🛡️
CTHFM: Kubernetes
  • Welcome
  • Kubernetes Fundamentals
    • Kubernetes Components
      • Kubernetes Master Node
      • Worker Nodes
      • Pods
      • Service
      • ConfigMaps and Secrets
      • Namespaces
      • Deployments
      • ReplicaSets
      • Jobs and CronJobs
      • Horizontal Pod Autoscaler (HPA)
      • Kubernetes Ports and Protocols
    • Kubectl
      • Installation and Setup
      • Basic Kubectl
      • Working With Pods
      • Deployments and ReplicaSets
      • Services and Networking
      • ConfigMaps and Secrets
      • YAML Manifest Management
      • Debugging and Troubleshooting
      • Kubectl Scripting: Security
      • Customizing Kubectl
      • Security Best Practices
      • Common Issues
      • Reading YAML Files
    • MiniKube
      • Intro
      • Prerequisites
      • Installation MiniKube
      • Starting MiniKube
      • Deploy a Sample Application
      • Managing Kubernetes Resources
      • Configuring MiniKube
      • Persistent Storage in Minikube
      • Using Minikube for Local Development
      • Common Pitfalls
      • Best Practices
  • Kubernetes Logging
    • Kubernetes Logging Overview
    • Audit Logs
    • Node Logs
    • Pod Logs
    • Application Logs
    • Importance of Logging
    • Types of Logs
    • Collecting and Aggregating Logs
    • Monitoring and Alerting
    • Log Parsing and Enrichment
    • Security Considerations in Logging
    • Best Practices
    • Kubernetes Logging Architecture
  • Threat Hunting
    • Threat Hunting Introduction
    • What Makes Kubernetes Threat Hunting Unique
    • Threat Hunting Process
      • Hypothesis Generation
      • Investigation
      • Identification
      • Resolution & Follow Up
    • Pyramid of Pain
    • Threat Frameworks
      • MITRE Containers Matrix
        • MITRE Att&ck Concepts
        • MITRE Att&ck Data Sources
        • MITRE ATT&CK Mitigations
        • MITRE Att&ck Containers Matrix
      • Microsoft Threat for Kubernetes
    • Kubernetes Behavioral Analysis and Anomaly Detection
    • Threat Hunting Ideas
    • Threat Hunting Labs
  • Security Tools
    • Falco
      • Falco Overview
      • Falco's Architecture
      • Runtime Security Explained
      • Installation and Setup
      • Falco Rules
      • Tuning Falco Rules
      • Integrating Falco with Kubernetes
      • Detecting Common Threats with Falco
      • Integrating Falco with Other Security Tools
      • Automating Incident Response with Falco
      • Managing Falco Performance and Scalability
      • Updating and Maintaining Falco
      • Real-World Case Studies and Lessons Learned
      • Labs
        • Deploying Falco on a Kubernetes Cluster
        • Writing and Testing Custom Falco Rules
        • Integrating Falco with a SIEM System
        • Automating Responses to Falco Alerts
    • Open Policy Agent (OPA)
      • Introduction to Open Policy Agent (OPA)
      • Getting Started with OPA
      • Rego
      • Advanced Rego Concepts
      • Integrating OPA with Kubernetes
      • OPA Gatekeeper
      • Policy Enforcement in Microservices
      • OPA API Gateways
      • Introduction to CI/CD Pipelines and Policy Enforcement
      • External Data in OPA
      • Introduction to Decision Logging
      • OPA Performance Monitoring
      • OPA Implementation Best Practices
      • OPA Case Studies
      • OPA Ecosystem
    • Kube-Bench
    • Kube-Hunter
    • Trivy
    • Security Best Practices and Documentation
      • RBAC Good Practices
      • Official CVE Feed
      • Kubernetes Security Checklist
      • Securing a Cluster
      • OWASP
  • Open Source Tools
    • Cloud Native Computing Foundation (CNCF)
      • Security Projects
  • Infrastructure as Code
    • Kubernetes and Terraform
      • Key Focus Areas for Threat Hunters
      • Infastructure As Code: Kubernetes
      • Infrastructure as Code (IaC) Basics
      • Infastructure As Code Essential Commands
      • Terraform for Container Orchestration
      • Network and Load Balancing
      • Secrets Management
      • State Management
      • CI/CD
      • Security Considerations
      • Monitoring and Logging
      • Scaling and High Availability
      • Backup and Disaster Recovery
    • Helm
      • What is Helm?
      • Helm Architecture
      • Write Helm Charts
      • Using Helm Charts
      • Customizing Helm Charts
      • Customizing Helm Charts
      • Building Your Own Helm Chart
      • Advanced Helm Chart Customization
      • Helm Repositories
      • Helm Best Practices
      • Helmfile and Continuous Integration
      • Managing Secrets with Helm and Helm Secrets
      • Troubleshooting and Debugging Helm
      • Production Deployments
      • Helm Case Studies
Powered by GitBook
On this page
  • Overview
  • 1. Managing Secrets
  • 2. Config Maps and Environment Variables
  • Summary
  1. Infrastructure as Code
  2. Kubernetes and Terraform

Secrets Management

Overview

Secrets management and configuration are critical aspects of securely deploying and managing containerized applications, particularly in Kubernetes environments. Terraform can be used to automate and manage these configurations, ensuring that sensitive information is handled securely and that applications are configured correctly across different environments.

1. Managing Secrets

Secrets are pieces of sensitive information, such as API keys, database passwords, tokens, or encryption keys, that need to be securely managed and made available to your containers at runtime.

Key Concepts:

  • Kubernetes Secrets:

    • Purpose: Kubernetes Secrets are objects that store and manage sensitive data, such as credentials or tokens, that your containers need to access securely. These secrets can be injected into Pods as environment variables or mounted as files in a container's filesystem.

    • Terraform Implementation:

      • Use the kubernetes_secret resource in Terraform to create and manage secrets in your Kubernetes cluster. These secrets can be base64 encoded for storage, and you should ensure that they are encrypted at rest.

      resource "kubernetes_secret" "example" {
  metadata {
    name = "example-secret"
  }

  data = {
    username = "YWRtaW4="  # Base64 encoded
    password = "MWYyZDFlMmU2N7Rm"  # Base64 encoded
  }
}

      In this example, the kubernetes_secret resource creates a secret named example-secret with a base64-encoded username and password.

    • Using Secrets in Pods:

      • Secrets can be accessed by your containers either as environment variables or as files. When defining a Pod or Deployment in Terraform, you can specify that a container should use these secrets.

      resource "kubernetes_pod" "example" {
  metadata {
    name = "example-pod"
  }
  spec {
    container {
      name  = "example-container"
      image = "nginx"

      env {
        name  = "DB_USERNAME"
        value_from {
          secret_key_ref {
            name = "example-secret"
            key  = "username"
          }
        }
      }

      env {
        name  = "DB_PASSWORD"
        value_from {
          secret_key_ref {
            name = "example-secret"
            key  = "password"
          }
        }
      }
    }
  }
}

      In this example, the example-container uses the secret values for DB_USERNAME and DB_PASSWORD as environment variables.

  • HashiCorp Vault:

    • Purpose: HashiCorp Vault is a tool designed to securely store, manage, and control access to secrets and other sensitive data. Vault can be integrated with Terraform to dynamically generate and manage secrets, making it particularly useful for managing ephemeral or short-lived credentials.

    • Terraform Implementation:

      • Use the vault_generic_secret resource to interact with Vault secrets. This allows you to retrieve secrets from Vault and use them within your Terraform configurations.

      provider "vault" {
  address = "https://vault.example.com"
}

data "vault_generic_secret" "db_creds" {
  path = "database/creds/readonly"
}

resource "kubernetes_secret" "example" {
  metadata {
    name = "example-secret"
  }

  data = {
    username = base64encode(data.vault_generic_secret.db_creds.data["username"])
    password = base64encode(data.vault_generic_secret.db_creds.data["password"])
  }
}

      In this example, the vault_generic_secret data source retrieves credentials from Vault, which are then used to create a Kubernetes secret.

  • Cloud-Native Secret Management:

    • AWS Secrets Manager: AWS Secrets Manager is a service that helps you protect access to your applications, services, and IT resources without the upfront complexity of managing your own hardware security module (HSM) or encryption keys. Terraform can be used to store, retrieve, and rotate secrets in AWS Secrets Manager.

      resource "aws_secretsmanager_secret" "example" {
  name        = "example"
  description = "An example secret"
}

resource "aws_secretsmanager_secret_version" "example" {
  secret_id     = aws_secretsmanager_secret.example.id
  secret_string = jsonencode({
    username = "example-user"
    password = "example-password"
  })
}

    • Azure Key Vault: Azure Key Vault is a service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. Terraform can manage Key Vault secrets and ensure they are securely retrieved by your applications.

      resource "azurerm_key_vault_secret" "example" {
  name         = "example-secret"
  value        = "example-value"
  key_vault_id = azurerm_key_vault.example.id
}

    • Google Secret Manager: Google Secret Manager allows you to store, manage, and access secrets as part of your Google Cloud project. Terraform can manage these secrets and integrate them with Kubernetes or other services.

      resource "google_secret_manager_secret" "example" {
  secret_id = "example-secret"
  replication {
    automatic = true
  }
}

resource "google_secret_manager_secret_version" "example" {
  secret      = google_secret_manager_secret.example.id
  secret_data = "example-data"
}

2. Config Maps and Environment Variables

ConfigMaps and environment variables are used to configure your containers, often with non-sensitive data such as configuration settings, URLs, or feature flags.

Key Concepts:

  • Kubernetes ConfigMaps:

    • Purpose: ConfigMaps allow you to decouple configuration data from your container images, making it easier to manage and update configurations without rebuilding or redeploying the containers. ConfigMaps can store key-value pairs or entire configuration files.

    • Terraform Implementation:

      • Use the kubernetes_config_map resource to create and manage ConfigMaps within your Kubernetes cluster.

      resource "kubernetes_config_map" "example" {
  metadata {
    name = "example-config"
  }

  data = {
    app.properties = "property1=value1\nproperty2=value2"
    log_level      = "INFO"
  }
}

      In this example, a ConfigMap named example-config is created with application properties and log level settings.

    • Using ConfigMaps in Pods:

      • Similar to secrets, ConfigMaps can be used in Pods as environment variables or mounted as files in a container's filesystem.

      hclCopy coderesource "kubernetes_pod" "example" {
  metadata {
    name = "example-pod"
  }
  spec {
    container {
      name  = "example-container"
      image = "nginx"

      env {
        name  = "LOG_LEVEL"
        value_from {
          config_map_key_ref {
            name = "example-config"
            key  = "log_level"
          }
        }
      }

      volume {
        name = "config-volume"
        config_map {
          name = "example-config"
        }
      }
      volume_mount {
        name       = "config-volume"
        mount_path = "/etc/config"
      }
    }
  }
}

      In this example, the example-container accesses the log_level from the ConfigMap as an environment variable and mounts the entire ConfigMap as a volume.

  • Environment Variables:

    • Purpose: Environment variables provide a simple way to inject configuration into your containers. They can be set directly in Terraform configurations, or derived from Secrets or ConfigMaps.

    • Terraform Implementation:

      • Environment variables can be specified directly in the kubernetes_pod or kubernetes_deployment resource.

      resource "kubernetes_deployment" "example" {
  metadata {
    name = "example-deployment"
  }
  spec {
    replicas = 2
    selector {
      match_labels = {
        app = "example-app"
      }
    }
    template {
      metadata {
        labels = {
          app = "example-app"
        }
      }
      spec {
        container {
          name  = "example-container"
          image = "nginx"
          env {
            name  = "ENV"
            value = "production"
          }
          env {
            name  = "API_URL"
            value = "https://api.example.com"
          }
        }
      }
    }
  }
}

      In this example, the example-container within the Deployment is configured with ENV and API_URL environment variables.

Summary

  • Secrets Management: Terraform allows you to securely manage and inject secrets into your containerized environments. Whether using Kubernetes Secrets, HashiCorp Vault, or cloud-native secret management services like AWS Secrets Manager, Azure Key Vault, or Google Secret Manager, Terraform provides the tools to automate and secure the handling of sensitive data.

  • ConfigMaps and Environment Variables: ConfigMaps are used to manage non-sensitive configuration data, which can be injected into containers as environment variables or mounted as files. Terraform makes it easy to create, manage, and use ConfigMaps and environment variables in Kubernetes, helping you keep your configuration data separate from your application code.

PreviousNetwork and Load BalancingNextState Management

Last updated 7 months ago