Dynamically Provisioning App Secrets during Container Run Time
Imran Shaikh, YellowPages
How to get application secrets and credentials securely into a container image has baffled quite a few industry experts. The solutions people employ are insecure, static, and not scalable. Novice users bake secrets into the image; once it is published to a registry, anyone who can pull the image has the secrets at their disposal.
Advanced users mount the secrets through volumes at container run time, but anyone with access to the host can mount the same volume and read the secrets for every image. Other advanced users pass secrets through ENV variables, which are open to snooping by anybody with access to the host.
Paranoid users employ public-key cryptography (RSA or elliptic-curve) to encrypt the secrets in the image with a public key; the image is then pushed to the registry. That is safe from snooping, since the secrets can be decrypted only with the private key resident on the host machine. But again, this solution is static.
None of these solutions truly fits the ephemeral nature of containers. We should be able to provide secrets dynamically, at run time, to a container running on any machine.
We, at YellowPages, have devised a solution that addresses that concern.
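As an added illustration of the first two anti-patterns above (this is not code from the talk or from YellowPages), the following Python audits an image's OCI configuration blob (the document `skopeo inspect --config` returns) for credentials set through ENV and for secret files copied into a layer. The sample configuration is constructed, and the key and file name patterns are assumptions a reviewer would tune for their own environment.

```python
import json
import re

# ENV key names that usually carry credentials when set in a Dockerfile (assumed list).
SECRET_KEY_RE = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY", re.I)
# File names that usually hold credentials when COPY'd or ADD'ed into a layer (assumed list).
SECRET_FILE_RE = re.compile(
    r"\.pem|\.key\b|id_rsa|id_ed25519|/\.env\b|credentials|secrets?\b", re.I)

# Constructed sample in the shape of an OCI image config document; not from any real image.
SAMPLE_CONFIG = json.dumps({
    "config": {"Env": [
        "PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/bin",
        "APP_ENV=production",
        "DB_PASSWORD=example-not-a-real-credential",
    ]},
    "history": [
        {"created_by": "/bin/sh -c #(nop) ADD file:1111aaaa in /"},
        {"created_by": "/bin/sh -c #(nop) COPY file:2222bbbb in /app/secrets.json"},
        {"created_by": "/bin/sh -c apt-get update"},
    ],
})


def find_exposed_secrets(config_json):
    """Return findings for secrets baked into an image config.

    Only key names and layer commands are reported, never values, so the
    report does not itself become a second copy of the secret.
    """
    cfg = json.loads(config_json)
    findings = []
    # Anti-pattern 1: credentials set via ENV travel with the image and are
    # readable by anyone who can pull it or inspect the running container.
    for entry in cfg.get("config", {}).get("Env", []):
        key, _, _value = entry.partition("=")
        if SECRET_KEY_RE.search(key):
            findings.append("env:" + key)
    # Anti-pattern 2: a secret file copied into a layer stays in the image
    # even if a later layer deletes it.
    for layer in cfg.get("history", []):
        cmd = layer.get("created_by", "")
        if re.search(r"\b(COPY|ADD)\b", cmd) and SECRET_FILE_RE.search(cmd):
            findings.append("layer:" + cmd.strip())
    return findings


if __name__ == "__main__":
    for finding in find_exposed_secrets(SAMPLE_CONFIG):
        print(finding)
```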
Imran Shaikh breathes DevOps, embodies it, and that is what will ooze out if you cut him. He is a Lead Systems Engineer working at YellowPages. He has 10+ years of industry experience working with Fortune 500 companies. He has worked extensively developing, architecting, and managing cloud technologies at YP as well as Yahoo. He has substantial experience running a globally distributed production environment on thousands of systems running hundreds of applications in a complex, fast-moving, and mission-critical environment.
Presently, his team is deploying and developing Mesos-supported technologies that work at scale. Mesos solutions for centralized logging, metrics, distributed monitoring, distributed storage, application secrets, etc. are being worked on. His team is solving issues which some people think don't even exist.
author = {Imran Shaikh},
title = {Dynamically Provisioning App Secrets during Container Run Time},
year = {2015},
address = {Washington, D.C.},
publisher = {USENIX Association},
month = nov
}