Rafael enjoys building cloud native software, products, and technology at SAP. He was one of the early adopters of Kubernetes Operators and Kubernetes extension concepts. At SAP, he maintains the core implementation of Project Gardener, SAP’s open source solution for automating the provisioning and lifecycle management of thousands of Kubernetes clusters. Prior to working on Kubernetes, Rafael was working on Cloud Foundry and evaluating other container orchestration tools.
Every single Kubernetes cluster brings a plethora of credentials: server certificates, client certificates, ServiceAccount tokens, static tokens, etcd encryption keys, etc. But how do you manage them in a secure way?
Security best practices suggest using short-lived credentials wherever possible and frequently rotating static credentials everywhere else. What does this look like in practice when managing an entire fleet of clusters?
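As an added illustration of the two practices the abstract names (not material from the talk itself), the following manifests contrast a long-lived, never-expiring ServiceAccount token secret with a short-lived projected token. The ServiceAccount name `app`, the container image, the mount path and the audience `vault` are assumed values chosen for this example; the field names are standard Kubernetes API fields.

```yaml
# Weak setting (constructed example): a manually created
# kubernetes.io/service-account-token Secret. The token it holds has no
# expiry, so it must be rotated by hand and remains valid if leaked.
apiVersion: v1
kind: Secret
metadata:
  name: app-token            # assumed name
  annotations:
    kubernetes.io/service-account.name: app   # assumed ServiceAccount
type: kubernetes.io/service-account-token
---
# Preferred setting (constructed example): a Pod that does not automount the
# legacy token and instead requests a projected ServiceAccount token that is
# audience-bound and expires after one hour. The kubelet refreshes the file
# before expiry, so the workload only needs to re-read it; no manual rotation.
apiVersion: v1
kind: Pod
metadata:
  name: app                  # assumed name
spec:
  serviceAccountName: app    # assumed ServiceAccount
  automountServiceAccountToken: false
  containers:
  - name: app
    image: example.invalid/app:latest   # placeholder image
    volumeMounts:
    - name: sa-token
      mountPath: /var/run/secrets/tokens
      readOnly: true
  volumes:
  - name: sa-token
    projected:
      sources:
      - serviceAccountToken:
          path: token
          expirationSeconds: 3600   # short-lived; API server enforces a minimum of 600
          audience: vault           # assumed audience; token is rejected elsewhere
```

A defender can verify which pattern a cluster follows with `kubectl get secrets -A --field-selector type=kubernetes.io/service-account-token`: every hit is a static credential that still needs a rotation schedule, while workloads using the projected volume carry no long-lived secret at all.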
This talk puts together the puzzle pieces and presents how one can leverage Kubernetes primitives to securely handle all involved credentials in practice. It summarizes learnings that both cluster administrators and application developers can adopt to provide minimal-ops and disruption-free credentials management in Kubernetes.