Aktuelle Folge
Kubernetes base64 secrets are fine, with Mac Chaffee Länge: 29:29
By default, Kubernetes Secrets are not encrypted; values are merely base64 encoded.
And this is fine — at least, this is what Mac argues in this episode of KubeFM.
Mac says it all comes down to thinking strategically about security and where the Secrets could be leaked.
In this episode, you will learn:
How to define a threat model to inform your security posture and mitigations.
How Kubernetes Secrets offer sufficient guarantees for most common threat models.
If you should use Hashicorp Vault or Kubernetes Secrets (and when not to use auto-unsealing).
Mac also covers tips and advice on becoming a security expert.
Find all the links and info for this episode here: https://kube.fm/kubernetes-secrets-mac
Links
Plain Kubernetes secrets are fine
FluxCD
kube-prometheus-stack
Prometheus Operator
Alert Manager
Prometheus
Grafana
Gatekeeper
Helm charts
Gatekeeper policy for privilege pods
Gatekeeper policy for Ingresses with wildcard hostnames
Argo CD
Kubernetes secrets
etcd
Base64
Threat model
Formal methods to threat modeling
Bitnami Sealed Secrets
Hashicrop Vault
Vault Shamir secret sharing
Vault auto-unsealing
HSM backed Vault
Vault HA configuration
"keep it secret, keep it safe." — Gandalf
SWOT analysis
Chaos Engineering by Kelly Shortridge
GUID: 150bcad4-b9a7-48fc-abb1-248d5d322064
Erscheinungsdatum: 28.11.2023, 11:00:00