
Credentials Rotation in Kubernetes – Putting Together the Puzzle Pieces


Take me to the slides!

About

This is a talk by @rfranzke and @timebertt at Cloud Native Rejekts 2023 in Amsterdam (event schedule).

Abstract

Every single Kubernetes cluster brings a plethora of credentials: server certificates, client certificates, ServiceAccount tokens, static tokens, etcd encryption keys, etc. But how do you manage them in a secure way? Security best practices suggest using short-lived credentials wherever possible and frequently rotating static credentials everywhere else. What does this look like in practice when managing an entire fleet of clusters? This talk puts together the puzzle pieces and presents how one can leverage Kubernetes primitives to securely handle all involved credentials in practice. It summarizes learnings that both cluster administrators and application developers can adopt to provide minimal-ops and disruption-free credentials management in Kubernetes.

Description

Given the many distributed components inside a Kubernetes cluster that are connecting to each other, hardening and securing their communication is not as straightforward as one might hope. As a consequence, not every software in the Kubernetes ecosystem is following the best practices for managing credentials. This talk shall inspire the audience on how such best practices (short-lived credentials, auto-rotation) can be implemented to improve the overall security of the ecosystem. Apart from demystifying credentials management and rotation procedures in general, the listeners get insights into the Kubernetes community's transition from static ServiceAccount token secrets to projected tokens (along with interesting pitfalls).
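As an added illustration of the transition mentioned above (not part of the talk or of this repository), the two manifests below contrast a legacy static ServiceAccount token Secret with a projected, short-lived token volume. The ServiceAccount name app, the audience app-api, the namespace-less object names and the container image are assumed placeholders.

```yaml
# Added illustration; not from the talk or this repository.
# Legacy approach: a long-lived, non-expiring bearer token that the control plane
# writes into a Secret. It stays valid until the Secret (or the ServiceAccount) is
# deleted, so "rotation" means re-creating the Secret and redistributing it.
apiVersion: v1
kind: Secret
metadata:
  name: app-token-legacy                      # assumed name
  annotations:
    kubernetes.io/service-account.name: app   # assumed ServiceAccount name
type: kubernetes.io/service-account-token
---
# Projected approach: the kubelet requests a short-lived, audience-bound token via
# the TokenRequest API and rewrites the file before it expires. No Secret exists
# that could leak or need manual rotation.
apiVersion: v1
kind: Pod
metadata:
  name: app
spec:
  serviceAccountName: app                     # assumed ServiceAccount name
  automountServiceAccountToken: false         # skip the default mount; mount explicitly below
  containers:
  - name: app
    image: example.com/app:latest             # placeholder image
    volumeMounts:
    - name: sa-token
      mountPath: /var/run/secrets/tokens
      readOnly: true
  volumes:
  - name: sa-token
    projected:
      sources:
      - serviceAccountToken:
          path: token
          expirationSeconds: 3600             # kubelet refreshes the file before this elapses
          audience: app-api                   # assumed audience; the consuming API must check it
```

The caveat that bites in practice: the kubelet rewrites the token file in place, so the application has to re-read it periodically instead of caching it once at startup, otherwise it keeps presenting an expired token. Client libraries such as client-go do this reload automatically; hand-rolled HTTP clients usually do not.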

Presenting and Editing the Slides

Slides are built in Markdown using reveal.js, packaged with webpack, and deployed with netlify.

Prerequisites

Install a recent node version. Preferably, the one specified in .node-version.

brew install node

Present Locally

Perform a production build and serve the slides from the dist folder:

NODE_ENV=production npm run build
npm run serve

Important: Set NODE_ENV=production to yield the same build outputs as in production deploys to netlify. If you don't set it, the QR code will, for example, link to a local IP instead of the canonical URL.

Edit Locally

Run a dev server with hot-reload and open the slides in the browser:

npm start

Alternatively, use the preconfigured start run configuration for JetBrains IDEs.

Now, start editing the content files. When saving, slides are automatically rebuilt and refreshed in the browser.

Note that npm start doesn't write the output to dist.

Build Locally

Run a full build and write output files to dist:

npm run build

Now, output files can be inspected in the dist folder. Also, the slides can be served locally from the dist folder (no hot-reload):

npm run serve

Using the above will output non-minified files. Set NODE_ENV=production to enable minification, as is done in netlify builds:

NODE_ENV=production npm run build

Netlify Deploys

Netlify builds and publishes new commits to the master branch on https://talk-credentials-rotation.netlify.app/.

https://github.com/timebertt/talks contains a netlify proxy configuration to make the slides available at https://talks.timebertt.dev/credentials-rotation/.

The netlify site is configured to publish deploy previews for pull requests to the master branch and for pushes to arbitrary other branches.