Bootstrapping Kubernetes Google Cloud Platform without scripts (opens in new tab)

(github.com)

153 pointskelseyhightower8y ago25 comments

25 comments

17 comments · 6 top-level

runeks8y ago· 7 in thread

Is it me, or does it seem weird to encrypt your secrets by uploading the secret key to GCP (contained in the config .yaml file)? I assume the controller instances are operated by Google in this[1] example.

Moreover, is there any sensible way at all to encrypt secrets without baking the secret key into your image? I can’t think of any.

I want to deploy an app that makes use of one or more fairly important secrets, but I haven’t found a sensible way to make it auto-scale while keeping the secrets on-premise.

As far as I can see, the only sensible solution is to create in-cloud/off-premise secret keys that can only be accessed by images signed with an on-premise secret key.

So,

1. Create secret key on an offline, on-premise machine

2. Produce application image, transfer to offline machine, sign with on-premise secret key

3. Create off-premise (in-cloud) secret, which can only be accessed by images signed with the on-premise secret key

4. Upload app image and signature to the cloud, allowing only this image access to the in-cloud secret

[1] https://github.com/kelseyhightower/kubernetes-the-hard-way/b...

philips8y ago

To do this sort of encryption at rest you need a root. There are essentially three common solutions:

1. Keep the secret key in memory. This can be annoying though as a system administrator needs to unlock every process as it comes up; automation can help but is rarely deployed. This is what Vault does for example. There is a long design doc that we all worked on with this as an eventual option[1] but it is unclear if there is a ton of utility for users to be unlocking API servers

2. Hide the secret key inside of hardware using something like an HSM or a TPM. This is really the state of the art however it doesn't really work well in many environments and requires good inventory management.

3. Give machines a stable cryptographic identity and exchange that identity for a secret key that is kept in memory. This solution sort of shifts the problem around but is generally a good tradeoff between automation and security. The idea is, similar to SSH host keys, on first boot a machine generates an identity and then a system administrator approves that identity and later gives that identity authorization to do tasks. Kubernetes has a lot of the groundwork in place for this and it is still underway[2].

[1]: https://github.com/destijl/community/blob/3418b4e4c6358f5dc7... [2]: https://github.com/kubernetes/features/issues/43

npmccallum8y ago

We are working on a solution to this problem in the Clevis project[0]. It is a basic FUSE filesystem that will transparently decrypt your secrets/configuration. It will evaluate your decryption policy on each open and log the attempt.

You can see the initial proof of concept[1]. It isn't secure yet, for a variety of reasons. But it is enough to play around with. Moving to a better encryption scheme will give us the ability to do locks and per-block validation.

[0]: https://github.com/latchset/clevis [1]: https://github.com/npmccallum/clevis/blob/fuse/src/clevis-fu...

sjeanpierre8y ago

In AWS the combination of IAM roles + Param store gives us a pretty decent version of this. We have the app talk to param store to get secrets then just keeps them in memory.

garblegarble8y ago

>Moreover, is there any sensible way at all to encrypt secrets without baking the secret key into your image? I can’t think of any.

Using PGP / GPG sounds like what you need

vikstrouss8y ago

Have you looked into docker swarm secrets? They work only with swarm services but I think they do what you want.

hosh8y ago

Kelsey Hightower has a repo experimenting with using HashiCorp Vault as a Secrets backend.

ctrlrsf8y ago

Have you considered using AWS KMS?

djb_hackernews8y ago· 3 in thread

This is great. I have been looking at Kubernetes for sometime and have struggled with adapting it to our deployment model. A lot of the tools and tutorials want someone to sit and run commands in order to start controllers and worker nodes but that doesn't make sense in our automated environment. What we really want is a way to bake AMIs etc that have everything ready to go and when we do a deployment or scale out it is as simple as starting an instance. This collection of labs lays a lot of that out and I think this is something we can work with.

felixgallo8y ago

Look into kops as well - great setup tool for well designed deployments.

djb_hackernews8y ago

We have, and as far as we could see it is a command line tool that needs to be run manually. This model doesn't work for us as we scale instances in and out by the dozens throughout the day. I could be missing something but anything that requires command line interaction isn't viable.

For instance, if we see that our worker cluster is has reached some consumed capacity threshold (CPU, memory, etc) then we need to add more worker nodes. The way we do this is via Auto Scaling Groups. Auto Scaling Groups work on launch configs that are essentially an AMI and instance user data. Getting an AMI that just has the Kubernetes stuff that can be started at will and told to join clusters at runtime has not been clear from the documentation I've read.

4 more replies

elsonrodriguez8y ago

Kops is ok, but it's a grey box that's meant to be used directly. It's also fairly AWS specific.

This guide is more of core recipe from which someone can bake automation with config management or custom images.

1 more reply

hosh8y ago· 1 in thread

I did something similar off of CoreOS's tutorial. So while I'm missing a lot of understanding of the newer functionality, going through this was worth it.

mdaniel8y ago

Another vote for CoreOS's repo; it was how I _really_ loaded k8s into my head, because the vagrant setup is multi-machine but _local_ and thus one can see what's going on and destroy-recreate it at will.

https://github.com/coreos/coreos-kubernetes/tree/master/mult...

I think one can choose which approach matches one's learning style, and I am very thankful we have both KTHW and coreos-kubernetes.

lima8y ago

I can highly recommend OpenShift and its Ansible deployment scripts. Documentation is very well-written and complete.

It takes care of all the annoying parts of Kubernetes and even has services like a full-featured Docker registry with ACLs and so on, a Docker build system and even a centralized logging mechanism (all optional, of course).

Running it in production. Couldn't be happier.

sleepybrett8y ago

The best way to actually understand how the kube components relate to each other and work together is to follow this guide.

MandieD8y ago

Going through the previous version of this tutorial really helped me, even though we're doing IBM Cloud private on-prem + Bluemix Container Service (don't ask.)

It works pretty well with Cloud Shell, in case you have corporate firewall issues. If your session is interrupted, run the commands that set the region and region zone again.

I can confirm that it costs about $6/day that the machines are provisioned, and is well worth it, but remember to run all the clean-up steps in the last chapter when you're done or if you're not going to finish it right away.

j / k navigate · click thread line to collapse