Hardware-based KMS Plug-in to Protect Secrets in Kubernetes - Raghu Yeluri & Haidong Xia, Intel
Join us for Kubernetes Forums Seoul, Sydney, Bengaluru and Delhi - learn more at kubecon.io
Don't miss KubeCon + CloudNativeCon 2020 events in Amsterdam March 30 - April 2, Shanghai July 28-30 and Boston November 17-20! Learn more at kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects
Secrets are a key pillar of Kubernetes security, and Kubernetes 1.10+ strengthened the protection of secrets at rest in etcd with support for an external KMS (via KMS plug-ins) and envelope encryption. However, the secret encryption keys (the per-resource DEKs and the KEK) are in the clear in the memory of the KMS plug-in process on the Kubernetes master while it executes. An attacker with privileged access to the master node/host can read the keys from memory, access the secrets, and compromise both the data and the cluster. This session proposes a solution (with a quick demo): a new KMS plug-in that leverages a hardware-based TEE (trusted execution environment, such as Intel SGX) so that the keys, and the encryption of the secrets, are protected by the CPU on the master, addressing the threat vector described. It enumerates multiple options for integration with the KMS interface and articulates the trade-offs of each approach.
https://sched.co/UaZ2
Video: Hardware-based KMS Plug-in to Protect Secrets in Kubernetes - Raghu Yeluri & Haidong Xia, Intel, from the CNCF [Cloud Native Computing Foundation] channel
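As an added example (not code from the talk, nor from Kubernetes itself), the following Go program models the kms v1 envelope scheme the abstract refers to and the threat it describes. A software KMS plug-in holds the KEK as a plain byte slice in its own process memory; the apiserver-side transformer generates a fresh DEK for every write, has the plug-in wrap it, and stores `prefix || len(encDEK) || encDEK || AES-GCM(DEK, secret)`. The provider name `myprovider`, the use of AES-GCM for both layers, and the exact byte layout are assumptions for illustration (the real apiserver used AES-CBC for the kms v1 payload before 1.25, and the real plug-in is reached over gRPC on a Unix socket). `DecryptWithDumpedKEK` shows why memory exposure matters: the KEK bytes alone, lifted from the plug-in process, recover every stored secret without ever calling the plug-in again.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// SoftwareKMSPlugin models a kms v1 provider running as an ordinary process on
// the control-plane host. Its KEK is a plain byte slice on the heap, which is
// the exposure the talk is about: anyone who can read this process's memory
// has the root of the whole envelope hierarchy.
type SoftwareKMSPlugin struct {
	kek []byte // 32-byte AES-256 key, in the clear while the plug-in runs
}

func NewSoftwareKMSPlugin() (*SoftwareKMSPlugin, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &SoftwareKMSPlugin{kek: kek}, nil
}

// Encrypt and Decrypt are the two operations the apiserver asks the plug-in
// for; the plug-in only ever sees DEKs, never secret bodies.
func (p *SoftwareKMSPlugin) Encrypt(dek []byte) ([]byte, error)    { return gcmSeal(p.kek, dek) }
func (p *SoftwareKMSPlugin) Decrypt(encDEK []byte) ([]byte, error) { return gcmOpen(p.kek, encDEK) }

// KMS is the dependency of the apiserver-side envelope transformer.
type KMS interface {
	Encrypt(dek []byte) ([]byte, error)
	Decrypt(encDEK []byte) ([]byte, error)
}

// storagePrefix is the kms v1 marker the apiserver writes in front of the
// value in etcd; "myprovider" is an assumed provider name.
const storagePrefix = "k8s:enc:kms:v1:myprovider:"

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal returns nonce || AES-GCM(key, pt) with a fresh random 12-byte nonce.
func gcmSeal(key, pt []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, pt, nil)...), nil
}

func gcmOpen(key, ct []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(ct) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, ct[:ns], ct[ns:], nil)
}

// EnvelopeEncrypt is the apiserver side: new DEK per write, DEK wrapped by the
// plug-in, secret body encrypted locally under the DEK.
func EnvelopeEncrypt(kms KMS, secret []byte) ([]byte, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	encDEK, err := kms.Encrypt(dek)
	if err != nil {
		return nil, err
	}
	body, err := gcmSeal(dek, secret)
	if err != nil {
		return nil, err
	}
	var lenBuf [2]byte
	binary.BigEndian.PutUint16(lenBuf[:], uint16(len(encDEK)))
	out := append([]byte(storagePrefix), lenBuf[:]...)
	out = append(out, encDEK...)
	return append(out, body...), nil
}

// EnvelopeDecrypt parses the stored value, has the plug-in unwrap the DEK and
// then decrypts the body; malformed or non-envelope values are rejected.
func EnvelopeDecrypt(kms KMS, stored []byte) ([]byte, error) {
	if !bytes.HasPrefix(stored, []byte(storagePrefix)) {
		return nil, errors.New("not a kms v1 envelope")
	}
	rest := stored[len(storagePrefix):]
	if len(rest) < 2 {
		return nil, errors.New("truncated envelope")
	}
	n := int(binary.BigEndian.Uint16(rest))
	if len(rest) < 2+n {
		return nil, errors.New("truncated envelope")
	}
	dek, err := kms.Decrypt(rest[2 : 2+n])
	if err != nil {
		return nil, err
	}
	return gcmOpen(dek, rest[2+n:])
}

// DecryptWithDumpedKEK models the attacker: with root on the master they read
// the KEK out of the plug-in's memory (here simply handed over as bytes) and
// rebuild an offline copy of the plug-in that unwraps every DEK in etcd.
func DecryptWithDumpedKEK(dumpedKEK, stored []byte) ([]byte, error) {
	return EnvelopeDecrypt(&SoftwareKMSPlugin{kek: dumpedKEK}, stored)
}

func main() {
	plugin, _ := NewSoftwareKMSPlugin()
	stored, _ := EnvelopeEncrypt(plugin, []byte("db-password=hunter2")) // constructed sample secret
	fmt.Printf("etcd value starts with %q\n", stored[:len(storagePrefix)])
	leaked, _ := DecryptWithDumpedKEK(plugin.kek, stored)
	fmt.Printf("recovered with dumped KEK: %s\n", leaked)
}
```

The check on a live cluster is the same prefix: read a secret straight from etcd (`etcdctl get /registry/secrets/<namespace>/<name>`) and the value should begin with `k8s:enc:kms:v1:<provider-name>:` rather than with readable JSON or protobuf. What the talk's TEE-based plug-in changes is the `kek []byte` field above: inside an enclave the KEK is not readable by the host OS, so a memory dump of the plug-in process yields nothing `DecryptWithDumpedKEK` could use.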
No comments
Video information
Published 23 November 2019, 1:41:58
Duration 00:38:10
Other videos from the channel
![TiKV: A Cloud Native Key-Value Database - Dongxu Huang & Nick Cameron, PingCAP](https://i.ytimg.com/vi/1B4riWTTAZg/default.jpg)
![OpenTelemetry or eBPF? That is the Question - Omid Azizi, New Relic (Pixie)](https://i.ytimg.com/vi/0D4GTdv7QQA/default.jpg)
![Kubernetes Networking at Scale - Laurent Bernaille, Datadog & Bowei Du, Google](https://i.ytimg.com/vi/MvoImel5qfc/default.jpg)
![Cluster API Deep Dive - Katie Gamanji, American Express & Carlos Panato, Mattermost](https://i.ytimg.com/vi/npFO5Fixqcc/default.jpg)
![How to Be 10x SRE? A Deep Dive to Prometheus Operator - Jayapriya Pai & Haoyu Sun, Red Hat](https://i.ytimg.com/vi/Uph_Say4D3M/default.jpg)
![BuildKit CLI for kubectl: A New Way to Build Container Images - Daniel Hiltgen & Patrick Devine](https://i.ytimg.com/vi/vTh6jkW_xtI/default.jpg)
![Edge Computing using K3s on Raspberry Pi - Jeff Spahr, Lenovo](https://i.ytimg.com/vi/BgzQYlxYOmE/default.jpg)
![TikTok’s Story: How To Manage a Thousand Applications on Edge With Argo CD - Qingkun Li & Jesse Suen](https://i.ytimg.com/vi/Ftz5_lIepNA/default.jpg)
![Deploying VNFs with Kubernetes pods and VMs](https://i.ytimg.com/vi/gqlP9cpj0ak/default.jpg)
![Running distributed load tests with the Grafana k6-operator](https://i.ytimg.com/vi/OqeVrDnRFiU/default.jpg)
![Volcano – Cloud Native Batch System for AI, BigData and HPC - William (LeiBo) Wang](https://i.ytimg.com/vi/wjy35HfIP_k/default.jpg)
![Meshery - The Service Mesh Manager](https://i.ytimg.com/vi/mU8qHUGYsk8/default.jpg)
![Keynote: Cloud Native Superpowers with eBPF by Liz Rice](https://i.ytimg.com/vi/WLUUpvb2o4c/default.jpg)
![Keynote: Smooth Operator♪: Large Scale Automated Storage with... - Celina Ward & Matt Schallert](https://i.ytimg.com/vi/aDFm5KaTaOk/default.jpg)
![Kubernetes Configuration - Auditing for Enterprise Best Practices Through Open Source Tooling](https://i.ytimg.com/vi/alqCR9OsIJg/default.jpg)
![Open Policy Agent (OPA) Intro & Deep Dive - Anders Eknert, Styra & Will Beason, Google](https://i.ytimg.com/vi/MhyQxIp1H58/default.jpg)
![Deaf and Hard of Hearing WG Meeting - 2024-06-27](https://i.ytimg.com/vi/ux1x7MBdRTY/default.jpg)
![Seeing is Believing: Debugging with Ephemeral Containers - Aaron Alpar, Kasten](https://i.ytimg.com/vi/obasTgzhVR0/default.jpg)
![Serving Machine Learning Models at Scale Using KServe - Yuzhui Liu, Bloomberg](https://i.ytimg.com/vi/sE_A54T2n6k/default.jpg)
![Improving GPU Utilization using Kubernetes - Maulin Patel & Pradeep Venkatachalam, Google](https://i.ytimg.com/vi/X876kr-LkPA/default.jpg)
![Cloud Native Apps with Server-Side WebAssembly - Liam Randall, Cosmonic](https://i.ytimg.com/vi/2OTyBxPyW7Q/default.jpg)