#security (2018-12)

Archive: https://archive.sweetops.com/security/

2018-12-27

Erik Osterman (Cloud Posse)
Using Cloudflare Workers to identify pwned passwords

Last week Troy Hunt launched his Pwned Password v2 service which has an API handled and cached by Cloudflare using a clever anonymity scheme. The following simple code can check if a password exists in Troy’s database without sending the password to Troy.

2018-12-26

Erik Osterman (Cloud Posse)

And then using this pattern with Kubernetes https://www.bitservices.io/blog/confd-kubernetes/

confd With Kubernetes

Using confd to Inject Secrets into Kubernetes Pods Whilst using Kubernetes over the past few months, one challenge I repeatedly faced was to get secrets - such as passwords, SSH keys or certificate keys - securely into applications running on Kubernetes. Whilst this is quite easy if the container image is under your full control, to achieve this with an ‘off the shelf’ image is a little more tricky.

mrwacky

Are k8s secrets still unencrypted in etcd?

mrwacky

and not at all secret?

Erik Osterman (Cloud Posse)

they are encrypted at rest in etcd

mrwacky

that seems new since I last looked (1+ year ago)

Erik Osterman (Cloud Posse)

though I guess it depends on your k8s implementation

Erik Osterman (Cloud Posse)
cloudposse/geodesic

Geodesic is the fastest way to get up and running with a rock solid, production grade cloud platform built on top of strictly Open Source tools. https://slack.cloudposse.com/ - cloudposse/geodesic

Erik Osterman (Cloud Posse)

here’s the setup in kops manifest

Erik Osterman (Cloud Posse)

I’m not comfortable with secrets at present because they are in the clear. I attended a kubecon session on security, they talked about the encryption providers: https://kubernetes.io/docs/tasks/administer-cluster/kms-provider/

2018-12-21

2018-12-20

sarkis

yea, great timing…

Erik Osterman (Cloud Posse)
mrwacky

I think I might prefer a git credential helper instead

Erik Osterman (Cloud Posse)

haha, yea, in the end I’ll be using my OSX keychain instead

Erik Osterman (Cloud Posse)

here’s where I see this as interesting: EC2 Instance “master keys”

Erik Osterman (Cloud Posse)

while these should not be used for regular maintenance

Erik Osterman (Cloud Posse)

they can be good as a last resort

Erik Osterman (Cloud Posse)

this lets you store them in a centralized place and use IAM to control who has access to them.

Erik Osterman (Cloud Posse)

while also leveraging them from the command line to connect

mrwacky

we have our vault unseal token in SSM

Erik Osterman (Cloud Posse)

exactly - like that

Erik Osterman (Cloud Posse)

are you using vault enterprise or the community edition?

mrwacky

community

mrwacky

my understanding is they’ve added auto-unseal to enterprise

Erik Osterman (Cloud Posse)

…the other way around

Erik Osterman (Cloud Posse)

auto-unseal is now available in CE using KMS

mrwacky

that’s what I meant

sarkis

Whoa, this is really nice for the times you need a server to grab a deploy key… I had been grabbing the private deploy key from HashiCorp Vault or AWS SSM, but then writing it to a file. Didn’t think of temporarily adding it to an ssh-agent!

Erik Osterman (Cloud Posse)

Nice trick

2018-12-19

Erik Osterman (Cloud Posse)
What Is AWS Client VPN? - AWS Client VPN

Enable access to your VPC and on-premises network from anywhere, on any device.

Erik Osterman (Cloud Posse)

oh joy!

Erik Osterman (Cloud Posse)

just something in time for the holidays… a gift to the spammers & scammers for christmas

2018-12-16

Erik Osterman (Cloud Posse)
mumoshu/falco-operator

Kubernetes operator for Sysdig Falco that allows developers to manage rules for detecting intruders and backdoors - mumoshu/falco-operator


2018-12-05

aknysh
pericdaniel

lololol

Erik Osterman (Cloud Posse)

gravitational guys have reproduced the kubernetes exploit

2018-12-04

Erik Osterman (Cloud Posse)
HashiCorp Vault 1.0

Today we are excited to announce the public availability of HashiCorp Vault 1.0. Vault is a tool to manage secrets and protect sensitive data for any infrastructure and application…

Erik Osterman (Cloud Posse)

@antonbabenko auto unseal has arrived

joshmyers

About time.

antonbabenko

Beautiful

2018-12-03

Erik Osterman (Cloud Posse)

this is neat: https://privacy.com/

Privacy — Seamless & Secure Online Card Payments

Check out securely online by creating unique virtual card numbers for every purchase. Avoid data breaches, unwanted charges, and stolen credit card numbers.
