CloudDevelopersDevOpsFeaturedLet's TalkOpen Source

Encrypt Kubernetes Secret With Ondat Trousseau

0

Guest: Nic Vermande (LinkedIn, Twitter)
Company: Ondat (LinkedIn, Twitter)
Keywords: Kubernetes Secret, Hybrid Cloud
Show: Let’s Talk

Summary: Ondat is a Kubernetes-native platform for running stateful applications, anywhere, at scale. The company recently announced Trousseau, an open source project for the encryption of resources and in particular, the encryption of Kubernetes Secret. We sat down with Nic Vermande, Principal Developer Advocate at Ondat to learn more about the project.

“It may be weird but secrets in Kubernetes are not really secrets and you need to add a layer of encryption on top of that. Now, the challenge is that the management and the externalization of the management of those resource encryption as well as the different keys, are difficult to do in Kubernetes. There’s no standard way to do it, so kubernetes provide high vendor rules to do that. But it’s really up to the vendor to figure out how they want to integrate with Kubernetes. So essentially, Trousseau is acting as a middle man, a KMS Kubernetes Plugin that streamlines the integration of all the backend encryption in KMS providers, such as HashiCorp Vault and other KMS in general,” said Vermande.

Highlights of this show:

  • Ondat announced Trousseau, an open source project for the encryption of resources and in particular, the encryption of Kubernetes Secret. Vermande explains what it is and how does it work?
  • What’s the need for this project now?
  • How different is Trousseau from other projects that try to do the same thing?

About Nic Vermande: Nicolas is an experienced hands-on technologist, evangelist and product owner who has been working in the fields of Cloud-Native technologies, Open Source Software, Virtualization and Datacenter networking for the past 17 years.

About Ondat: Ondat is the Kubernetes-native platform for running stateful applications, anywhere, at scale. Ondat delivers persistent storage directly onto any Kubernetes cluster for running business-critical, stateful applications safely across any public, private and hybrid clouds. For development, DevOps professionals and technology executives, it provides an agnostic platform to run any data service anywhere while ensuring industry-leading levels of application performance, high availability and security.


Here is the full unedited transcript of the show:

  • Swapnil Bhartiya: Hi, this is your host Swapnil Bhartiya and welcome to TFiR Let’s Talk. Today we have with us Nic Vermande, Principal Developer Advocate at Ondat. Nic it’s great to have you on the show.

Nic Vermande: Yeah, thank You. I’m really happy to be there. Really thrilled. Thank you for having me.

  • Swapnil Bhartiya: We have hosted Ondat before but it’s been, I think almost a year now, not a year but it’s 2022. So please quickly remind our viewers what is Ondat all about?

Nic Vermande: Ondat is a software solution that provides distributed data services for stateful application running in Kubernetes. So I would say that our mission is to reduce the friction for developers when they are adopting Kubernetes as their platform of choice to run those stateful application, which are the traditional mission critical application.

  • Swapnil Bhartiya: Ondat recently announced Trousseau if I pronounce it correctly. Please tell us, what it is and what does it do?

Nic Vermande: So Trousseau is an open-source project we have initiated to solve a very particular problem within Kubernetes which is the encryption of resources and in particular, the encryption of Kubernetes Secrets. I mean that may be weird but secrets in Kubernetes they are not really secrets and you need to add a layer of encryption on top of that. Now, the challenge is that the management and the externalization of the management of those resource encryption as well as the different keys, are difficult to do in Kubernetes. There’s no standard way to do it, so kubernetes provide high vendor rules to do that. But it’s really up to the vendor to figure out how they want to integrate with Kubernetes. So essentially, I mean in nutshell TruSo is acting as a middle man. And it’s a KMS Kubernetes Plugin that streamlines the integration of all the backend encryption in KMS provider, such as HashiCorp Vault and just other KMS in general.

  • Swapnil Bhartiya: Can you also talk a bit about when you’re talking about secrets and encryption, what is the need for that, and when we talk about them are we talking about the security space or, I just want to basically understand the problem area.

Nic Vermande: Yeah, exactly. This is exactly about securing the Kubernetes cluster and with Kubernetes adoption, we see that more and more customer are also adopting Kubernetes for more mission critical stateful applications such as your databases, message queuing, all of that. I mean all the data becomes super sensitive and anyone with access to the cluster potentially can see all the passwords, all sensitive information that is used for databases, including Kubernetes Secrets because secrets in Kubernetes they are just encoded in Base64. They are not encrypted which mean that anyone with just information can see all the secrets that are stored in your single etcd database inside Kubernetes.

So the idea is to encrypt those secrets, actually Kubernetes allows you to encrypt any sort of resources it handles but probably secret is the most important ones. So that’s, you can not only encrypt data using secrets, but those secrets then you need to put them in a safe place ideally outside of Kubernetes, and this is what TruSo allows. So you have a separation of duty. You have your encrypted data within Kubernetes but you manage the key to encrypt and decrypt all this information outside of the cluster.

  • Swapnil Bhartiya: Last year, NSA came out with the Kubernetes Hardening Guidance as well. Did they also kind of cover Kubernetes Secrets to protect APIs or that was outside the scope? And if they did… Yeap. And if they did there was meant for federal public use case, but how does this also help every Kubernetes consumer out there?

Nic Vermande: Yeah. Top of my head, I think they mentioned it. Last time I read it was like a long time ago when I was preparing specific specification for security around Kubernetes. But yeah, definitely those are the guidelines to hold a new cluster. And top of mind even before starting to think about running your application in Kubernetes, secrets are really key to everything. Because as a native resource it is used for pretty much everything. Every single application will have to store some secret think about just AWS, maybe you will do some automation and you will need to store your AWS credential in your secrets.

Now, if those secrets are not encrypted well that’s basically a backdoor to the entire cluster and to the entire cloud, which is not excellent to the cluster. So that’s really a key dimension because the footprint in the scope is not only Kubernetes, but also what you store in Kubernetes and what potentially you give people access outside of the cluster, like the cloud providers for example. So I think for users of course you have to pay attention to what NIST has released and fundamentally maybe not everything would be applicable to you. So you have to pick the quick wins, the battles that you can fight easily and secrets is definitely one of them.

  • Swapnil Bhartiya: There has been other efforts also in this direction, Trousseau is not the first one. So can you also talk about, of course depending on how we look at some products I mean, there are always users their products are successful, some are not that successful. What sets TruSo apart from them, and also why you folk chose open-source way for that?

Nic Vermande: Yeah, sure. So, I mean the first part what makes Trousseau different is that as opposed to any vendor solution that implements its own kind of way of integrating with the KMS provider, TruSo is there as a man in the middle and allows you to use I would say native commands. So you continue to manage everything through a COPCTL and just native paradigms. And ultimately the backend provider, like the vendor who provide the security features doesn’t even know it’s running on… That is going to be working with keys and encryption for Kubernetes. So the main difference is that instead of having every vendor that does its own thing, uses its own patterns, has its own roadmap, TruSo is the man in the middle that allows you to keep things native to Kubernetes while at the same time abstracting the backend KMS provider. So essentially we want to facilitate the integration of all these vendors with Kubernetes, so that it becomes easier for developers to consume them by staying in this Kubernetes format.

And now the second part, which was why open-source? Again, it’s completely a consequence of that is we want not also we have the first release which comes with a HashCorp vote. So HashCorp is our first partner to contribute to that. But of course the idea is to have more later, whether it’s Cloud KMS or other vendors and the only way to make this possible I would say outside of all the business interest is by creating some sort of open-source projects so everyone can contribute at the same level and with having in mind the interest of the end user.

  • Swapnil Bhartiya: Overall beauty of open-source is that, of course not only you get users because of the model of open-source they can use it. You also build a committee on it so you not only get feedback, but you also get code contribution there as well. Can you also talk about the challenge with open-source because you actually do not know who is using it, right? Because anybody can get the code from GitHub or GitLab wherever you afford to bring the code. So I want to also understand if you can share, of course you mentioned HashCorp if you can share who is using it and what kind of feedback response you have received so far which will also kind of influence the direction going forward or the roadmap.

Nic Vermande: Actually, we developed this idea of the open-source project together with a customer which is Sunny Vision. And so he was the first to provide feedback for the open-source project. So I would say so far so good. And hopefully it’s the first in a long list. And I would say it doesn’t really matter who can contribute. We have like a framework how you should contribute, how we can do pre-requests and just respect the guidelines. And we welcome really everyone. There’s nothing really I would say secret about the project itself. It’s just putting the glue together to facilitate the integration of those critical things for our customer.

And as I was saying before, we expect more and more adoption of TruSo because as customer are moving towards this journey of running business and more legacy application, they are transforming into modern application into Kubernetes, they will hit all those challenges. And hopefully if they have feedback, if they want to have more integration with new providers that we didn’t think about then we are happy to receive any comment, any feedback. And as I said, we started the roadmap with HashCorp and now we will have more providers coming soon.

  • Swapnil Bhartiya: Another beauty of open-source is that, sometimes there are use cases the folks, they want to solve a problem. And sometimes they take an initiative. So what is the governance of the project? Let’s say X, Y, Z, who wants to use it, do they have to rely on you? Or they can just go and do it themselves and then you can help them if they want to?

Nic Vermande: Yeah. So I mean the guideline, the framework is pretty open, the governance is pretty open, so typically what’s going to happen if someone wants to contribute just do traditionally as always pre-request. And of course we will examine if it’s okay, we’ll go through the pipeline to see if there is any bugs. And if it’s fits within the vision, that of course it has to fit within the vision, that’s the main thing. But this is an open place. And if they are any concern we’ll discuss them with people who want to contribute. But of course we want to stay open as possible. So nothing really special, pre-request engineering conversation. And then as more people contribute, then it’s just a voting system this like democracy type of thing.

  • Swapnil Bhartiya: Nic, thank you so much for taking time off today and of course talk about this project and also share the roadmap, the governance. And I would love to have you back on the show as you, so thanks for your time today.

Nic Vermande: No, my pleasure, would be happy to come back. No problem.

Don't miss out great stories, subscribe to our newsletter.

Dynatrace Updates Its Application Security Module

Previous article

Tigera Adds Active Cloud-Native Application Security To Calico Cloud

Next article
Login/Sign up