Comments (9)
raoofm
commented on May 31, 2024
1
It is new to me as well, I'm fine to contribute to the design(sample?).
I suggested kms because of the below reasons
- The keys would be stored encrypted whereas kubernetes secrets are not (afaik).
- For use cases where kubernetes etcd backend is not backed up as they dont store any state of the apps and can immediately rebuild their infra using terraform.
- If the kubernetes secrets are deleted by mistake, or the namespace is deleted, then there is no way to recover the keys and vault cannot be unsealed.
from vault-operator.
thrawn997
commented on May 31, 2024
Wouldn't it be better to just store the unseal keys as a secret? Seems less cloud specific to do it that way.
from vault-operator.
philips
commented on May 31, 2024
I would like to have someone build a design doc on how we can do this based on kubelet identity and Kubernetes secrets instead of using kube2iam. This will ensure good security and generic application across cloud providers.
from vault-operator.
thrawn997
commented on May 31, 2024
I'd be new to doing that, but can learn if you can point me to the existing document (if one exists) for using kube2iam.
from vault-operator.
deedubs
commented on May 31, 2024
@philips do you have a rough outline the community could fill out?
Quickly thinking we could:
- kubelets generate PGP keys
a. store private key locally(?)
b. store public key as secret - vault operator divides key into N parts encrypts it with the kubelet private keys and writes them to secrets
- vault operator deploys new "unlocker" daemonset to kubelets
a. unlocker watches vault state, if its locked they...
b. decrypt their key and sends it to unlock - when a new node comes online we follow https://www.vaultproject.io/guides/operations/rekeying-and-rotating.html and rotate the stored keys
Please just consider this a conversation starter... 😃
from vault-operator.
thrawn997
commented on May 31, 2024
Assuming Vault is in an HA state, would it be possible to store as kubernetes secrets as long as you have secrets encrypted? Secrets can be encrypted with Vault now:
https://github.com/oracle/kubernetes-vault-kms-plugin/blob/master/README.md
from vault-operator.
deedubs
commented on May 31, 2024
That would make the initial bootstrapping step different from the 'normal case' which is dangerous in my experience.
from vault-operator.
thrawn997
commented on May 31, 2024
Wouldn't the bootstrap process stay the same? It would just reinforce that an org using a KMS should be encrypting their kubernetes secrets.
from vault-operator.
deedubs
commented on May 31, 2024
It would stay the same in that it would still be manual
from vault-operator.
Related Issues (20)
- Performance issues with vaults instances in standby
- Persistent Volume Claims option? HOT 2
- etcd-operator deploy fails: is forbidden: User "system:serviceaccount:default:default" cannot get pods in the namespace "default" HOT 1
- Ingress to access Vault HOT 1
- vault-operator erroneously "updates" (kills) active node if it can't be reached/is unhealthy
- Recommended way to monitor sealed/unsealed status? HOT 2
- etcd-operator fails with "a container name must be specified for pod etcd-operator-764f7ff957-w7shx, choose one of: [etcd-operator etcd-backup-operator etcd-restore-operator]" HOT 1
- Can someone show an example of how to use curl/HTTP API?
- no-op after creation of the CRD on openshift 3.10
- Namespace vault-operator error HOT 2
- etcd Cluster fails to start HOT 1
- Support Vault 0.11 and greater HOT 4
- Allow nodeSelector and tolerations to be specified for vault pods
- vaultservices.vault.security.coreos.com Image HOT 1
- support dev server mode vaults
- Unable to Log in to the Kubernetes auth backend using the service account token HOT 3
- Unable to configure the custom repository for operator to pull images ( busybox, etcd, vault, statsd-exporter )
- Error initializing storage of type etcd: failed to get etcd API version: client: etcd cluster is unavailable or misconfigured; error #0: dial tcp 10.101.6.170:2379: getsockopt: connection refused HOT 5
- deploying vault using vault-operator HOT 3
- Operator projects using the removed APIs in k8s 1.22 requires changes. HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from vault-operator.