Kubernetes Secrets Management: Table of Contents
Kubernetes Secrets Management by Alex Soto Bueno and Andrew Block
Fair Use Source: B0BPTHW6P4 (K8SScrtMg 2023)
contents
about this book  xv
about the authors  xviii
about the cover illustration  xix

PART 1  SECRETS AND KUBERNETES  1
1  Kubernetes Secrets  3
  1.1  A focus on security  4
  1.2  Taking full advantage of the Kubernetes ecosystem  5
  1.3  Not everything is a Secret  5
  1.4  Bringing secrets management and Kubernetes together  6
  1.5  (title not recovered)  9
2  An introduction to Kubernetes and Secrets  10
  2.1  Kubernetes architecture  11
    What is a master Node?  13
  2.2  Deploying workloads in Kubernetes  13
    Deploying a workload  13
    Deployment objects  15
    Volume  19
  2.3  Managing application configuration  19
    ConfigMaps  19
  2.4  Using Kubernetes Secrets to store sensitive information  25
    Secrets are encoded in Base64
    Secrets are mounted in a temporary file system
    Secrets can be encrypted at rest  28
    Risks  29

PART 2  MANAGING SECRETS  33
3  Securely storing Secrets
  3.1  Storing Kubernetes manifests at rest  36
    Capturing resources for declarative configuration  37
  3.2  Tools for securely storing Kubernetes resources  40
    Ansible Vault  40
  3.3  Kubernetes Operators  45
    Custom resource definitions (CRDs)  46
    Sealed Secrets  47
  3.4  Managing Secrets within Kubernetes package managers  51
    Deploying the Greeting Demo Helm chart  54
  3.5  Rotating secrets  58
    Ansible Vault secret key rotation  58
    Sealed Secrets key rotation  59
    SOPS secret key rotation  60
4  Encrypting data at rest  61
  4.1  Encrypting secrets in Kubernetes  62
    Data at rest vs. data in motion  62
    Encrypting secrets
  4.2  Key management server  69
    Kubernetes and KMS provider  77
5  HashiCorp Vault and Kubernetes  79
  5.1  Managing application secrets using HashiCorp Vault  80
    Deploying Vault to Kubernetes  81
    Deploying an application to access Vault  91
  5.2  Kubernetes auth method  94
    Configuring Kubernetes auth  95
    Testing and validating Kubernetes auth  97
  5.3  The Vault Agent Injector  98
    Configurations to support Kubernetes Vault Agent injection  100
6  Accessing cloud secrets stores  103
  6.1  The Container Storage Interface and Secrets Store CSI Driver  104
    Container Storage Interface  104
    Container Storage Interface and Kubernetes  107
    Installing prerequisites  108
    Installing the Secrets Store CSI Driver  109
    Consuming HashiCorp Vault secrets via the Secrets Store CSI Driver and the HashiCorp Vault provider  111
  6.2  Synchronizing CSI secrets as Kubernetes Secrets  116
    Preparing the namespace  117
    Defining a SecretProviderClass resource with secretObjects  117
  6.3  Autorotating secrets to improve security posture  121
    Preparing the namespace  122
    Deploying the Pod with a secret mounted  126
  6.4  Consuming secrets from cloud secrets stores  126
    Azure Key Vault  127
    GCP Secret Manager  135
    AWS Secrets Manager  143

PART 3  CONTINUOUS INTEGRATION AND CONTINUOUS DELIVERY  149
7  Kubernetes-native continuous integration and Secrets  151
  7.1  Introduction to continuous integration  152
  7.2  Tekton  153
    Installing prerequisites  154
    Installing Tekton  156
  7.3  Continuous integration for a welcome message  163
    Compiling and Running tests  166
    Building and Pushing the container image  168
    Pipeline
8  Kubernetes-native continuous delivery and Secrets  174
  8.1  Introduction to continuous delivery and continuous deployment  175
  8.2  Continuous delivery for the welcome message  176
    Deploying the Name Generator service  176
    DevOps and (title truncated)  178
  8.3  Argo CD  179
    Installation of ArgoCD  180
    Welcome service and GitOps  182
    Creating a Welcome Message service from a Git repository  186
    Updating the Welcome service  190

appendix A  Tooling  201
appendix B  Installing and configuring yq  207
appendix C  Installing and configuring pip  210
appendix D  Installing and configuring Git  213
appendix E  Installing GPG  216
brief contents
about this book
  Who should read this book?
  How this book is organized: A roadmap
  About the code
about the authors
about the cover illustration

Part 1  Secrets and Kubernetes
1  Kubernetes Secrets
  1.1  A focus on security
  1.2  Taking full advantage of the Kubernetes ecosystem
  1.3  Not everything is a Secret
  1.4  Bringing secrets management and Kubernetes together
  Summary
2  An introduction to Kubernetes and Secrets
  2.1  Kubernetes architecture
    2.1.1  What is a master Node?
  2.2  Deploying workloads in Kubernetes
    2.2.1  Deploying a workload
    2.2.2  Deployment objects
    2.2.3  Volume
  2.3  Managing application configuration
    2.3.1  ConfigMaps
  2.4  Using Kubernetes Secrets to store sensitive information
    2.4.1  Secrets are encoded in Base64
    2.4.2  Secrets are mounted in a temporary file system
    2.4.3  Secrets can be encrypted at rest
    2.4.4  Risks
  Summary

Part 2  Managing Secrets
3  Securely storing Secrets
  3.1  Storing Kubernetes manifests at rest
    3.1.1  Capturing resources for declarative configuration
  3.2  Tools for securely storing Kubernetes resources
    3.2.1  Ansible Vault
  3.3  Kubernetes Operators
    3.3.1  Custom resource definitions (CRDs)
    3.3.2  Sealed Secrets
  3.4  Managing Secrets within Kubernetes package managers
    3.4.1  Deploying the Greeting Demo Helm chart
  3.5  Rotating secrets
    3.5.1  Ansible Vault secret key rotation
    3.5.2  Sealed Secrets key rotation
    3.5.3  SOPS secret key rotation
  Summary
4  Encrypting data at rest
  4.1  Encrypting secrets in Kubernetes
    4.1.1  Data at rest vs. data in motion
    4.1.3  Encrypting secrets
  4.2  Key management server
    4.2.1  Kubernetes and KMS provider
  Summary
5  HashiCorp Vault and Kubernetes
  5.1  Managing application secrets using HashiCorp Vault
    5.1.1  Deploying Vault to Kubernetes
    5.1.2  Deploying an application to access Vault
  5.2  Kubernetes auth method
    5.2.1  Configuring Kubernetes auth
    5.2.2  Testing and validating Kubernetes auth
  5.3  The Vault Agent Injector
    5.3.1  Configurations to support Kubernetes Vault Agent injection
  Summary
6  Accessing cloud secrets stores
  6.1  The Container Storage Interface and Secrets Store CSI Driver
    6.1.1  Container Storage Interface
    6.1.2  Container Storage Interface and Kubernetes
    6.1.4  Installing prerequisites
    6.1.5  Installing the Secrets Store CSI Driver
    6.1.6  Consuming HashiCorp Vault secrets via the Secrets Store CSI Driver and the HashiCorp Vault provider
  6.2  Synchronizing CSI secrets as Kubernetes Secrets
    6.2.1  Preparing the namespace
    6.2.2  Defining a SecretProviderClass resource with secretObjects
  6.3  Autorotating secrets to improve security posture
    6.3.1  Preparing the namespace
    6.3.2  Deploying the Pod with a secret mounted
  6.4  Consuming secrets from cloud secrets stores
    6.4.1  Azure Key Vault
    6.4.2  GCP Secret Manager
    6.4.3  AWS Secrets Manager
  Summary

Part 3  Continuous integration and continuous delivery
7  Kubernetes-native continuous integration and Secrets
  7.1  Introduction to continuous integration
  7.2  Tekton
    7.2.1  Installing prerequisites
    7.2.2  Installing Tekton
  7.3  Continuous integration for a welcome message
    7.3.1  Compiling and Running tests
    7.3.2  Building and Pushing the container image
    7.3.4  Pipeline
  Summary
8  Kubernetes-native continuous delivery and Secrets
  8.1  Introduction to continuous delivery and deployment
  8.2  Continuous delivery for the welcome message
    8.2.1  Deploying the Name Generator service
  8.3  Argo CD
    8.3.1  Installation of ArgoCD
    8.3.2  Welcome service and GitOps
    8.3.3  Creating a Welcome Message service from a Git repository
    8.3.4  Updating the Welcome service
  Summary

appendix A  Tooling
  A.1  Minikube
  A.2  Kubectl
appendix B  Installing and configuring yq
  B.1  Installing yq
  B.2  yq by example
appendix C  Installing and configuring pip
  C.1  Installing pip
appendix D  Installing and configuring Git
  D.1  Installing Git
  D.2  Configuring Git
appendix E  Installing GPG
  E.1  Obtaining the GPG tools
  E.2  Generating a public–private key pair
Cloud Monk is Retired (for now). Buddha with you. © 2005 - 2024 Losang Jinpa or Fair Use. Disclaimers