CommunityDevOps ExchangePartners
Articles
5/21/2021
10 minutes

4 Kubernetes Secrets Management Best Practices

Written by
Copado Team
Table of contents

Originally published by New Context.
 

Most people can probably remember being reproved for whispering as a child. The reason given for this sometimes-embarrassing admonishment ranged from the whispering being considered offensive to it excluding others who were being left out of the conversation. While these are important lessons in a child’s life, when it comes to data security, almost everyone agrees that keeping sensitive information secret far outweighs any offense an excluded party may experience.

In today’s highly competitive software development and operations (DevOps) landscape, security should be a driving factor and not functionally or strategically separate. This issue is particularly important when a tool such as Kubernetes is utilized. Kubernetes does come with inherent security capabilities; however, the best security may also be achieved by integrating Kubernetes secrets management with a third-party tool.

Kubernetes Secrets?

For enterprises, sensitive information can be difficult to broadly define. For some industries, such as banking or healthcare, virtually all transactions or data exchanges may involve privileged information that could be used to identify users or patients. For other companies, the restrictions may not need to be as extensive.

Regardless of industry, however, any credentials that are used to allow specific access are indeed sensitive and therefore require security restrictions. These secrets include passwords, security keys, digital certificates, tokens, and other user authentication identifiers that must remain unknown to everyone except a finite number of authorized persons or services.

Kubernetes is an open-source workload orchestration and runtime platform that inherently provides many infrastructure components and deployment conventions, including secrets management. The included secrets management capability allows application-specific secrets to be configured in addition to those that are automatically created for service accounts. Moreover, it is not necessary to have access to specific application code to utilize secrets as they can be attached to an application workload via native Kubernetes functions (i.e., API call).

Although Kubernetes Secrets is an option to be considered for handling sensitive information in production environments, there are potential trade-offs that require attention. For example, the default state of secrets being unencrypted at rest (within etcd) could potentially expose them via unchecked generic administrator access. These deficiencies (if not properly compensated for) could lead to not only compromised security credentials, but also costly breaches of corporate data and personally identifiable information (PII), or possibly even the stability of system operations. In light of these challenges, let’s take a look at what best practices to apply when working with Kubernetes.

4 Kubernetes Secrets Management Best Practices - Copado

Secrets Management when Using Kubernetes

To effectively protect your organization’s operations requires the incorporation of security throughout the development process. An essential aspect of this strategy is securing the identity and access credentials utilized for your applications. There are many threats to these identity credentials. For example, certificates can expire, keys can be lost, and passwords can be hacked. By following the suggested practices below, you can make the best use of Kubernetes, while providing access to secrets when needed and restricting unauthorized usage, thus minimizing or completely avoiding obstacles to smooth and secure cloud data management.

1. Pod Creation Best Practices

During development, it’s not uncommon for developers to own functionality beyond application features and therefore create code for credential utilization within their application. However, this enablement, left unchecked, could introduce poor credential handling practices, such as deploying from and/or checking in deployment manifests that directly contain raw Secret objects. To alleviate these risks, consider implementing a separate security workflow to handle secrets configuration as distinct from application configuration, and then leverage a reference pattern (corresponding secret by name, id, or other object) within the application manifest. This enables more stringent control over how and when actual sensitive secrets data is managed.

2. Configuration Best Practices

Almost all data within the Kubernetes API is stored within the distributed data store, etc, which includes Secrets. Ensuring that the Kubernetes cluster configuration is set to encrypt all data at rest (within etcd) is critical to reducing the risk of broad compromise. Leveraging the cluster-level EncryptionConfiguration object enables this encryption at rest and reduces the number of keys that need to be properly managed to a mere handful. Ideally, managing these cluster keys with an external provider (such as a cloud provider’s KMS service) is the best route as it moves the “first key problem” outside of Kubernetes itself.

3. Networking Best Practices

Applying the least-privilege concept to network traffic can provide extra assurances that sensitive Kubernetes cluster components (such as the API server and etcd) are only accessible from the services that need direct access. Consider locking down service-to-service traffic to only the required ports and sources via your cloud provider’s traffic filtering mechanisms (e.g., AWS Security Groups). Also, taking this a step beyond cluster component traffic, restricting traffic between application components should also be considered and could be achieved by leveraging a NetworkPolicy tool (e.g., Calico).

4. Security Best Practices

By default, Kubernetes administrators can access all Secrets stored within the cluster. Infrastructure/cloud administrators can potentially access the node’s storage and/or backups, which may contain unencrypted data (unless the steps in #2 were taken to encrypt data at rest). Therefore, restricting these privileges is critical to avoid unintended access of secrets. Leveraging both Kubernetes RBAC and your cloud provider’s RBAC (if applicable) is crucial to maintaining proper access for different staff, as well as audit and logging capabilities for incidents where a trusted insider may be involved.

Following these best practices will result in more robust Kubernetes security management. However, replacing or supplementing the above patterns with a third-party tool for secrets management may be the best fit for your organization.

Alternative Kubernetes Secrets Practices

The security issues inherent with Kubernetes secrets management has led to the development of alternative approaches that allow for more flexible and robust security. One of these is Sealed Secrets, which is an open-source Kubernetes controller that enables Secrets data to be safely stored in git and can be customized to address specific access issues. Another option is to use the popular HashiCorp Vault tool. Vault is a well-tested and dependable option that includes dynamic secrets generation, replication across region, cloud, and datacenter, and can be used with various authentication methods.

Applying Kubernetes Secrets Management Best Practices

As outlined above, Kubernetes secrets are potentially accessible by unauthorized users, especially if the precautions listed above are not followed. Therefore, the best practice may be to opt for a less complex, more powerful alternative as discussed above. In either case, the best implementation option is to enlist an experienced DevSecOps partner who is fully committed to providing you with the most secure environment.
 

 

Book a demo

About The Author

#1 DevOps Platform for Salesforce

We Build Unstoppable Teams By Equipping DevOps Professionals With The Platform, Tools And Training They Need To Make Release Days Obsolete. Work Smarter, Not Longer.

How to Sync Salesforce Environments with Back Promotions
Copado and Wipro Team Up to Transform Salesforce DevOps
DevOps Needs for Operations in China: Salesforce on Alibaba Cloud
What is Salesforce Deployment Automation? How to Use Salesforce Automation Tools
Maximizing Copado's Cooperation with Essential Salesforce Instruments
Future Trends in Salesforce DevOps: What Architects Need to Know
From Chaos to Clarity: Managing Salesforce Environment Merges and Consolidations
Enhancing Customer Service with CopadoGPT Technology
What is Efficient Low Code Deployment?
Copado Launches Test Copilot to Deliver AI-powered Rapid Test Creation
Cloud-Native Testing Automation: A Comprehensive Guide
A Guide to Effective Change Management in Salesforce for DevOps Teams
Building a Scalable Governance Framework for Sustainable Value
Copado Launches Copado Explorer to Simplify and Streamline Testing on Salesforce
Exploring Top Cloud Automation Testing Tools
Master Salesforce DevOps with Copado Robotic Testing
Exploratory Testing vs. Automated Testing: Finding the Right Balance
A Guide to Salesforce Source Control
A Guide to DevOps Branching Strategies
Family Time vs. Mobile App Release Days: Can Test Automation Help Us Have Both?
How to Resolve Salesforce Merge Conflicts: A Guide
Copado Expands Beta Access to CopadoGPT for All Customers, Revolutionizing SaaS DevOps with AI
Is Mobile Test Automation Unnecessarily Hard? A Guide to Simplify Mobile Test Automation
From Silos to Streamlined Development: Tarun’s Tale of DevOps Success
Simplified Scaling: 10 Ways to Grow Your Salesforce Development Practice
What is Salesforce Incident Management?
What Is Automated Salesforce Testing? Choosing the Right Automation Tool for Salesforce
Copado Appoints Seasoned Sales Executive Bob Grewal to Chief Revenue Officer
Business Benefits of DevOps: A Guide
Copado Brings Generative AI to Its DevOps Platform to Improve Software Development for Enterprise SaaS
Celebrating 10 Years of Copado: A Decade of DevOps Evolution and Growth
Copado Celebrates 10 Years of DevOps for Enterprise SaaS Solutions
5 Reasons Why Copado = Less Divorces for Developers
What is DevOps? Build a Successful DevOps Ecosystem with Copado’s Best Practices
Scaling App Development While Meeting Security Standards
5 Data Deploy Features You Don’t Want to Miss
Top 5 Reasons I Choose Copado for Salesforce Development
How to Elevate Customer Experiences with Automated Testing
Getting Started With Value Stream Maps
Copado and nCino Partner to Provide Proven DevOps Tools for Financial Institutions
Unlocking Success with Copado: Mission-Critical Tools for Developers
How Automated Testing Enables DevOps Efficiency
How to Keep Salesforce Sandboxes in Sync
How to Switch from Manual to Automated Testing with Robotic Testing
Best Practices to Prevent Merge Conflicts with Copado 1 Platform
Software Bugs: The Three Causes of Programming Errors
How Does Copado Solve Release Readiness Roadblocks?
Why I Choose Copado Robotic Testing for my Test Automation
How to schedule a Function and Job Template in DevOps: A Step-by-Step Guide
Delivering Quality nCino Experiences with Automated Deployments and Testing
Best Practices Matter for Accelerated Salesforce Release Management
Maximize Your Code Quality, Security and performance with Copado Salesforce Code Analyzer
Upgrade Your Test Automation Game: The Benefits of Switching from Selenium to a More Advanced Platform
Three Takeaways From Copa Community Day
Cloud Native Applications: 5 Characteristics to Look for in the Right Tools
Using Salesforce nCino Architecture for Best Testing Results
How To Develop A Salesforce Testing Strategy For Your Enterprise
What Is Multi Cloud: Key Use Cases and Benefits for Enterprise Settings
5 Steps to Building a Salesforce Center of Excellence for Government Agencies
Salesforce UI testing: Benefits to Staying on Top of Updates
Benefits of UI Test Automation and Why You Should Care
Types of Salesforce Testing and When To Use Them
Copado + DataColada: Enabling CI/CD for Developers Across APAC
What is Salesforce API Testing and It Why Should Be Automated
Machine Learning Models: Adapting Data Patterns With Copado For AI Test Automation
Automated Testing Benefits: The Case For As Little Manual Testing As Possible
Beyond Selenium: Low Code Testing To Maximize Speed and Quality
UI Testing Best Practices: From Implementation to Automation
How Agile Test Automation Helps You Develop Better and Faster
Salesforce Test Cases: Knowing When to Test
DevOps Quality Assurance: Major Pitfalls and Challenges
11 Characteristics of Advanced Persistent Threats (APTs) That Set Them Apart
7 Key Compliance Regulations Relating to Data Storage
7 Ways Digital Transformation Consulting Revolutionizes Your Business
6 Top Cloud Security Trends
API Management Best Practices
Applying a Zero Trust Infrastructure in Kubernetes
Building a Data Pipeline Architecture Based on Best Practices Brings the Biggest Rewards
CI/CD Methodology vs. CI/CD Mentality: How to Meet Your Workflow Goals
DevOps to DevSecOps: How to Build Security into the Development Lifecycle
DevSecOps vs Agile: It’s Not Either/Or
How to Create a Digital Transformation Roadmap to Success
Infrastructure As Code: Overcome the Barriers to Effective Network Automation
Leveraging Compliance Automation Tools to Mitigate Risk
Moving Forward with These CI/CD Best Practices