New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Suggestion: Is it possible to get Kubernetes keep its Secrets in HashiCorp Vault #10439
Comments
This was discussed very briefly as something to explore after 1.0 On Fri, Jun 26, 2015 at 5:12 PM, akamalov notifications@github.com wrote:
|
Thanks Tim! |
+1 I think that be a great potential fit to explore further. Vault already has support for etcd as a backing store and the encryption, audit logging, secrets rotation, etc. would be great enhancements to k8s existing capabilities. |
+1 for this. Vault has the ability to dynamically generate secrets against AWS, MySQL and other third parties which is a feature we are very interested in. |
@akamalov Just want to clarify that what you want is for Vault to be the backing storage for the Secret api resource. If so, that is definitely something that should be possible to do from a pluggability standpoint whether or not it is the default. As for vault specifically, it looks very interesting and like there would be some synergy with things we want to do with secrets. |
Vault API docs: https://github.com/hashicorp/vault/blob/master/api/SPEC.md One possible integration would be this:
Does this seem reasonable? |
Seems like a variation on the classic problem of: "how can I store content managed by the api-server in "? I think the spectre of this type of problem was first raised here: Unique spin in this case is it scoped to a single resource and not across the board. Do we really want to go down the path of making it a one-off replacement per resource type, or should we instead find a way to support pluggable api types, and treat our core objects as swappable first? I think that is a more preferred path to meeting the need, but its slightly more complicated than what @erictune denotes. In general, I imagine each of the alternative pet stores whether for all resources or just one of them would have their own unique configuration flags that would need to be made available to the api-server and things can easily get out of control with flag proliferation. |
I think there are two questions here. One is can we make this piece pluggable. But the other is "do we need to build our own version of infrastructure piece x"? E.g. we're not building our own load balancers. And perhaps it could be helpful not to have to invent yet one more secrets store and create our own encryption, audit logging, secrets rotation, etc. when a solution already exists that fits well with k8s (i.e. is written in Go, distributed, runs on etcd, etc.) |
@benmccann - well, a service is a load balancer for pods, but I understand your general point ;-) The point is closer to our need for DNS and usage of SkyDNS. At this time, I am +1 for requiring DNS in Kubernetes and integrating SkyDNS (versus making it an add-on). At this time, you cannot really use Kubernetes without Secrets, and I am not sure I want to require Vault to use Kubernetes yet. Others may disagree, and maybe the answer will become clearer when the requirements on Secrets grow over time. That said, I am +1 on someone trying to swap an implementation of one our API objects with another implementation as a learning exercise on the patterns required. My quick review of the Vault API appeared to show there was no equivalent of WATCH, but maybe I am missing something. |
A second approach is to change each component that reads or writes secrets so that it knows how to use either a "builtin secret" or a "Vault secret". The changes that I can think of are:
Certainly possible. Need to compare effort to do above to effort to add the most wanted features to builtin secrets. |
@pmorie Yes, indeed the ask (if possible) was to have Vault to be the backing storage for the Secret api resource. |
Based on how k8 api server configured, couldn't it proxy it through on On Thu, Jul 23, 2015 at 8:20 PM, Eric Tune notifications@github.com wrote:
|
@erictune FYI, I'm not sure that those API docs are up-to-date, but there is exhaustive documentation at https://vaultproject.io/docs/http/index.html (plus info on the various backends). I'm not a Hashi guy but I have done some contributing to Vault and may be able to answer some questions (or point you to the right Hashi people). I saw this ticket because someone mentioned it in #1957 (Support for Consul K/V storage). From that ticket it seems like work has gone into abstracting the storage backend, such that Consul (or ZooKeeper, or maybe eventually CockroachDB) could be swapped in for etcd. To that end, regarding the mentions of SkyDNS above, please take care to keep things abstract. Consul already does service discovery (both DNS-based and with an HTTP resource). It would be a shame to have someone put together an alternate backing K/V storage implementation but then still be required to run etcd because SkyDNS is now a requirement. |
Thanks for the docs pointer. I'll take a look at that. Regarding Consul and SkyDNS: in the project-supported Kubernetes distros, On Fri, Jul 24, 2015 at 8:27 AM, Jeff Mitchell notifications@github.com
|
@erictune Ah. This also suggests, however, that etcd is running in a single-instance mode, which means no HA or reliability. In that case, you'd maybe get more mileage from spending the effort on making SkyDNS use e.g. BoltDB...something designed more around a single-user paradigm. Edit: I realize you said "in its pod", so perhaps you are talking about a separate, fully multi-server HA etcd setup. Either way, I'd still prefer to re-use existing Consul rather than populate SkyDNS with services that Consul already knows about and is able to serve information for; not to mention the fact that Consul's secondary HTTP API provides a much richer set of information than the DNS API on either SkyDNS or Consul can provide. |
+1 for this. Given that secrets are currently stored unencrypted in etcd, I can't use kubernetes secrets for storing sensitive app information. I can role my own integration with Vault as a sidecar container, but it would be nice to leverage the built-in features that k8s offers, and have Vault be a swappable implementation detail. |
/subscribed. Really interested in this capability 👍 |
@derekwaynecarr There's currently no notion of "watching" a value in Vault. However, there are two ways to work around it:
I'm not sure that watches that run arbitrary commands or perform arbitrary functions are worth replicating in Vault's API, although I'm not closed to the idea, but if it's too simple it might not be useful...so the right balance would have to be figured out. In the mean time, I think this is actually a decent usage pattern, as you can then take advantage of any native watch functionality in your backing store, and simply convert the path to do the lookup against Vault.
|
@gurvindersingh you asked me about this issue at KubeCon |
The use case mentioned by @gurvindersingh was that companies have secrets that are stored in vault and they have some machines with kubernetes, and some that are non part of a kubernetes cluster. They do not want to store all secrets in kubernetes (reasonable), and they do not want to store secrets in two places (maybe reasonable). |
(Disclaimer: Just discovered Vault last week, but have now read all the docs and am thoroughly in favor of it.) Now that Vault exists, it seems reasonable to expect all open source systems that need to store secrets to move in a direction that would allow Vault to serve that function. One purpose per tool and best tool for the job, right? Just like:
And so on. (I have no opinion re priority of this feature relative to others. Just saying it's a logical goal.) |
Looks like that's just a design doc. I'm interpreting that as not being implemented yet. |
Google has released Google Cloud KMS on GCP, that would be an ideal place (for us) to store secrets, making them available for e.g. Ingress SSL certificates, secret volumes, environment variables, and so on. I assume such integration with kubernetes is not already available? |
@bbzg good for you :) |
@Bregor I've got love for everyone 🐶! But of course, I would be most happy if this feature was brought to GCP/Google Cloud KMS as soon as possible :) |
While I don't think k8s should be dependent on Vault, I do think it should create the types
Keys could then be referenced from a provider
Keys can then be linked to secrets:
A user would both need permissions to the secret and the key used to decrypt it. The |
@grillz I think this is a good proposal.. For an initial design I think your Regardless of the implementation of your suggestion, having this abstracted out into a manifest seems like the best option here. |
I don't think exposing keys via the API is a good place to start. Some of the biggest API-related issues with secrets today are:
A key resource would have the same issues. I think we should work on solving those issues for secrets first, then consider whether an API key resource makes sense as an additional layer. |
Our biggest problem with them right now is that they aren't encrypted.
Is more of a namespace issue in general, and I don't think its specifically secret related. Currently, we are segmenting "Apps" into namespaces to restrict access to the secrets, but even with that the secret that is stored simply isn't sufficiently encrypted and hence compliant. I see we have #12742, why not make that a pluggable key interface? I was just trying to solve the MVP of making secrets encrypted, but I agree that the issues you mentioned are also pressing. |
there are multiple levels:
|
Not if the key is referenced externally via a plugin. This would be similar to the Authorization plugin implementation where a webhook can simply be used to link out. We have clients that would prefer to use their own keys similar to how they prefer an external user management system. This would eliminate the need for low level encryption all together as the client is responsible for their keys and the data encrypted by them. |
The webhook client will need a certificate and key to identify itself to the webhook server so it can legitimately request a "decrypting key". If the intent is for the pods to decrypt their secrets themselves, and avoid handling by kubelet/APIServer/... then the webhook client's (cert, key) pair needs to be delivered to the pod. Does that not bring us back to @liggitt 's point about partitioned and secure delivery? |
A good survey of other secret solutions: |
This is an old thread but... Now that they are secrets are encrypted by default on k8s would it be best to just integrate with the vault open service broker so that it's easy to provide vault auth secrets to services running on k8s? See kubernetes-retired/service-catalog#1042 for basic info of how this works. |
@emaildanwilson Secrets roadmap has a plan to implement Vault support in 1.8 (next release). Not sure if it is actually planned to be released in 1.8, but Kubernetes core certainly won't add a dependency on Service Catalog |
@nilebox thank you for pointing that out! It seems like it will be a nice option. I agree that core shouldn't consider using the service catalog approach. This option is more targeted to cluster admins that want to integrate with their existing Vault setup and provide to their end users a declarative way to obtain Vault auth tokens. The end users (or services) could then use the credentials to read/write data directly to Vault. |
+1 for storing secrets in Vault. I'm in a very large enterprise (& legally regulated) environment. I don't want to store some secrets in K8s and some elsewhere and I want to be able to rotate secrets easily. I'd like for service accounts to be authenticated in the same way that user accounts are. |
Hey all, until this is added to Kubernetes I've created a sync as a stop-gap. https://github.com/sunshinekitty/vaultingkube |
There is now an integration with Vault that lets you authenticate to it with K8s service accounts. Particularly pay attention to the security model section, it does give Vault some power over your cluster: That's something we're intending to fix with this: |
@kksiram as the issue #49817 is now solved, does it mean we can now use Vault as a secret backend for Kubernetes ? |
@mfilotto I assume the feature will be alpha in 1.10, but please watch kubernetes/enhancements#460 and the release notes for 1.10 and subsequent releases. Closing this as a dupe of #49817 |
There's some confusion on this point, let me try and clear it up. #49817 is about storing the keys to encrypt secrets in vault. It isn't a general vault integration. The remaining Vault integration work I see in this space is:
I'll chat to our hashicorp contacts about this, 3 and 4 are just ideas at this point. This content will go into the updated version of "A Plan for Secrets" I want to get out in the next few weeks: Look for that in sig-auth by the end of Q1. |
Is it possible to get Kubernetes keep its Secrets in HashiCorp Vault ?
hashicorp/vault#377
Alex
The text was updated successfully, but these errors were encountered: