Managing Sensitive Data in Kubernetes with Sealed Secrets and External Secrets Operator (ESO)

5,583 views

Lukonde Mwila

2 years ago

Secrets are native Kubernetes resources stored in the cluster data store (i.e. the etcd database) and can be made available to your containers at runtime. However, using Secrets well isn't straightforward, and there are a number of inherent risks around them. Most stem from the fact that, by default, Secrets are stored in etcd unencrypted: the base64 encoding of the data fields is just encoding, not encryption, and anyone who can read the Secret object or the etcd datastore can decode the values. In this video, I'll talk about how you can use Sealed Secrets for "one-way" encryption of your Kubernetes Secrets (the Secret is encrypted with the cluster's public key, so only the in-cluster controller can decrypt it, which makes the resulting SealedSecret safe to commit to Git), as well as how to securely access and expose sensitive data as Secrets from centralized secret management systems (e.g. AWS Secrets Manager) with the External Secrets Operator (ESO).
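As an added example (not from the video or from the ESO project itself), here is the set of manifests the ESO half of the workflow boils down to when the operator authenticates to AWS Secrets Manager with an IAM role for the service account (IRSA) rather than with a long-lived access key stored in the cluster. All names are placeholders: the namespace, the service account, the IAM role ARN, the AWS region and the Secrets Manager key `prod/app/db` are assumptions you replace with your own.

```yaml
# Service account the operator's SecretStore will use. The annotation is the
# IRSA binding: the IAM role's trust policy must allow the cluster's OIDC
# provider, and the role needs at least secretsmanager:GetSecretValue on the
# secrets it reads. The ARN below is a placeholder.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: external-secrets-sa
  namespace: default
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/eso-secrets-reader
---
# SecretStore: tells ESO which backend to talk to and how to authenticate.
# auth.jwt uses the projected service-account token (IRSA), so no AWS
# credentials are stored in etcd at all.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: aws-secrets-manager
  namespace: default
spec:
  provider:
    aws:
      service: SecretsManager
      region: us-east-1          # placeholder region
      auth:
        jwt:
          serviceAccountRef:
            name: external-secrets-sa
---
# ExternalSecret: declares which remote secret to fetch and what Kubernetes
# Secret to materialise from it. Only this object (no secret values) goes in
# Git; ESO creates and keeps the target Secret in sync.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: app-db-credentials
  namespace: default
spec:
  refreshInterval: 1h           # re-read the backend hourly to pick up rotations
  secretStoreRef:
    name: aws-secrets-manager
    kind: SecretStore
  target:
    name: app-db-credentials    # name of the Secret ESO will create
    creationPolicy: Owner       # ESO owns the Secret and deletes it with the ExternalSecret
  data:
    # Pull a single JSON property out of the Secrets Manager entry
    # 'prod/app/db' (placeholder key) into the Secret's 'password' field.
    - secretKey: password
      remoteRef:
        key: prod/app/db
        property: password
```

Apply the three manifests with `kubectl apply -f` and check `kubectl get externalsecret app-db-credentials`: a `SecretSynced` status means the target Secret exists. Note that the Secret ESO produces is an ordinary Kubernetes Secret, so the base64-is-not-encryption caveat above still applies to it; what ESO removes is the need to store the AWS credentials or the secret values themselves in Git. If you cannot use IRSA and must give ESO a static access key via `auth.secretRef` instead, that credential Secret is the one to protect with Sealed Secrets (`kubectl create secret generic … --dry-run=client -o yaml | kubeseal --format yaml`) before committing it.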
#kubernetes
Resources:
Bitnami Sealed Secrets - github.com/bitnami-labs/sealed-secrets
Mozilla SOPS - github.com/mozilla/sops
External Secrets Operator (ESO) - external-secrets.io/
Timestamps:
0:00 - Introduction
0:27 - Managing Secrets in Kubernetes
1:40 - Bitnami Sealed Secrets Overview
2:52 - Bitnami Sealed Secrets Example
5:59 - Using Centralized Secrets Managers
6:50 - External Secrets Operator (ESO) Overview
7:47 - External Secrets Operator Example with AWS Secrets Manager
Connect:
GitHub: github.com/LukeMwila
Twitter: LuKE9ine
Medium: medium.com/@outlier.developer
LinkedIn: www.linkedin.com/in/lukonde-mwila-25103345/
If you found this video helpful, please like the video and subscribe to the channel!

Comments: 9
@danshepard6851
@danshepard6851 8 months ago
Hey dude, you really helped me with setting this up, even better than AWS's Containers from the Couch. You'll probably never see this, but I really appreciate it!
@thaaSavage89
@thaaSavage89 2 years ago
Another fantastic tutorial! You do such a great job at simplifying key concepts which makes the topic so much easier to understand. I currently don't work with K8s but I managed to follow every single minute of this video and learn something!
@mijhaelcastrociviero2848
@mijhaelcastrociviero2848 1 year ago
great tutorial! I think external secrets fits better when you have to manage many kubernetes clusters
@rafaeljhr9581
@rafaeljhr9581 1 year ago
awesome!
@teebu
@teebu 1 year ago
So if you want to use ESO you need to store the credentials in your cluster to retrieve them? Which forces you to use sealed secrets?
@LukondeMwila
@LukondeMwila 1 year ago
Hey there. You're not forced to use sealed secrets. It's just one approach I recommend as opposed to having an unencrypted secret in your cluster. Also, having a sealed secret means you can store it in a git repo (for gitops deployments) as opposed to manually creating the secret for every environment. Some teams still opt for the latter (the manual approach). You can also use Mozilla SOPS or helm secrets as an alternative to sealed secrets. Another approach is to use an OIDC token with the secret that the ESO secret store references.
@joebowbeer
@joebowbeer 11 months ago
IRSA ftw?
@CRISTIANESTUPINAN
@CRISTIANESTUPINAN 1 year ago
and using LENS can I still see the secrets or could it no longer be done?
@joebowbeer
@joebowbeer 11 months ago
Yes. k8s secrets are best avoided, for the reason you state, among others. Encrypted volumes (e.g., ASCP) are preferred in terms of security. But currently ESO is easier to use with AWS parameter store and secret manager than ASCP, in many cases, so it's a tradeoff.