Copyright @ 2017 Aqua Security Software Ltd. All Rights Reserved.
Your secret’s safe with me
Liz Rice
@LizRice | @AquaSecTeam
Secrets
Desirable security features for container secrets
■ Encrypted
  ■ At rest and in transit
  ■ Only decrypted in memory
■ Access control
  ■ Only accessible by containers that need them
■ Life-cycle
  ■ Rotation, revocation, audit logging
Secret life-cycle
■ Risk of leak increases over time
  ■ Exploit
  ■ Bad actor
  ■ Accidental logging
■ Change secret values (“rotation”)
■ Token lifetime & use limit
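The life-cycle controls on this slide (rotation, token lifetime, use limit, revocation, audit logging) in one small piece of code. This is an added example, not code from the talk or from Aqua; the SecretStore class, its method names and the secret values in demo() are constructed for the demonstration, and the clock is injectable only so the demo can move time forward.

```python
"""Secret life-cycle in code: a token store with expiry, use limits, rotation,
revocation and an audit log.

This is an added example, not code from the talk or from Aqua. The class,
method names and the secret values in demo() are constructed for the
demonstration."""
import hashlib
import secrets
import time


class SecretStore:
    """Holds secret values and hands out short-lived, use-limited access tokens."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so the demo can move time forward
        self._secrets = {}           # secret name -> current value
        self._tokens = {}            # sha256(token) -> token record (raw tokens are never stored)
        self.audit = []              # append-only audit log of every create/issue/read/deny/rotate

    def _log(self, event, **fields):
        self.audit.append({"time": self._clock(), "event": event, **fields})

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def put(self, name, value):
        """Create a secret, or rotate it: later reads through any live token see the new value."""
        self._log("rotate" if name in self._secrets else "create", secret=name)
        self._secrets[name] = value

    def issue_token(self, name, ttl_seconds, max_uses):
        """Issue a token that reads one secret, valid for ttl_seconds and at most max_uses reads."""
        token = secrets.token_urlsafe(32)
        self._tokens[self._key(token)] = {
            "secret": name,
            "expires_at": self._clock() + ttl_seconds,
            "uses_left": max_uses,
            "revoked": False,
        }
        self._log("issue", secret=name, ttl=ttl_seconds, max_uses=max_uses)
        return token

    def revoke(self, token):
        """Revoke a token before it expires, e.g. when a leak is suspected."""
        rec = self._tokens.get(self._key(token))
        if rec is not None:
            rec["revoked"] = True
            self._log("revoke", secret=rec["secret"])

    def get(self, token):
        """Return the secret value, or None if the token is unknown, revoked, expired or used up."""
        rec = self._tokens.get(self._key(token))
        if rec is None:
            self._log("deny", reason="unknown-token")
            return None
        if rec["revoked"]:
            self._log("deny", secret=rec["secret"], reason="revoked")
            return None
        if self._clock() >= rec["expires_at"]:
            self._log("deny", secret=rec["secret"], reason="expired")
            return None
        if rec["uses_left"] <= 0:
            self._log("deny", secret=rec["secret"], reason="use-limit")
            return None
        rec["uses_left"] -= 1
        self._log("read", secret=rec["secret"], uses_left=rec["uses_left"])
        return self._secrets[rec["secret"]]


def demo():
    """Walk through issue, read, rotate, use limit, revocation and expiry with a fake clock."""
    now = [1_000.0]
    store = SecretStore(clock=lambda: now[0])
    store.put("db-password", "hunter2-v1")                    # constructed value
    tok = store.issue_token("db-password", ttl_seconds=60, max_uses=2)
    results = [store.get(tok)]                                # "hunter2-v1"
    store.put("db-password", "hunter2-v2")                    # rotation
    results.append(store.get(tok))                            # "hunter2-v2": second and last use
    results.append(store.get(tok))                            # None: use limit hit
    tok2 = store.issue_token("db-password", ttl_seconds=60, max_uses=10)
    store.revoke(tok2)
    results.append(store.get(tok2))                           # None: revoked
    tok3 = store.issue_token("db-password", ttl_seconds=60, max_uses=10)
    now[0] += 61                                              # move past the TTL
    results.append(store.get(tok3))                           # None: expired
    return results, [e["event"] for e in store.audit]


if __name__ == "__main__":
    print(demo())
```

Two design choices worth noting: the store keeps only a hash of each token, so a dump of the store does not yield usable tokens, and every deny is logged with its reason, which is what makes "accidental logging" or a leaked token show up as a spike of use-limit or expired denials.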
Tokens all the way down
■ If your secret is in a secret store, how do you get access?
■ How do you keep the access token secret?
xkcd.com/1416
Passing secrets to containers
Bad places for secrets
■ Source code
■ Dockerfiles / images

Environment variables
docker run -e VARNAME=secret ...

Mounted volume
docker run -v /hostsecrets:/secrets ...
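A detection-side companion to the "bad places" slides: a scanner that flags secrets baked into a Dockerfile (ENV and ARG values end up in the image config and `docker history`, copied key files end up in a layer) and secret-looking variables passed with `docker run -e`, which `docker inspect` prints in clear. This is an added example, not code from the talk or from Aqua; the sample Dockerfile and run arguments are constructed, and the name patterns are an assumption to tune for a real code base.

```python
"""Find secrets in the two "bad places" above: baked into a Dockerfile/image,
or passed on the command line with docker run -e.

Added example, not from the talk. The Dockerfile and docker run arguments are
constructed for the demonstration; the name patterns are a starting point, not
a complete list."""
import re
import shlex

# Names that usually denote a secret (assumption: tune for your code base).
SECRET_NAME = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIAL)", re.I)
# Files that usually hold key material.
KEY_FILE = re.compile(r"(\.pem|\.key|\.p12|\.pfx|\.env|id_rsa|id_ed25519)$", re.I)


def _env_keys(args):
    """Keys of an ENV/ARG argument list: 'K=v K2=v2' form or the legacy 'K v' form."""
    parts = shlex.split(args)
    if not parts:
        return []
    if "=" in parts[0]:
        return [p.split("=", 1)[0] for p in parts if "=" in p]
    return [parts[0]]


def scan_dockerfile(text):
    """Return (line number, instruction, name) for every line that would bake a secret into the image."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, rest = line.partition(" ")
        instr = instr.upper()
        if instr in ("ENV", "ARG"):
            # ENV lands in the image config (visible to `docker inspect`), ARG in `docker history`.
            for key in _env_keys(rest):
                if SECRET_NAME.search(key):
                    findings.append((lineno, instr, key))
        elif instr in ("COPY", "ADD"):
            # Every source file becomes part of a layer, whatever happens to it later.
            for src in shlex.split(rest)[:-1]:
                if KEY_FILE.search(src):
                    findings.append((lineno, instr, src))
    return findings


def scan_run_args(argv):
    """Return secret-looking variable names passed with -e/--env; `docker inspect` prints these in clear."""
    found = []
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-e", "--env") and i + 1 < len(argv):
            spec, i = argv[i + 1], i + 1
        elif arg.startswith("--env="):
            spec = arg[len("--env="):]
        elif arg.startswith("-e") and len(arg) > 2:
            spec = arg[2:]
        else:
            i += 1
            continue
        key = spec.split("=", 1)[0]
        if SECRET_NAME.search(key):
            found.append(key)
        i += 1
    return found


# Constructed sample input: no real credentials, just the shapes a scanner should catch.
SAMPLE_DOCKERFILE = """\
FROM python:3.11-slim
ARG DB_PASSWORD
ENV APP_ENV=production
ENV API_TOKEN=example-not-a-real-token
COPY deploy/id_rsa /root/.ssh/id_rsa
COPY app/ /app
ENV DB_PASSWORD=$DB_PASSWORD
"""

SAMPLE_RUN = ["docker", "run", "-e", "DB_PASSWORD=example", "--env=APP_ENV=prod", "-eAPI_KEY=x", "myimage"]


if __name__ == "__main__":
    for f in scan_dockerfile(SAMPLE_DOCKERFILE):
        print("Dockerfile line %d: %s exposes %s" % f)
    print("docker run exposes:", scan_run_args(SAMPLE_RUN))
```

Note that line 7 of the sample is flagged even though its value is a variable reference: it is the name in the image config that matters, because whatever value was supplied at build time is recorded there.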
Orchestrator support for secrets
Docker Swarm
■ Secrets support built in
■ Mounted to a temporary fs
■ Encrypted transmission with mutual authentication
■ Files, not env vars
■ Restart service to change secret value
■ RBAC in Enterprise Edition
Kubernetes
■ Stored unencrypted in etcd
■ HTTP in transit by default
■ Files and env vars
  ■ Files support updating secret values
  ■ Need to restart pod to get new env var value
■ Files mounted into the host
■ RBAC can be turned on: --authorization-mode=RBAC
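Both the Swarm slide ("files, not env vars") and the Kubernetes slide ("files support updating secret values", "need to restart pod to get new env var value") rest on the same mechanism: a file is re-read on every use, while a process's environment is a copy taken at start-up that nothing outside the process can change. This added example puts the two readers side by side and rotates the secret once; it is not code from the talk or from either orchestrator, and the file path, variable name and values are constructed for the demonstration.

```python
"""File-mounted secrets can be updated in place; environment variables are a
snapshot taken when the process starts. Added example, not code from the talk
or from any orchestrator; the path, variable name and values are constructed."""
import os
import tempfile


class FileSecret:
    """Re-reads the secret from its mounted file on every use, so a rotated value is picked up."""

    def __init__(self, path):
        self.path = path

    def value(self):
        with open(self.path, "rb") as f:
            return f.read().decode().strip()


class EnvSecret:
    """Copies the variable once, as a process's environment is fixed at start-up."""

    def __init__(self, name):
        self._value = os.environ[name]

    def value(self):
        return self._value


def write_secret_file(path, value):
    """Write owner-read-only and swap the file in atomically, so a reader never sees a half-written value."""
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(value)
    os.chmod(tmp, 0o400)
    os.replace(tmp, path)


def demo():
    """Rotate the secret once and read it through both mechanisms before and after."""
    with tempfile.TemporaryDirectory() as mount:      # stands in for a tmpfs secret mount
        path = os.path.join(mount, "db-password")
        write_secret_file(path, "v1")
        os.environ["DB_PASSWORD"] = "v1"              # constructed value
        from_file, from_env = FileSecret(path), EnvSecret("DB_PASSWORD")
        before = (from_file.value(), from_env.value())
        write_secret_file(path, "v2")                 # the rotation
        os.environ["DB_PASSWORD"] = "v2"              # even this cannot reach the copy EnvSecret already took
        after = (from_file.value(), from_env.value())
        return before, after


if __name__ == "__main__":
    print(demo())
```

The same split explains the Nomad slide's "poll for changed values": a task that reads from a file or a Vault token on each use sees a rotation, while one that captured the value into its environment does not until it restarts.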
OpenShift
■ As Kubernetes, but with namespaced projects & RBAC
DC/OS
■ Encrypted in ZooKeeper
■ Access control by service path
■ Env vars
■ Restart service to update value
Rancher
■ Experimental secrets support
Nomad
■ Integrated with Vault
■ Tasks get tokens so they can retrieve values from Vault
■ Poll for changed values
■ Access control
Aqua secrets
■ Any orchestrator
■ Secrets encrypted in Vault, Amazon KMS or Aqua DB
■ Env vars injected into container process memory
■ Secret can be injected to a tmpfs filesystem
■ Supports updating secrets without restart of container
■ Supports monitoring of secret usage
■ Limit access to designated containers
Summary
Secrets decisions
Your best option depends on
■ choice of orchestrator
■ acceptable level of risk
Aqua White Paper on secrets management coming very soon
Questions? Liz Rice