Using CredHub for Kubernetes Deployments

Using CredHub for Kubernetes
Peter Blum
Pivotal
@_pblum
Eugene Kiselev
Altoros

Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons
Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
All Applications Have Secrets!
2

• For Databases
• For Messaging Queues
• For Internal Services
• Everything?

Kubernetes Secrets
3

• Secrets enable developers not to
place secrets in manifests instead use
parameters
• Secrets are base64 encoded
• Secrets stored in etcd along with all
other K8s objects

Configuring Credentials is Hard
Equifax: Website secured by `admin`, `admin`
Leaking Credentials is Easy
Uber: Code found on github which included usernames and
passwords
Detecting Credential Leaks is Hard
Equifax: Hackers accessed files on nearly half the U.S.
population.
G
enerate
Encrypt
Log
Access
Rotate
Story of CredHub

Configuring Credentials is Hard
Equifax: Website secured by `admin`, `admin`
Leaking Credentials is Easy
Uber: Code found on github which included usernames and
passwords
Detecting Credential Leaks is Hard
Equifax: Hackers accessed files on nearly half the U.S.
population.
G
enerate
Encrypt
Audit
Rotate
Story of CredHub

CredHubCredHub
CLI
BOSH
Config Server
REST
Client
Authentication
Provider
Backing SQL
Database
Encryption
Provider
(HSM)
CredHub Architecture

Operations
• Get/Set/Generate/Delete Credential
• Get/Add/Delete Permission
• Interpolate (VCAP_SERVICES)
Authentication
• Mutual TLS
• OAuth2 with UAA
https://credhub-api.cfapps.io
• value - a simple string, used for configuration and other non-generated properties
• password - a simple string, used for generated secrets
• user - username and password pair
• json - a JSON object
• certificate - an object containing a root CA, certificate and private key
• rsa - an object containing an RSA public key and private key
• ssh - an object containing an SSH-formatted public key and private key
CredHub API
Credential types

Credhub features and benefits
● Stateless
● Scalable
● Supports HSM
● 100% free
● Granular Access
control
● Several creds types (passwords,
keys, certs)
● Json cred type for customization

Credhub deployment types
Credhub NEAR Kubernetes

Credhub(s) INSIDE the k8s
Great. Smth else for k8s?
??

Helm. Package manager for kubernetes
Helm
Package Manager (pip or npm)
Focus on Managing Applications
Charts
How to install applications
How to upgrade applications
Value
Fast & Simple
Full representation of K8s API
All yaml -- no golang required
Huge existing library of application
charts

postgreSQL
UAA
credhub
deployment
secret
service
deployment secret config-map
service
Credhub chart architecture

K8s Secrets
ETCD Encrypting isn’t easy or the
default
Base64 encoding is NOT
encryption
Secrets exposed when master
VMs are compromised
K8s + CredHub Idea
Why CredHub
Organization wide solution
Auditing
Credential Generation
Storage
Encryption
Native integration into CF and now
K8s!
Pre-existing with Pivotal
Application Service, or OSS Cloud
Foundry.

Integration with Kubernetes
Generating Credentials
Goal:
Secured Secret
Implementation:
Custom Resource Definitions
Operators API
API Extension Server
Kubebuilder
Service Catalog
Injecting Credentials
Goal:
Pull Creds at Runtime and Place Into Pod
Implementation:
Mutating Admission Webhook
Custom Kubernetes Controller
Init Containers

Kube - API
(Master)
Requested
Container(s)Credhub
Secrets
Volume
CredHub
Webhook
Credhub
Controller
Credhub Init
Container
Requested Pod
Control Plane Runtime Plane
Credhub Service
credhub.pivotal.io
Super Secret
Credential
Springone Namespace
x509 Cert
(ns:springone)
Integration with Kubernetes

Learn More. Stay Connected.
How to deploy, helper deployment scripts, etc...
PRs Welcomed!
https://github.com/Oskoss/kubernetes-credhub
17
#springone@s1p

Ideas for Credhub Operator
How control works:
● Operator listens for k8s create secret command
● Intercepts command
● Determines what namespace you are in
● Stores secret in credhub adding a permission that ONLY allows namespace X
to access secret
1
8

How runtime works:
• Init container looks at your k8s deployment
• If init container finds secrets
• Init container authenticates with credhub
• Init container pulls secrets for you
• Init container puts secrets into the environment for you
• We could even put it onto disk if we wanted to but this would be
something we could do if we have time
1
9

Open questions:
Secrets are scoped to namespaces. Are we okay with allowing everyone in the
namespace access all secrets in credhub? (Not a bad thing, if required can create
new namespace per application)
Do we need to create a new user every time a new namespace is created? No, at
least to start we can have a `credhub_admin` that creates and manages all
secrets but tags the namespace with the secret
How about K8s operator to deploy credhub itself? Eugine is going to do some
research around this to determine if we deploy new credhub per namespace or
have a single one per cluster. (Definitely will deploy credhub in a cluster)
How about deletion? Let’s put this in the icebox for now.
2
0

Credhub bosh deployment
Bosh - the main deployment tool
● Mature
● Secure
● Flexible
● Reliable
● Comfortable (of course if you comfortable with bosh)
Credhub release is living here:
https://github.com/pivotal-cf/credhub-release

Helm - client
Tiller - server
Helm architecture
Tiller

Helm chart
● k8s deployment objects representation
● Parameters
● And set of dependencies

Helm chart deployment
Helm-chart filesvariables
Container image

Prerequisites
No need to push subchart, local dir accepted

Credhub chart structure

uaa.yml as config-map
Sensitive data as secrets
UAA chart
config-map
UAA.yaml
secret

UAA chart deployment

UAA chart secrets

UAA chart config-map

Pivotal Logos on Light Background
Looking for more Pivotal logos, PCF services icons, or OSS logos?
Visit: brandfolder.com/pivotal-assets
3
2

Sample Table
33
2007 2008 2009 2010
Category 1 2.4 6.4 4.1 6.6
Category 2 8.2 4.5 3.2 3.8
Category 3 4.6 3.2 1.9 9.6
Category 4 6.7 3.3 3.4 2.2
Category 5 4.3 5.6 7.1 3.4

Design Assets

> Stay Connected.
<Your CTA>
<Related Session>
#springon
e
@s1p

Brand Colors
SpringOne Platform
2018 Primary Colors
3
6
Spring
Brand Color
Pivotal
Brand Color

STOP! Download Fonts Now
PLEASE DOWNLOAD AND INSTALL PROXIMA NOVA FONTS BEFORE CREATING YOUR PRESENTATION. You can download
the fonts here…
https://brandfolder.com/pivotal Password: keepitsimple
Fonts included in the ZIP file:
Proxima Nova (headline and body text)
http://www.fontspring.com/support/installing/how-do-i-install-fonts-on-my-mac
http://www.fontspring.com/support/installing/how-do-i-install-fonts-on-my-windows-pc
3
7

Body Slide - Dark Background
All body text is Proxima Nova Regular
• Subhead
• Level Two
• Level Three
• Level Four
3
8

Two Columns – Dark Background
Lorem ipsum dolor sit amet,
consectetuer adipiscing elit. Aenean
commodo ligula eget dolor. Aenean
massa. Cum sociis natoque penatibus
et magnis dis parturient montes,
nascetur ridiculus mus. Donec quam
felis, ultricies nec, pellentesque
3
9
Lorem ipsum dolor sit amet,
consectetuer adipiscing elit. Aenean
commodo ligula eget dolor. Aenean
massa. Cum sociis natoque penatibus
et magnis dis parturient montes,
nascetur ridiculus mus. Donec quam
felis, ultricies nec, pellentesque

Code Slide
4
0
// This is Roboto Mono: 42pt or higher please
public class TransferServiceImpl implements TransferService {
public TransferServiceImpl(AccountRepository ar) {
this.accountRepository = ar;
}
…
}

Pivotal Logos on Dark Background
41
Looking for more Pivotal logos, PCF services icons, or OSS logos?
Visit: brandfolder.com/pivotal-assets

Event Logos
4
2
On dark
Horizontal Vertical
On light
On mint

Spring Logo and Project Icons
43
Spring
Framework
Spring
Security
Spring
Data
Spring
Batch
Spring
Integration
Project
Reactor
Spring
AMQP
Spring
Hateoas
Spring
Mobile
Spring
Android
Spring
Social
Spring
Web Services
Spring
Web Flow
Spring
XD
Spring
Boot
Spring
LDAP
Spring Tool
Suite
Spring Cloud
Data Flow
Spring
Kafka
Spring
Cloud

Using CredHub for Kubernetes Deployments

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Using CredHub for Kubernetes Deployments

Similar to Using CredHub for Kubernetes Deployments (20)

More from VMware Tanzu

More from VMware Tanzu (20)

Recently uploaded

Recently uploaded (20)

Using CredHub for Kubernetes Deployments