Alex Soto - Securing Secrets in the GitOps era

Learn how to secure your secrets in the GitOps era, covering topics such as Kubernetes secret management, Vault, rotation of secrets, and more.

Key takeaways
  • Secrets management is crucial in GitOps. In the GitOps era, everything is in Git, but secrets are not.
  • Kubernetes secrets are not really secret. If an attacker gains access to the pod, they can get the secrets. Secrets are stored in etcd and are not encrypted by default.
  • GitOps requires secure secrets management. GitOps requires a good strategy for storing and managing secrets in Git, but also in the cluster, and then in the secret management system.
  • Bolt is not enough. Bolt is a good option, but it’s not enough. It provides a good security layer, but secrets are still in memory.
  • Vault is a good option. Vault is a good option for secret management. It provides a secure way to store and manage secrets, and it’s open source.
  • Rotation of secrets and keys is crucial. Rotation of secrets and keys is crucial to ensure the security of the application.
  • GitOps and secrets management require layers. GitOps and secrets management require multiple layers of security to ensure the security of the application.
  • Sealed secrets can be used. Sealed secrets can be used to encrypt secrets in Git.
  • KMS plugin is required. KMS plugin is required to ensure the security of the secrets in the cluster.
  • Dynamic secrets can be used. Dynamic secrets can be used to generate secrets for the application.
  • HashiCorp Vault is a good option. HashiCorp Vault is a good option for secret management. It provides a secure way to store and manage secrets, and it’s open source.
  • Kubernetes secrets can be encrypted. Kubernetes secrets can be encrypted to ensure the security of the application.
  • GitOps requires configuration management. GitOps requires configuration management to ensure the security of the application.
  • Secrets should be stored in a secret management system. Secrets should be stored in a secret management system to ensure the security of the application.

More talks

SAINTCON 2023 - Roberto Mello - Alice, this is Bob

Building Powerful APIs with Django, Django Rest Framework, and OpenAPI with Velda Kiara

Securing Microservices with Auth0 and MicroProfile in Kubernetes without a hassle | Ondro Mihalyi

"KalDB: A cloud native log search platform" by Suman Karumuri (Strange Loop 2022)

Roc Alayo Arnabat & Sergi Rosell Ferrer - GitOps in Modern Security-Compliant Environments

What your server looks like on the cloud

SAINTCON 2023 - Sherri Davidoff & Matt Durrin - Ransomware: New Trends & Prevention Strategies

Theodore Meynard - MLflow workshop | PyData London 2023