HashiCorp Vault and Secret Management in Kubernetes
Feb 13, 2019
Co-founder Armon Dadgar talks at KubeCon about how HashiCorp Vault can make secrets management easier with Kubernetes.
- Armon Dadgar, Founder & Co-CTO, HashiCorp
Secret data is everywhere, from database credentials, TLS certificates, and API tokens to encryption keys. Managing secrets is a difficult challenge, but HashiCorp Vault provides an answer.
In this talk, Armon Dadgar, HashiCorp co-founder and CTO, discusses the challenges in secret management, provides an overview of Vault, and discusses how Vault and Kubernetes can be integrated.
Integrating Vault and Kubernetes solves the basic secrets-management challenge of securely distributing credentials, but also lets Kubernetes apps securely manage data in transit and at rest, via features like dynamic secrets and cryptographic offload.
What you'll learn
- What is a "secret"?
- Hard questions: How do we acquire secrets? How are they updated/revoked/used? What if they're compromised?
- The state of the art is not great
- Enter: HashiCorp Vault—a single source of truth, with APIs, operations access; practical and fits into a modern data center
- Vault features and security principles
- Secure secret storage—table stakes
- Dynamic secrets—leased, unique per app, generated on demand
- Applying consistent policy for users and apps
- High availability
- Protecting against insider attack—needs a quorum to unseal the master key
- The K8S auth backend for Vault binds service accounts to Vault roles, uses the TokenReview API to cryptographically validate JWTs, and does it natively—no service brokers required
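The login decision described in the last item can be modelled as follows. This is an added example, not code from the talk or from Vault: it takes the TokenReview result the Kubernetes API server returns after checking the JWT signature and matches the service account identity against a role's bindings. The role name `billing`, the policy name, and the sample TokenReview responses are constructed for illustration.

```python
SA_PREFIX = "system:serviceaccount:"

# Constructed role table; the field names mirror Vault's Kubernetes auth role
# parameters, the role and policy names are hypothetical.
ROLES = {
    "billing": {
        "bound_service_account_names": ["billing-api"],
        "bound_service_account_namespaces": ["payments"],
        "token_policies": ["billing-db-read"],
    },
}


def _allowed(value, bound):
    # "*" in a binding list accepts any value.
    return "*" in bound or value in bound


def login(role_name, token_review, roles=ROLES):
    """Return the role's policies for a login, or raise PermissionError."""
    role = roles.get(role_name)
    if role is None:
        raise PermissionError("unknown role")
    status = token_review.get("status", {})
    # Fail closed: only an explicit authenticated == True is accepted.
    if status.get("authenticated") is not True or status.get("error"):
        raise PermissionError("token not authenticated by the API server")
    username = status.get("user", {}).get("username", "")
    if not username.startswith(SA_PREFIX):
        raise PermissionError("token does not belong to a service account")
    parts = username[len(SA_PREFIX):].split(":")
    if len(parts) != 2 or not all(parts):
        raise PermissionError("malformed service account identity")
    namespace, name = parts
    if not _allowed(namespace, role["bound_service_account_namespaces"]):
        raise PermissionError("namespace not bound to role")
    if not _allowed(name, role["bound_service_account_names"]):
        raise PermissionError("service account not bound to role")
    return list(role["token_policies"])


def review(username, authenticated=True):
    """Build a constructed TokenReview response for the demo."""
    return {"kind": "TokenReview",
            "status": {"authenticated": authenticated,
                       "user": {"username": username}}}
```

Binding on both namespace and name matters: a service account called `billing-api` in another namespace is a different identity and must not inherit the role.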