Build & maintain complex distributed systems
17–18 October 2017: Training
18–20 October 2017: Tutorials & Conference
London, UK

Your (container) secret's safe with me.

Liz Rice (Aqua Security)
13:1513:55 Thursday, 19 October 2017
Orchestration, Scheduling, and Containers
Location: King's Suite - Sandringham
Average rating: ****.
(4.25, 8 ratings)

Who is this presentation for?

  • DevOps engineers and security engineers

Prerequisite knowledge

  • A working knowledge of Linux and simple commands like ls and ps
  • Familiarity with containerization and orchestration concepts (e.g., when you run a container under an orchestrator, it's up to the orchestrator to pick a machine in the cluster where it will run)

What you'll learn

  • Understand some of the ways that your secrets can be placed at risk, especially under default settings
  • Learn some practical approaches to mitigate those risks

Description

The 12-Factor App manifesto has trained us to pass configuration information into containers in the form of environment variables. In many cases, that config information includes secrets, such as passwords and certificates that allow containers to identify and communicate with each other. If those secrets are leaked, an attacker has information that could enable a serious system compromise.

Liz Rice outlines some of the ways that your secrets are more accessible than you might think. For example, did you know that any environment variable in a container is easily accessible from the host machine? Liz covers approaches for encrypting your secrets and explains how these can be set up under orchestrators like Docker Swarm and Kubernetes, including key management systems and key rotation.

Actions speak louder than words, so Liz also digs into the technical details with live demonstrations and concludes by sharing a checklist of things to address to keep your container secrets secure.

Topics include:

  • How plain-text environment variables are accessible to the host through the /proc pseudo-filesystem
  • How orchestrators like Docker Swarm and Kubernetes pass secret information around in a deployment
  • The pros and cons of the approaches taken by Docker Swarm and Kubernetes, including whether the information is encrypted in transit or at rest
  • Key rotation and key management systems like HashiCorp Vault
Photo of Liz Rice

Liz Rice

Aqua Security

Liz Rice is the technology evangelist at container security specialists Aqua Security and coauthor of the O’Reilly report Kubernetes Security. She has a wealth of software development, team, and product management experience from her years spent working on network protocols and distributed systems and in digital technology sectors such as video on demand (VOD), music, and voice over internet protocol (VoIP). When not building startups and writing code, Liz loves riding bikes in places with better weather than her native London or racing in virtual reality on Zwift.