrets
  3.1 Storing Kubernetes manifests at rest
    3.1.1 Capturing resources for declarative configuration
  3.2 Tools for securely storing Kubernetes resources
    3.2.1 Ansible Vault
  3.3 Kubernetes Operators
    3.3.1 Custom resource definitions (CRDs)
    3.3.2 Sealed Secrets
  3.4 Managing Secrets within Kubernetes package managers
    3.4.1 Deploying the Greeting Demo Helm chart
  3.5 Rotating secrets
    3.5.1 Ansible Vault secret key rotation
    3.5.2 Sealed Secrets key rotation
    3.5.3 SOPS secret key rotation
  Summary

4 Encrypting data at rest
  4.1 Encrypting secrets in Kubernetes
    4.1.1 Data at rest vs. data in motion
    4.1.3 Encrypting secrets
  4.2 Key management server
    4.2.1 Kubernetes and KMS provider
  Summary

5 HashiCorp Vault and Kubernetes
  5.1 Managing application secrets using HashiCorp Vault
    5.1.1 Deploying Vault to Kubernetes
    5.1.2 Deploying an application to access Vault
  5.2 Kubernetes auth method
    5.2.1 Configuring Kubernetes auth
    5.2.2 Testing and validating Kubernetes auth
  5.3 The Vault Agent Injector
    5.3.1 Configurations to support Kubernetes Vault Agent injection
  Summary

6 Accessing cloud secrets stores
  6.1 The Container Storage Interface and Secrets Store CSI Driver
    6.1.1 Container Storage Interface
    6.1.2 Container Storage Interface and Kubernetes
    6.1.4 Installing prerequisites
    6.1.5 Installing the Secrets Store CSI Driver
    6.1.6 Consuming HashiCorp Vault secrets via the Secrets Store CSI Driver and the HashiCorp Vault provider
  6.2 Synchronizing CSI secrets as Kubernetes Secrets
    6.2.1 Preparing the namespace
    6.2.2 Defining a SecretProviderClass resource with secretObjects
  6.3 Autorotating secrets to improve security posture
    6.3.1 Preparing the namespace
    6.3.2 Deploying the Pod with a secret mounted
  6.4 Consuming secrets from cloud secrets stores
    6.4.1 Azure Key Vault
    6.4.2 GCP Secret Manager
    6.4.3 AWS Secrets Manager
  Summary

Part 3  Continuous integration and continuous delivery

7 Kubernetes-native continuous integration and Secrets
  7.1 Introduction to continuous integration
  7.2 Tekton
    7.2.1 Installing prerequisites
    7.2.2 Installing Tekton
  7.3 Continuous integration for a welcome message
    7.3.1 Compiling and running tests
    7.3.2 Building and pushing the container image
    7.3.4 Pipeline
  Summary

8 Kubernetes-native continuous delivery and Secrets
  8.1 Introduction to continuous delivery and continuous deployment
  8.2 Continuous delivery for the welcome message
    8.2.1 Deploying the Name Generator service
  8.3 Argo CD
    8.3.1 Installation of Argo CD
    8.3.2 Welcome service and GitOps
    8.3.3 Creating a Welcome Message service from a Git repository
    8.3.4 Updating the Welcome service
  Summary

appendix A Tooling
  A.1 Minikube
  A.2 Kubectl
appendix B Installing and configuring yq
  B.1 Installing yq
  B.2 yq by example
appendix C Installing and configuring pip
  C.1 Installing pip
appendix D Installing and configuring Git
  D.1 Installing Git
  D.2 Configuring Git
appendix E Installing GPG
  E.1 Obtaining the GPG tools
  E.2 Generating a public–private key pair
© 1994 - 2024 Cloud Monk Losang Jinpa or Fair Use. Disclaimers