Enterprise Grade Secret Management using Vault for Kubernetes

Overview 

Kubernetes is now the standard for container orchestration. A large share of existing workloads still runs on virtual machines, either in the public cloud or in private data centres, and organizations are slowly adopting a container-first development model. Most businesses now face a migration to Kubernetes from their previous platforms.

A Kubernetes migration affects the entire release process, including monitoring, logging, CI/CD and, most importantly, security. Security has to be controlled at both the cluster level and the application level.

In this article, we'll look at how secrets can be managed effectively within Kubernetes.

In Kubernetes, a Secret object holds sensitive information such as API keys, OAuth tokens and database passwords. If you run different Kubernetes clusters for different environments, you will probably want to store all your environment-specific secrets in a single place. Your organization then needs a secret management tool that can identify the environment a pod is deployed in and fetch the matching secrets.

Vault is a tool for securely accessing secrets, and it addresses enterprise requirements such as:

  • Single source of secrets
  • Programmatic application access
  • Operator access
  • Practical security
  • Modern DataCenter friendly

How it works

The suggested method of installation is the new Vault Helm Chart, which now supports vault-k8s injection.

The diagram below shows how the vault-k8s mutating admission webhook intercepts a Kubernetes API request for a pod and modifies the pod configuration before it is persisted.

[Figure: Admission Controller Phases]

The design is inspired by Guide to Kubernetes Admission Controllers.
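To make the interception step concrete, here is an added example (not vault-k8s's own code, and not from this article) of what a mutating admission webhook does for a pod that opts in to injection: it reads the AdmissionReview request, checks the vault.hashicorp.com/agent-inject and vault.hashicorp.com/role annotations, and answers with a JSON Patch that adds an in-memory volume, a Vault Agent init container and a Vault Agent sidecar. The annotation keys, container names and the /vault/secrets mount path follow vault-k8s's documented defaults; the image tag, the in-cluster Vault address and the assumption that the agent image reads its config from a VAULT_CONFIG environment variable are placeholders for this illustration. The sample pod at the bottom is constructed.

```python
"""Simplified model of the vault-k8s mutating admission webhook (illustration only)."""
import base64
import json

# Annotation keys and container names follow vault-k8s's documented defaults.
INJECT_KEY = "vault.hashicorp.com/agent-inject"
STATUS_KEY = "vault.hashicorp.com/agent-inject-status"
ROLE_KEY = "vault.hashicorp.com/role"
SECRET_PREFIX = "vault.hashicorp.com/agent-inject-secret-"
TEMPLATE_PREFIX = "vault.hashicorp.com/agent-inject-template-"

AGENT_IMAGE = "hashicorp/vault:PLACEHOLDER_TAG"   # placeholder; pin a real tag in practice
VAULT_ADDR = "http://vault.vault.svc:8200"        # placeholder in-cluster address
SECRETS_DIR = "/vault/secrets"
VOLUME = {"name": "vault-secrets", "emptyDir": {"medium": "Memory"}}  # tmpfs, never on disk
MOUNT = {"name": "vault-secrets", "mountPath": SECRETS_DIR}


def requested_secrets(annotations):
    """Map file name -> Vault path from agent-inject-secret-<name> annotations."""
    return {k[len(SECRET_PREFIX):]: v for k, v in annotations.items()
            if k.startswith(SECRET_PREFIX)}


def agent_config(role, annotations, exit_after_auth=False):
    """Vault Agent config (JSON form): Kubernetes auto-auth plus one template per secret."""
    templates = []
    for name, path in requested_secrets(annotations).items():
        # Default template writes every key of a KV v2 secret as key=value lines;
        # an agent-inject-template-<name> annotation overrides it.
        default = ('{{ with secret "%s" }}{{ range $k, $v := .Data.data }}'
                   '{{ $k }}={{ $v }}\n{{ end }}{{ end }}' % path)
        templates.append({"destination": f"{SECRETS_DIR}/{name}",
                          "contents": annotations.get(TEMPLATE_PREFIX + name, default)})
    return {"exit_after_auth": exit_after_auth,
            "vault": {"address": VAULT_ADDR},
            "auto_auth": {"method": {"type": "kubernetes", "config": {"role": role}}},
            "template": templates}


def agent_container(name, role, annotations, init):
    """Init container renders secrets once and exits; the sidecar keeps them fresh."""
    cfg = agent_config(role, annotations, exit_after_auth=init)
    # Assumption: the image entrypoint decodes VAULT_CONFIG into the agent's config file.
    return {"name": name, "image": AGENT_IMAGE, "args": ["agent"],
            "env": [{"name": "VAULT_CONFIG",
                     "value": base64.b64encode(json.dumps(cfg).encode()).decode()}],
            "volumeMounts": [MOUNT]}


def should_inject(pod):
    """Only opted-in pods that have not already been mutated."""
    ann = pod.get("metadata", {}).get("annotations") or {}
    return ann.get(INJECT_KEY) == "true" and ann.get(STATUS_KEY) != "injected"


def _add(ops, parent, key, path, value):
    """JSON Patch 'add' that works whether or not the target list exists yet."""
    if parent.get(key):
        ops.append({"op": "add", "path": f"{path}/-", "value": value})
    else:
        ops.append({"op": "add", "path": path, "value": [value]})


def build_patch(pod):
    """Return the JSON Patch operations that wire Vault Agent into the pod."""
    if not should_inject(pod):
        return []
    ann = pod["metadata"]["annotations"]
    role = ann.get(ROLE_KEY)
    if not role:
        raise ValueError(f"{ROLE_KEY} annotation is required for injection")
    spec, ops = pod["spec"], []
    _add(ops, spec, "volumes", "/spec/volumes", VOLUME)
    for i, c in enumerate(spec.get("containers", [])):
        _add(ops, c, "volumeMounts", f"/spec/containers/{i}/volumeMounts", MOUNT)
    _add(ops, spec, "initContainers", "/spec/initContainers",
         agent_container("vault-agent-init", role, ann, init=True))
    _add(ops, spec, "containers", "/spec/containers",
         agent_container("vault-agent", role, ann, init=False))
    # Mark the pod so a retried admission call does not inject twice ('/' is '~1' in JSON Pointer).
    ops.append({"op": "add", "path": "/metadata/annotations/" + STATUS_KEY.replace("/", "~1"),
                "value": "injected"})
    return ops


def mutate(review):
    """Handle an AdmissionReview request and produce the AdmissionReview response."""
    req = review["request"]
    resp = {"uid": req["uid"], "allowed": True}
    if req.get("kind", {}).get("kind") == "Pod":
        ops = build_patch(req["object"])
        if ops:
            resp["patchType"] = "JSONPatch"
            resp["patch"] = base64.b64encode(json.dumps(ops).encode()).decode()
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": resp}


def decode_patch(review_response):
    """Recover the patch operations from a mutate() response (empty if none)."""
    patch = review_response["response"].get("patch")
    return json.loads(base64.b64decode(patch)) if patch else []


# Constructed sample pod: opts in, names its Vault role and asks for one secret file.
SAMPLE_POD = {
    "metadata": {"name": "web-0", "annotations": {
        INJECT_KEY: "true", ROLE_KEY: "web",
        SECRET_PREFIX + "db-creds": "secret/data/web/db"}},
    "spec": {"containers": [{"name": "web", "image": "example/web:PLACEHOLDER"}]},
}

if __name__ == "__main__":
    print(json.dumps(build_patch(SAMPLE_POD), indent=2))
```

Two details matter for security here: the shared volume is a memory-backed emptyDir, so rendered secrets never reach the node's disk, and the status annotation makes the mutation idempotent, so a retried admission call cannot stack a second agent onto the pod.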

Integrating Vault for Multi-Cloud Secret Management

HashiCorp's Vault lets teams securely store, and tightly control access to, encryption keys, certificates, passwords and tokens, protecting sensitive information. Vault enables teams to centrally manage and securely store secrets across multiple clouds and on-premises infrastructure using a single system, ensuring reliable protection through a single workflow.

The Vault API exposes cryptographic operations so developers can secure sensitive data without the encryption keys ever being revealed to them. Vault can also act as a certificate authority (CA), issuing dynamic, short-lived certificates to secure communications with SSL/TLS.

Moreover, Vault brokers identities across platforms such as AWS IAM, LDAP (Lightweight Directory Access Protocol) and Active Directory into unified identities, allowing applications to work across platform boundaries.

Disadvantages of using Vault for Kubernetes

  • Vault provides a Kubernetes auth method that authenticates clients using a service account token, but the client is still responsible for managing the resulting Vault token's life cycle. The next challenge, therefore, is to manage that life cycle in a standardized manner without writing custom logic.
  • Vault can also introduce chicken-and-egg situations. For a service to read from Vault it needs a credential for that service, and each time a Vault secret is created for a newly deployed service a Kubernetes Secret is required to bootstrap it. This can make things more complex.
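The first point above, the client owning the token life cycle, is easy to get wrong, so here is an added example (not Vault's code, and not from this article) of the logic a client has to carry when it does not use the injector: log in once with the pod's service account JWT through the Kubernetes auth method, renew the token before its lease runs out, and fall back to a fresh login when the token is not renewable, has reached its max TTL or has already expired. The login and renew-self endpoints and the service account token path are Vault's and Kubernetes' documented ones; the in-cluster Vault address and the role name are placeholders, and the HTTP transport and clock are injectable so the logic can be exercised offline with a fake Vault.

```python
"""Keeping a Vault token alive from inside a pod (added illustration, not Vault's code)."""
import json
import time
import urllib.request

VAULT_ADDR = "http://vault.vault.svc:8200"   # placeholder in-cluster address
SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"  # projected SA token


def http_post(addr, path, body, token=None):
    """Minimal Vault HTTP call using only the standard library."""
    req = urllib.request.Request(addr + path, data=json.dumps(body).encode(), method="POST")
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


class VaultTokenManager:
    """Logs in with the pod's service account JWT via the Kubernetes auth method,
    renews the resulting Vault token before it expires, and re-authenticates when
    the token is not renewable, has hit its max TTL, or has already expired."""

    def __init__(self, role, addr=VAULT_ADDR, post=http_post, now=time.monotonic,
                 read_jwt=None, renew_after=0.66):
        self.role, self.addr, self.post, self.now = role, addr, post, now
        self.read_jwt = read_jwt or (lambda: open(SA_TOKEN_PATH).read().strip())
        self.renew_after = renew_after          # fraction of the TTL after which we renew
        self.client_token, self.ttl, self.renewable, self.expires_at = None, 0, False, 0.0

    def _apply(self, auth):
        """Record the token and its lease from a login or renew-self response."""
        self.client_token = auth["client_token"]
        self.ttl = auth["lease_duration"]
        self.renewable = bool(auth.get("renewable"))
        self.expires_at = self.now() + self.ttl

    def login(self):
        """Exchange the service account JWT for a Vault token bound to `role`."""
        resp = self.post(self.addr, "/v1/auth/kubernetes/login",
                         {"jwt": self.read_jwt(), "role": self.role})
        self._apply(resp["auth"])
        return self.client_token

    def renew(self):
        """Extend the current token's lease without presenting the JWT again."""
        resp = self.post(self.addr, "/v1/auth/token/renew-self", {}, token=self.client_token)
        self._apply(resp["auth"])
        return self.client_token

    def token(self):
        """Return a token that is valid now, doing as little work as possible."""
        if self.client_token is None or self.now() >= self.expires_at:
            return self.login()                 # first use, or expired: only a login helps
        remaining = self.expires_at - self.now()
        if remaining > self.ttl * (1 - self.renew_after):
            return self.client_token            # still comfortably inside the lease
        if self.renewable:
            try:
                return self.renew()
            except Exception:                   # e.g. max TTL reached: Vault refuses to renew
                pass
        return self.login()


if __name__ == "__main__":
    # Inside a pod this would talk to the real Vault; role name is a placeholder.
    print(VaultTokenManager("PLACEHOLDER_ROLE").token())
```

Every call site asks `token()` rather than caching the string itself; that is the whole point, because a cached token silently expires and the application only notices when Vault starts returning 403. Renewing at two-thirds of the TTL leaves headroom for a slow or briefly unavailable Vault before the lease actually ends.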

Conclusion

Most companies have an IT architecture that spans multiple data centres. Vault offers critical services in the fields of identity management, secret protection, regulation and compliance. Such technology is intended to be widely accessible and to scale as the number of clients and their technical requirements grow; at the same time, operators want to guarantee that a standard set of policies is applied globally.
