Credentials Rotation in Kubernetes – Putting Together the Puzzle Pieces
04-17, 10:10–10:40 (Europe/Amsterdam), The Warehouse

Every single Kubernetes cluster brings a plethora of credentials: server certificates, client certificates, ServiceAccount tokens, static tokens, etcd encryption keys, etc. But how do you manage them in a secure way?
Security best practices suggest using short-lived credentials wherever possible and frequently rotating static credentials everywhere else. What does this look like in practice when managing an entire fleet of clusters?
This talk puts together the puzzle pieces and presents how one can leverage Kubernetes primitives to securely handle all involved credentials in practice. It summarizes learnings that both cluster administrators and application developers can adopt to provide minimal-ops and disruption-free credentials management in Kubernetes.


Given the many distributed components inside a Kubernetes cluster that connect to each other, hardening and securing their communication is not as straightforward as one might hope. As a consequence, not every piece of software in the Kubernetes ecosystem follows best practices for managing credentials.
This talk aims to inspire the audience by showing how such best practices (short-lived credentials, auto-rotation) can be implemented to improve the overall security of the ecosystem.
Apart from demystifying credentials management and rotation procedures in general, listeners get insights into the Kubernetes community's transition from static ServiceAccount token secrets to projected tokens (along with interesting pitfalls).
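To make the transition the abstract refers to concrete, here is an added illustration that is not material from the talk or from the speakers: the legacy long-lived ServiceAccount token stored in a Secret, next to a Pod spec that instead requests a projected, time-bound, audience-scoped token. The names (`demo-sa`, `demo-app`, the image and the audience string) are placeholders chosen for this example.

```yaml
# Legacy pattern: a non-expiring ServiceAccount token materialised in a Secret
# (before Kubernetes 1.24 one of these was auto-created for every ServiceAccount).
# Anyone who can read the Secret holds a credential that stays valid until the
# Secret itself is deleted, so it has to be rotated by hand.
apiVersion: v1
kind: Secret
metadata:
  name: demo-sa-static-token                   # placeholder name
  namespace: default
  annotations:
    kubernetes.io/service-account.name: demo-sa  # placeholder ServiceAccount
type: kubernetes.io/service-account-token
---
# Preferred pattern: a projected ServiceAccount token. The kubelet requests a token
# bound to this specific Pod, with a fixed lifetime and audience, writes it into the
# volume and refreshes the file automatically before it expires. No long-lived
# credential is stored in a Secret, so nothing needs manual rotation.
apiVersion: v1
kind: Pod
metadata:
  name: demo-app                               # placeholder name
  namespace: default
spec:
  serviceAccountName: demo-sa                  # placeholder ServiceAccount
  automountServiceAccountToken: false          # opt out of the default mount; mount explicitly below
  containers:
    - name: app
      image: registry.example.com/demo-app:latest  # placeholder image
      volumeMounts:
        - name: api-token
          mountPath: /var/run/secrets/tokens
          readOnly: true
  volumes:
    - name: api-token
      projected:
        sources:
          - serviceAccountToken:
              path: token
              expirationSeconds: 3600          # valid for one hour; the kubelet rotates it
              audience: demo-api               # placeholder audience for an external service;
                                               # omit it to get a token for the API server itself
```

The usual pitfall on the consuming side is that the application must re-read `/var/run/secrets/tokens/token` periodically rather than caching it once at startup; otherwise it keeps presenting a token the kubelet has already replaced, and requests start failing after the first expiry. Scoping the `audience` means a token leaked from this Pod is rejected by any service other than the one it was minted for.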

Tim loves designing, developing, and operating cloud native systems at STACKIT. He is knee-deep in managing infrastructure and Kubernetes clusters themselves using Kubernetes operators. Tim is a core developer and maintainer of Gardener, an open source project for managing Kubernetes clusters at scale. Before joining the STACKIT Kubernetes Engine team, he was part of the Gardener team at SAP. Besides work, he is pursuing a master's degree in computer science.

Rafael enjoys building cloud native software, products, and technology at SAP. He was one of the early adopters of Kubernetes Operators and Kubernetes extension concepts. At SAP, he maintains the core implementation of Project Gardener, SAP’s open source solution for automating the provisioning and lifecycle management of thousands of Kubernetes clusters. Prior to working on Kubernetes, Rafael worked on Cloud Foundry and evaluated other container orchestration tools.