|
| 1 | +# Manage secrets in K8s using GitOps without compromising security |
| 2 | + |
| 3 | +Source: |
| 4 | + |
| 5 | +- <https://platformengineering.org/talks-library/manage-secrets-in-k8s-using-gitops-without-compromising-security> |
| 6 | +- <https://kubernetes.io/docs/concepts/configuration/secret/> |
| 7 | + |
| 8 | +You're probably well aware that storing sensitive data in a cluster is extremely foolhardy. This is true even if you follow best practices for Kubernetes Secrets. |
| 9 | + |
| 10 | + |
| 11 | + |
| 12 | +- For starters, K8s stores secrets as base64-encoded, encrypted strings -> anyone can easily reverse the encryption. |
| 13 | +- Storing secrets in Git is a common vulnerability that ultimately lengthens your to-do list. |
| 14 | +- K8s supports encrypting secret data at rest, which you should take advantage of. For this to succeed, you'll need to enable etcd and define a config specifying encryption resource targets by name. |
| 15 | +- Unfortunately, encrypt-at-rest has its weaknesses too. Many organizations forget to limit cluster admin roles properly or remove secrets, making it pretty simple to peek behind the curtain. If you go this route, it's essential to implement the correct role-based access controls to manage who can access what. |
| 16 | + |
| 17 | +The nice thing about the GitOps way is that you still get to be flexible, which enables you to use what suits your organization. Rajith shared two major options: Storing the encrypted secret and storing a reference to a secret. |
| 18 | + |
| 19 | + |
| 20 | + |
| 21 | +- Storing an encrypted secret: |
| 22 | + - Create a secret that only a few people can decrypt using an automation tool like [Bitnami Sealed Secret](https://github.com/bitnami-labs/sealed-secrets) or [Mozilla SOPS](https://github.com/mozilla/sops). |
| 23 | + - Your automation tool encrypts the secret as you store it in Git. When it's time to decrypt and create a Kubernetes Secret, the tooling steps up to the plate again to handle the details. |
| 24 | +- Storing a reference to a secret: |
| 25 | + - When storing a reference to a secret, you store the secrets in some kind of backend such as HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, etc. |
| 26 | + - use a tool like the [External Secrets Operator](https://external-secrets.io/) to declaratively specify which secrets you need and where they need to be stored in your Git repo. |
| 27 | + |
| 28 | +With the encrypted secret method, it doesn't matter if someone gets into your repo, the key isn't there. Yes, you do need to worry about key rotation and other security practices, but it's a sound technique if you're just getting started. |
| 29 | + |
| 30 | +Storing a reference achieves a few important goals. It lets developers clearly communicate to the platform engineering or SRA teams what to provision in the secret store. The reference option also appeals from the management point of view since storing secrets in a purpose-built tool grants you audit logs and other features that promote security and scalability. |
| 31 | + |
| 32 | +Again, this is one area where it's OK to explore. Do what suits your organization best from a maintainability and sustainability perspective. |
0 commit comments