A containerd runc shim for replacing environment variables with external secrets


ext-secrets-runc-shim

A containerd, runc-based, shim for replacing environment variables with secrets from arbitrary external engines.

Quickstart

Installation

There is likely a better way to do this, but in the meantime, the quickest way to set a node up with this shim is to replace the runtime_type of the default runc shim.

First, go to the releases page and download the binary for your system architecture. Once it is downloaded, place it in the default PATH on your Kubernetes node(s). It is important that you name the binary containerd-shim-ext-secrets-runc-v1. You may replace the ext-secrets-runc part depending on the runtime_type you specify below.

As an alternative to downloading, clone this repository and run make. The output will be in test/shim.

While this project is a very early-stage POC and not recommended for daily use, a more persistent and scalable installation would obviously be to bake the binary and the configuration below into your node image(s) or bootstrap.

Edit /etc/containerd/config.toml and replace the contents of the following section as follows:

[plugins.cri.containerd.runtimes.runc]
  # This is an existing value that needs to be changed
  runtime_type = "io.containerd.ext-secrets-runc.v1"
  # On most installations you will need to add this parameter to the section
  pod_annotations = ["ext-secrets.runc.io/*"]

And that's it! All pods on this node should now run via the shim. No Webhooks, no Custom Resources, no CLI commands.

Usage

Usage will vary depending on the secret provider, but what they all have in common is how they are invoked. Simply replace the value key in your environment variable configuration with something like the following:

      env:
      - name: PASSWORD
        value: ext-secret:ssm:secrets/my-secret-password

The "path" expressed in value breaks down as ext-secret:<provider>:<secret_path>.

Caveats apply depending on the secret provider used. See below for more details on what each provider assumes/requires.
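As an added example (not code from the ext-secrets-runc-shim project), the following Go program shows how a value in this format can be parsed and substituted into a process environment made of "KEY=VALUE" entries, the form the OCI runtime spec uses. The Resolver interface, the in-memory mapResolver, and the fail-closed behaviour on an unknown provider or a failed lookup are this example's own choices rather than the project's API; the secret path is kept whole even when it contains further colons.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// refPrefix is the marker the README uses in a container env value.
const refPrefix = "ext-secret:"

// SecretRef is a parsed "ext-secret:<provider>:<secret_path>" value.
type SecretRef struct {
	Provider string
	Path     string
}

// ParseSecretRef splits a value of the form "ext-secret:<provider>:<secret_path>".
// Only the first two separators are significant, so a path that itself contains
// colons survives intact. ok is false for ordinary, non-reference values.
func ParseSecretRef(value string) (ref SecretRef, ok bool, err error) {
	if !strings.HasPrefix(value, refPrefix) {
		return SecretRef{}, false, nil
	}
	rest := strings.TrimPrefix(value, refPrefix)
	parts := strings.SplitN(rest, ":", 2)
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return SecretRef{}, true, fmt.Errorf("malformed secret reference %q: want ext-secret:<provider>:<secret_path>", value)
	}
	return SecretRef{Provider: parts[0], Path: parts[1]}, true, nil
}

// Resolver fetches one secret by path; each provider tag (vault, ssm, gsm, akv)
// would map to one implementation. This interface is hypothetical.
type Resolver interface {
	Resolve(path string) (string, error)
}

// ResolveEnv rewrites a process environment ("KEY=VALUE" entries), replacing every
// ext-secret reference with the value fetched from the matching provider.
// Non-reference entries pass through untouched. Any failure aborts the whole
// rewrite so the raw reference string is never left in a running container.
func ResolveEnv(env []string, providers map[string]Resolver) ([]string, error) {
	out := make([]string, 0, len(env))
	for _, kv := range env {
		key, value, found := strings.Cut(kv, "=")
		if !found {
			out = append(out, kv)
			continue
		}
		ref, isRef, err := ParseSecretRef(value)
		if err != nil {
			return nil, err
		}
		if !isRef {
			out = append(out, kv)
			continue
		}
		r, known := providers[ref.Provider]
		if !known {
			return nil, fmt.Errorf("env %s: unknown secret provider %q", key, ref.Provider)
		}
		secret, err := r.Resolve(ref.Path)
		if err != nil {
			return nil, fmt.Errorf("env %s: resolving %s: %w", key, ref.Path, err)
		}
		out = append(out, key+"="+secret)
	}
	return out, nil
}

// mapResolver is a constructed in-memory stand-in for a real secret engine,
// present only so the example runs offline.
type mapResolver map[string]string

func (m mapResolver) Resolve(path string) (string, error) {
	v, ok := m[path]
	if !ok {
		return "", errors.New("secret not found")
	}
	return v, nil
}

func main() {
	providers := map[string]Resolver{
		"ssm": mapResolver{"secrets/my-secret-password": "s3cr3t"}, // constructed sample
	}
	env := []string{"PATH=/usr/bin", "PASSWORD=ext-secret:ssm:secrets/my-secret-password"}
	resolved, err := ResolveEnv(env, providers)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, kv := range resolved {
		fmt.Println(kv)
	}
}
```

Because the substitution happens in the shim, the resolved value exists only in the container's process environment; the pod spec that the API server stores and that kubectl prints still carries the opaque reference.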

Secret Providers

Below is a table of the secret providers implemented and/or tested. Since this project is still a POC, "tested" here means only that a basic functionality test has been done.

Provider               Tag    Implemented  Tested
Vault                  vault  ✔️           ✔️
AWS SSM                ssm    ✔️
Google Secret Manager  gsm    ✔️
Azure Key Vault        akv    ✔️

Feel free to open a PR to track the implementation of other secret storage engines.

Caveats

Vault

Kubernetes service account authentication is used to retrieve a vault token. The service account of the pod being created is used. Additionally, the following pod annotations are parsed for configurations:

# ...
metadata:
  annotations:
    # The address of the vault server
    ext-secrets.runc.io/vault-addr: https://vault.example.com:8200
    # The auth role to use when retrieving a vault token
    ext-secrets.runc.io/vault-auth-role: ext-secrets
# ...

The Vault address must resolve from outside the Kubernetes network: the shim runs on the node rather than inside a pod, so an in-cluster Service name that only cluster DNS can resolve will not work.

See the simple test pod for an example.

SSM

The default credential chain on the node running the pod is used when retrieving the secret value. Because the node's credentials are used rather than the pod's identity, any pod scheduled on that node can reference any secret those credentials can read; the same holds for the other providers below that use the node credential chain.

Google Secret Manager

The default credential chain on the node running the pod is used when retrieving the secret value.

Azure Key Vault

The default credential chain on the node running the pod is used when retrieving the secret value. Additionally, the following pod annotations are parsed for configurations:

# ...
metadata:
  annotations:
    # The KeyVault Base URL
    ext-secrets.runc.io/keyvault-base-url: https://myakv.vault.azure.net
# ...
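To show how the annotation-driven configuration above fits together, here is an added Go example (not the project's code) that first filters a pod's annotations down to the ones matching the pod_annotations glob from the containerd configuration, the set containerd forwards to the runtime spec, and then reads the Vault and Azure Key Vault settings from them. Treating both Vault annotations as required, and validating the addresses as absolute URLs, are assumptions of this example, and the function names are hypothetical.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// annotationGlob mirrors the pod_annotations pattern in the containerd config:
// only keys matching it reach the shim through the runtime spec.
const annotationGlob = "ext-secrets.runc.io/*"

// FilterAnnotations keeps only the annotations containerd would forward to the shim.
func FilterAnnotations(all map[string]string) map[string]string {
	kept := make(map[string]string)
	for k, v := range all {
		if ok, _ := path.Match(annotationGlob, k); ok {
			kept[k] = v
		}
	}
	return kept
}

// VaultConfig carries the two Vault annotations documented above.
type VaultConfig struct {
	Addr     string
	AuthRole string
}

// VaultConfigFromAnnotations reads vault-addr and vault-auth-role. Requiring both,
// and requiring the address to be an absolute http(s) URL, is this example's choice.
func VaultConfigFromAnnotations(ann map[string]string) (VaultConfig, error) {
	cfg := VaultConfig{
		Addr:     strings.TrimSpace(ann["ext-secrets.runc.io/vault-addr"]),
		AuthRole: strings.TrimSpace(ann["ext-secrets.runc.io/vault-auth-role"]),
	}
	if cfg.Addr == "" {
		return VaultConfig{}, fmt.Errorf("missing annotation ext-secrets.runc.io/vault-addr")
	}
	u, err := url.Parse(cfg.Addr)
	if err != nil || u.Host == "" || (u.Scheme != "http" && u.Scheme != "https") {
		return VaultConfig{}, fmt.Errorf("vault-addr %q is not an absolute http(s) URL", cfg.Addr)
	}
	if cfg.AuthRole == "" {
		return VaultConfig{}, fmt.Errorf("missing annotation ext-secrets.runc.io/vault-auth-role")
	}
	return cfg, nil
}

// KeyVaultBaseURLFromAnnotations reads the Azure Key Vault base URL annotation.
// Key Vault endpoints are always https, so anything else is rejected here.
func KeyVaultBaseURLFromAnnotations(ann map[string]string) (string, error) {
	raw := strings.TrimSpace(ann["ext-secrets.runc.io/keyvault-base-url"])
	u, err := url.Parse(raw)
	if raw == "" || err != nil || u.Scheme != "https" || u.Host == "" {
		return "", fmt.Errorf("keyvault-base-url %q must be an https URL", raw)
	}
	return strings.TrimRight(raw, "/"), nil
}

func main() {
	// Constructed pod annotations: the two shim keys plus an unrelated one the glob drops.
	podAnnotations := map[string]string{
		"ext-secrets.runc.io/vault-addr":      "https://vault.example.com:8200",
		"ext-secrets.runc.io/vault-auth-role": "ext-secrets",
		"prometheus.io/scrape":                "true",
	}
	ann := FilterAnnotations(podAnnotations)
	cfg, err := VaultConfigFromAnnotations(ann)
	fmt.Println(len(ann), cfg, err)
}
```

The filtering step matters operationally: if pod_annotations is missing from the containerd runtime section, the shim never sees the vault-addr annotation at all, which is the failure mode the comment in the config.toml snippet above is warning about.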

Building and Testing Locally

The Makefile contains helpers for testing the shim locally in a k3d cluster. You must have at least the following installed on your system for various targets:

  • go
  • docker
  • kubectl
  • helm

To build the shim:

make
# OR
make build

To spin up a k3d cluster (k3d will be installed locally) using the shim with a configured vault installation:

make k3d-up

To tear down the k3d environment:

make k3d-down

To run an e2e test with vault as the secret backend:

make testacc