Management at Scale with Vault & Rancher 24. June Robert de Bock Senior DevOps Engineer Adfinis robert.debock@adfinis.com Kapil Arora Senior Solution Engineer HashiCorp kapil@hashicorp.com Bastian Hofman Compliance & Hardware Security Module (HSM) integration ● Costs, scalability & productivity HashiCorp Vault Provides the foundation for cloud security that leverages trusted sources of identity to keep gartner.com/en/documents/3988410/critical-capabilities-for-privileged-access-management Vault Workflow Overview Vault Principles API (HTTP Rest / KMIP) Identity Policy / Governance Audit Dynamic Secrets

或更高版本部署的新集群才支持加密。没有使用外部 密钥管理系统 (KMS) 的现有加密集群无法迁移为使用外部 KMS。 以前，HashiCorp Vault 是唯一支持集群范围的 KMS 和持久性卷加密的 KMS。在 OpenShift Data Foundation 4.7.0 和 4.7.1 中，只支持 HashiCorp Vault Key/Value (KV) secret engine API，支持版本 1。 从 OpenShift OpenShift Data Foundation 4.7.2 开始，支持 HashiCorp Vault KV secret engine API、版本 1 和 2。从 OpenShift Data Foundation 4.12 开始，Thales CipherTrust Manager 已被作为额外支持的 KMS 被引进。 重要 重要 Red Hat OpenShift Data Foundation 订阅。如需更多信息，请参阅 OpenShift Data Foundation 订阅中的知 识库文章。 红帽与技术合作伙伴合作，将本文档作为为客户提供服务。但是，红帽不为 Hashicorp 产品提供支持。有 关此产品的技术协助，请联系 Hashicorp。 5.3.1. 集群范围的加密 Red Hat OpenShift Data Foundation 支持存储集群中所有磁盘和多云对象网关操作的集群范围加密

Kubernetes secrets: HashiCorp Vault Watch: https://www.youtube.com/watch?v=B16YTeSs1hI HashiCorp Vault KMS plugin for Kubernetes ● Secrets are in etcd, with root of trust in Vault Kubernetes auth backend backend for HashiCorp Vault ● Authenticate to Vault using a K8s service account Kubernetes secrets: requirements Kubernetes default Identity External secrets provider 1.7 EncryptionConfig 1.10 Azure Key Vault: https://github.com/Azure/kubernetes-kms ● AWS KMS: https://github.com/kubernetes-sigs/aws-encryption-provider ● HashiCorp Vault: https://github.com/oracle/kubernetes-vault-kms-plugin

via RetryPolicy of state components (Medium) DAP-01-011 WP2: HTTP Parameter Pollution in Hashicorp secret vault (Low) Orchestration Hardening Network Policy Zero-Trust Concepts RBAC Secrets Management DAP-01-011 WP2: HTTP Parameter Pollution in Hashicorp secret vault (Low) It was found that the SecretStore implementation of the Hashicorp’s secret vault is vulnerable to a HTTP Parameter Pollution vulnerability unintended for Dapr. Affected File: github.com/dapr/components-contrib@v0.8.0/secretstores/hashicorp/vault/vault.go Affected Code: func (v *vaultSecretStore) GetSecret(req secretstores.GetSecretRequest)

skip server config verify which is unsafe!") } Not all components follow this practice. The Hashicorp Vault Secretstore component labels the option “Insecure” but does not log a warning. Other components requests it. The attacker is likely to be an insider who has certain privileges. Example 1: Vault If the Vault SecretStore component does not receive a successful response from the remote store, Dapr copies https://github.com/dapr/components-contrib/blob/cfbac4d794b35e5da28d65a13369d33383fb6ad4/sec retstores/hashicorp/vault/vault.go#L247 19 Dapr security audit 2023 if httpresp.StatusCode != http.StatusOK { var b bytes

Parameter Pollution in Hashicorp secret vault (Low) Status: Open While reviewing the Dapr source code, it was noticed that the HTTP parameter pollution inside the Hashicorp vault code is still possible

Copyright © 2019 HashiCorp Consul及Consul Connect介紹 Service Mesh Made Easy 劉宇雷-Hashicorp Solutions Engineer Agenda 1. 服務網格是什麼? 簡要歷史回顧 2. 什麼是Consul，它如何工作? 3. 演示: 如何在非容器化的環境下使用Consul的服 務網格 4. 問&答 整個軟件的所有功能模塊是否都能夠容器化？ ▪ 是不是所有容器化了的微服務都能夠在同一個集群/數據中心/公有雲運帷？ Hashicorp聯合創始人 Armon Dadgar Mitchell Hashimoto Co-Founders and Co-CTOs Products: Terraform, Vault, Consul, Nomad, Packer, Vagrant 公有雲出現之前的軟件網絡安全 Crawl-Walk-Run Approach ⁄ Questions? Thank You! Yulei Liu Solutions Engineer Hashicorp � github.com/ausmartway � yulei@hashicorp.com

应用程序 用程序 86 1. 创建一个新项目： 2. 将一个 Helm chart 存储库添加到本地 Helm 客户端： 输 输出示例 出示例 3. 更新存储库： 4. 安装 HashiCorp Vault 示例： 输 输出示例 出示例 5. 验证 chart 是否已成功安装： 输 输出示例 出示例 6.3.2. 使用 Developer 视角安装 Helm chart 您可以使用 new-project vault $ helm repo add openshift-helm-charts https://charts.openshift.io/ "openshift-helm-charts" has been added to your repositories $ helm repo update $ helm install example-vault openshi openshift-helm-charts/hashicorp-vault NAME: example-vault LAST DEPLOYED: Fri Mar 11 12:02:12 2022 NAMESPACE: vault STATUS: deployed REVISION: 1 NOTES: Thank you for installing HashiCorp Vault! $ helm list

Helm。 流程 流程 1. 创建一个新项目： 2. 将一个 Helm chart 存储库添加到本地 Helm 客户端： 输 输出示例 出示例 3. 更新存储库： 4. 安装 HashiCorp Vault 示例： 输 输出示例 出示例 5. 验证 chart 是否已成功安装： 输 输出示例 出示例 7.3.2. 使用 Developer 视角安装 Helm chart 您可以使用 new-project vault $ helm repo add openshift-helm-charts https://charts.openshift.io/ "openshift-helm-charts" has been added to your repositories $ helm repo update $ helm install example-vault openshi openshift-helm-charts/hashicorp-vault NAME: example-vault LAST DEPLOYED: Fri Mar 11 12:02:12 2022 NAMESPACE: vault STATUS: deployed REVISION: 1 NOTES: Thank you for installing HashiCorp Vault! $ helm list

be added for how to harden the boundary between these sidecars at a cluster level. Tools like Hashicorp vault provide addi- tional secret management controls and a Dynamic Admission Controller-based approaches