Trousseau bolsters its Kubernetes security capabilities with support for HashiCorp Vault

Project leaders of an open-source plug-in for Kubernetes that enables orchestration software to better use encryption to protect its secrets have announced support for its first key management provider. The move is a step forward for Trousseau, the plugin that creates a universal way to protect secrets in Kubernetes.

Without Trousseau, managing the secrets that protect sensitive data in Kubernetes can be complicated. Many components have to be created to support the process, which can be a headache for security teams. With Trousseau, secrets management can be added to Kubernetes easily, along with support for all key management (KMS) encryption providers.

HashiCorp Vault is the first key management system vendor to be announced for the plugin by project manager Ondat, but more are planned later.

Secrets management in Kubernetes has always been difficult

“There have been previous projects that attempted to address this issue, but they required the addition of many components,” said Romuald Vandepoel, principal cloud architect at Ondat and project manager for Trousseau, in a press release. “Naturally, security teams don’t like this approach because it introduces additional complexity that makes security more difficult.”

“Managing secrets has always been one of the toughest problems in Kubernetes,” he added.

Trousseau acts as an agent

Trousseau builds on Kubernetes’ etcd, the key-value store that holds API object definitions and state. Kubernetes Secrets are written to etcd using an envelope encryption scheme in which the key that protects the stored data is itself encrypted by a remote transit key held in a KMS.

Through Trousseau’s native Kubernetes integration, secrets are encrypted against a KMS, so database credentials, configuration files or TLS certificates containing critical information can be protected while remaining easily accessible to applications through the standard Kubernetes API primitives.
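The envelope encryption scheme described above, as an added example that is not Trousseau’s own code: a per-secret data encryption key (DEK) encrypts the object locally with AES-GCM, and only a wrapped copy of that DEK is persisted alongside the ciphertext, while the key encryption key (the “remote transit key”) never leaves the simulated KMS. The `transitKMS` type stands in for Vault and is an assumption of this example, the etcd-style object key is constructed, and binding the ciphertext to the object key as AES-GCM additional data is a design choice of this example rather than something the article describes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// transitKMS stands in for the remote KMS (for example a Vault transit key).
// The key encryption key (KEK) never leaves this struct; callers can only
// ask it to wrap or unwrap data encryption keys. (Hypothetical stand-in.)
type transitKMS struct {
	kek []byte
}

func newTransitKMS() (*transitKMS, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &transitKMS{kek: kek}, nil
}

// aesGCMSeal encrypts plaintext under key with a fresh random nonce and
// returns nonce || ciphertext || tag. aad binds the result to a context.
func aesGCMSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, plaintext, aad)...), nil
}

// aesGCMOpen reverses aesGCMSeal; any tampering or wrong aad fails the tag check.
func aesGCMOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// Wrap/Unwrap are the only operations the "remote" KMS exposes.
func (k *transitKMS) Wrap(dek []byte) ([]byte, error)      { return aesGCMSeal(k.kek, dek, []byte("dek")) }
func (k *transitKMS) Unwrap(wrapped []byte) ([]byte, error) { return aesGCMOpen(k.kek, wrapped, []byte("dek")) }

// envelope is what would be persisted in etcd: the secret encrypted under a
// per-object DEK, plus that DEK wrapped by the KMS. The plaintext DEK is never stored.
type envelope struct {
	WrappedDEK []byte
	Ciphertext []byte
}

// encryptSecret generates a one-time DEK, encrypts the secret locally, and has
// the KMS wrap the DEK. objectKey is used as additional authenticated data so a
// blob copied to another object's key fails to decrypt (design choice of this example).
func encryptSecret(kms *transitKMS, objectKey string, secret []byte) (*envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := aesGCMSeal(dek, secret, []byte(objectKey))
	if err != nil {
		return nil, err
	}
	wrapped, err := kms.Wrap(dek)
	if err != nil {
		return nil, err
	}
	return &envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// decryptSecret asks the KMS to unwrap the DEK, then decrypts locally.
func decryptSecret(kms *transitKMS, objectKey string, env *envelope) ([]byte, error) {
	dek, err := kms.Unwrap(env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return aesGCMOpen(dek, env.Ciphertext, []byte(objectKey))
}

func main() {
	kms, _ := newTransitKMS()
	// Constructed sample: an etcd-style object key and a dummy secret value.
	key := "/registry/secrets/default/db-creds"
	env, _ := encryptSecret(kms, key, []byte("password=example-only"))
	pt, err := decryptSecret(kms, key, env)
	fmt.Printf("%s %v\n", pt, err)
}
```

The point of the split is operational: etcd holds only ciphertext and wrapped DEKs, so a backup or snapshot of etcd is useless without access to the KMS, and rotating or revoking the transit key in the KMS invalidates every envelope at once without touching etcd.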

“Kubernetes talks to Trousseau – they speak the same language – and then it’s Trousseau’s job to talk to the major management system vendors and act as a translator,” Nicolas Vermande, principal developer advocate at Ondat, told CSO. “Trousseau acts as a proxy that allows Kubernetes to talk to the KMS provider’s backend without any friction.”

Getting the “right” cloud native security

Ratan Tipirneni, President and CEO of Tigera, a container security provider, explains that the right cloud-native security requires the right security architecture. “An important part of this architecture is being able to secure passwords, API keys, and secrets in a way that supports the highly dynamic and automated nature of Kubernetes,” he said. “We also believe that all components of the security architecture should be implemented kube-natively, so that day two operations do not expose new holes as various components are continuously upgraded.”

“That’s why we think Trousseau’s kube-natively implemented approach to secrets management is an elegant architecture,” says Tipirneni.

Many security issues stem from developers being under pressure to get things out quickly and from the difficulty of building systems or code securely, adds Mike Parkin, engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation. “Managing secrets in Kubernetes is a known challenge, so a project like this that makes it easier is welcome. Being an open source project should help with adaptation, and having lots of eyes on the code will help to keep it safe.”

Copyright © 2022 IDG Communications, Inc.