
Kubernetes Secrets Management Preface

Return to Kubernetes Secrets Management by Alex Soto Bueno and Andrew Block, Kubernetes Secrets Management

Fair Use Source: B0BPTHW6P4 (K8SScrtMg 2023)

“ (K8SScrtMg 2023)

preface

As technologists, we are naturally drawn to seeking out innovative ways of solving problems — whether that be through the use of new or existing approaches, frameworks, or technologies. One such technology both authors have been enthralled with over the last few years is Kubernetes. While Docker brought containers to the masses, it was Kubernetes that provided an extensible platform for running containers at scale.

We approached Kubernetes from different ends of the spectrum: one from an infrastructure mindset, understanding what it takes to build a Kubernetes cluster, and the other focusing on applications, looking to take advantage of the capabilities provided by the underlying infrastructure. There are several interwoven themes that apply to both infrastructure and application-focused individuals; one such area that remains a constant, whether using Kubernetes or not, is security.

Security is one of those topics that, while essential, often gets deprioritized or overlooked compared to other areas of interest. What we have found while working with organizations and developers is that they may not understand what types of resources require protections or how they can go about securing them. Those who have started working with Kubernetes are also surprised to learn that Kubernetes itself had very little in terms of security when it was first released. The protection mechanism that became known as Secrets was developed as a solution to provide some form of protection for sensitive assets prior to the initial 1.0. As a result, Secrets provide a minimal level of security, which may come as a surprise, given the name of the resource.

The combination of being potentially unfamiliar with the types of assets that should be secured and how to secure them, the false sense of security offered by the native Kubernetes features, and a myriad of solutions becoming available in this space spells a potential recipe for disaster. Our goal with this book is to emphasize the shift-left mentality, in which security becomes a key concern when working with Kubernetes, and to address the capabilities and pitfalls of the included tooling, alternate solutions, and the ways these can be incorporated within different parts of the delivery process. We don’t intend, and wouldn’t be able, to address all possible security options, but the concepts and implementations discussed in Kubernetes Secrets Management should enable you to be more successful and secure when working with Kubernetes.

acknowledgments

During these challenging times, I’d like to acknowledge Santa (fly, fly), Uri (thanks for all the conversations), Guiri (Vive Le Tour), Gavina, Gabi (thanks for the beers), and Edgar and Ester (yes, it’s Friday); my working teammates Edson, Sebi, Natale, Ana-Maria, Elder, and, of course, Burr and Kamesh (you will be on our team wherever you are) — we are the best team in the world! Also, thanks to Jonathan Vila, Abel Salgado, and Jordi Sola for the fantastic conversations about Java and Kubernetes.

Special thanks to all the reviewers who read our manuscript and provided such valuable feedback: Alain Lompo, Atila Kaya, Chris Devine, Clifford Thurber, Deepak Sharma, Giuseppe Catalano, John Guthrie, Jon Moore, Michael Bright, Mihaela Barbu, Milorad Imbra, Peter Reisinger, Robin Coe, Sameer Wadhwa, Satadru Roy, Sushant Bhadkamar, Tobias Ammann, and Werner Dijkerman; your contributions helped improve this book.

Last but certainly not least, I’d like to acknowledge Anna for being here; my parents, Mili and Ramon, who bought me my first computer; and my daughters Alexandra and Ada, “sou les ninetes dels meus ulls.”

— [[ALEX SOTO BUENO]]

Writing a book can be a challenging ordeal while also juggling other responsibilities amid a global pandemic. I would like to acknowledge those that helped reinforce various security concepts, including Raffaele Spazzoli, Bob Callaway, and Luke Hinds. In addition, all those in the Open Source community who helped build knowledge and stayed connected during these challenging times.

But, most importantly, I would like to acknowledge my parents, AnneMarie and A.J., for their pillar of support that keeps me grounded and focused no matter the adversity.

— ANDREW BLOCK

about this book

Kubernetes Secrets Management was written to help you understand how to manage secrets during the development and release of an application to a Kubernetes cluster. We begin with an introduction to Kubernetes and setting up the environment in which to run the examples presented in the book. After the introduction, we discuss managing secrets during development time and storing them correctly, either in the code repository or inside the Kubernetes cluster. Finally, we show a cloud-native Kubernetes way of implementing continuous integration and delivery as well as managing secrets in the pipeline.

Who should read this book?

Kubernetes Secrets Management is for senior developers with minimal experience in Kubernetes who want to expand their knowledge about Kubernetes and secret management. This book is also for operators who want to learn how to manage secrets, including how to configure, deploy, and store these secrets appropriately. While plenty of docs and blog posts to this effect exist online, Kubernetes Secrets Management brings together all that information to one clear, easy-to-follow text, so readers can understand security threats step-by-step, and how to address them.

How this book is organized: A roadmap

This book has three parts that cover eight chapters:

Part 1 explains the fundamentals of security and secrets and the basic Kubernetes concepts essential for understanding the rest of the book.

Chapter 1 introduces what is and is not a secret, why it is important to keep secrets secret, as well as an overview of Kubernetes.


Chapter 2 further introduces Kubernetes, its architecture, and the basic concepts for deploying an application with secret data. It also discusses why standard Kubernetes Secrets do not provide sufficient security.

Part 2 covers several security issues you might encounter during the development and deployment of an application to Kubernetes and how to fix them. Moreover, part 2 covers using secret storage to manage application secrets outside of the Kubernetes infrastructure.

Chapter 3 introduces tools and approaches that can store Kubernetes Secrets securely at rest and illustrates the benefits of declaratively defining Kubernetes resources.

Chapter 4 covers the encryption of secrets at rest inside the Kubernetes cluster as well as their integration with a key management service.

Chapter 5 focuses on the importance of using a secrets management tool, such as HashiCorp Vault, to securely store and manage sensitive assets for applications deployed to Kubernetes. It also demonstrates how both applications and Vault can be configured to provide seamless integration with one another.

Chapter 6 expands on the idea, introduced in chapter 5, of using an external secrets management tool — this time focusing on cloud secrets stores, including Google Secret Manager, Azure Key Vault, and AWS Secrets Manager.

Part 3 introduces a way of implementing Kubernetes-native continuous integration and delivery with Tekton and Argo CD and managing secrets correctly.

Chapter 7 covers delivering quality applications rapidly to hit the market sooner and, better yet, managing the secrets correctly throughout the pipeline, so no secrets leak in this phase of development.

Chapter 8 covers using continuous deployment and GitOps methodology to deploy and release services to a Kubernetes cluster by using Argo CD to deliver quality applications rapidly, while correctly managing the secrets throughout the pipeline, and ensuring no secrets leak in this phase of the development.

The reader may skip the second chapter if they have a good knowledge of Kubernetes (e.g., Deployments, Services, volumes, and ConfigMaps) and minikube.

About the code

This book contains many examples of source code both in numbered listings and in line with normal text. In both cases, source code is formatted in a fixed-width font like this to separate it from ordinary text. Sometimes code is also in bold to highlight code that has changed from previous steps in the chapter, such as when a new feature adds to an existing line of code.

In many cases, the original source code has been reformatted; we’ve added line breaks and reworked indentation to accommodate the available page space in the book. In rare cases, even this was not enough, and listings include line-continuation markers (➥). Additionally, comments in the source code have often been removed from the listings when the code is described in the text. Code annotations accompany many of the listings, highlighting important concepts.

You can get executable snippets of code from the liveBook (online) version of this book at https://livebook.manning.com/book/kubernetes-secrets-management. The complete code for the examples in the book is available for download from the Manning website at www.manning.com, and from GitHub at https://github.com/lordofthejars/kubernetes-secrets-source.

liveBook discussion forum

Purchase of Kubernetes Secrets Management includes free access to liveBook, Manning’s online reading platform. Using liveBook’s exclusive discussion features, you can attach comments to the book globally or to specific sections or paragraphs. It’s a snap to make notes for yourself, ask and answer technical questions, and receive help from the author and other users. To access the forum, go to https://livebook.manning.com/book/kubernetes-secrets-management/discussion. You can also learn more about Manning’s forums and the rules of conduct at https://livebook.manning.com/discussion.

Manning’s commitment to our readers is to provide a venue where a meaningful dialogue between individual readers and between readers and the authors can take place. It is not a commitment to any specific amount of participation on the part of the authors, whose contribution to the forum remains voluntary (and unpaid). We suggest you try asking the authors some challenging questions lest their interest stray!

The forum and the archives of previous discussions will be accessible from the publisher’s website for as long as the book is in print.

about the authors

ALEX SOTO BUENO is a Director of Developer Experience at Red Hat. He is passionate about the Java world and software automation, and believes in the open-source software model. Alex is the co-author of Testing Java Microservices, Quarkus Cookbook, and Securing Kubernetes Secrets, and a contributor to several open-source projects. A Java Champion since 2017, Alex is also an international speaker, a radio collaborator at Onda Cero, and a teacher at Salle URL University. You can follow Alex on Twitter (@alexsotob) to stay tuned to what’s going on in Kubernetes and the Java world.

ANDREW BLOCK is a Distinguished Architect at Red Hat who works with organizations to design and implement solutions leveraging cloud native technologies. He specializes in continuous integration and continuous delivery methodologies to reduce delivery time and automate how environments are built and maintained. He is also the co-author of Learn Helm, which introduces how to package applications for deployment in a Kubernetes environment. Andrew is also a contributor to several open-source projects and emphasizes the benefits of working together to build and maintain Communities of Practice. Andrew can be found on Twitter at @sabre1041, where he frequently shares the latest and greatest headlines and tips in the field of emerging tech.

about the cover illustration

The figure on the cover of Kubernetes Secrets Management is captioned “Femme Mokschane,” or “Mokshan woman,” taken from a collection by Jacques Grasset de Saint-Sauveur, published in 1797. Each illustration is finely drawn and colored by hand.

In those days, it was easy to identify where people lived and what their trade or station in life was just by their dress. Manning celebrates the inventiveness and initiative of the computer business with book covers based on the rich diversity of regional culture centuries ago, brought back to life by pictures from collections such as this one.

” (K8SScrtMg 2023)
