secrets management in mesos
play

Secrets Management in Mesos Vinod Kone ( vinodkone@apache.org ) - PowerPoint PPT Presentation

Sep 04, 2022 •111 likes •397 views

Secrets Management in Mesos Vinod Kone ( vinodkone@apache.org ) MesosCon EU 2017 About me Apache Mesos PMC and Committer Engineering Manager for Mesos team @ Mesosphere Previously Tech Lead for Mesos team @ Twitter PhD in

  1. Secrets Management in Mesos Vinod Kone ( vinodkone@apache.org ) MesosCon EU 2017

  2. About me ● Apache Mesos PMC and Committer ● Engineering Manager for Mesos team @ Mesosphere ● Previously Tech Lead for Mesos team @ Twitter ● PhD in Computer Science @ University of California Santa Barbara

  3. What is a secret? ● Any sensitive information ○ Passwords ○ SSH Keys ○ Certificates ○ API Keys ● Secrets should only be visible to authorized users ○ Typically only to the owner of the secret

  4. How should we handle secrets? ● Time in transit should be minimized ● Avoid persisting to disk if possible ● Limit possibility of interception

  5. Use case #1: Image pull secrets ● How to download images from a private Docker registry? ○ Needs credentials to authenticate Existing Solutions Limitations Docker Containerizer ● URIs accessible to all tasks / users ● Registry 1.0: Add .dockercfg as a TaskInfo URI. $HOME is ● Credentials are downloaded to sandbox => visible on host fs even after container terminates set to $MESOS_SANDBOX ● Registry 2.0: Add docker.tar.gz as a TaskInfo URI. Archive should contain .docker/config.json

  6. Use case #1: Image pull secrets ● How to download images from a private Docker registry? ○ Needs credentials to authenticate Existing Solutions Limitations Docker Containerizer ● URIs accessible to all tasks / users ● Registry 1.0: Add .dockercfg as a TaskInfo URI. $HOME is ● Credentials are downloaded to sandbox => visible on host fs set to $MESOS_SANDBOX ● Registry 2.0: Add docker.tar.gz as a TaskInfo URI. Archive should contain .docker/config.json Mesos Containerizer ● Credentials need to be configured by operators and not ● Add docker credentials to each agent via --docker_config application developers ● Per task credentials are not supported flag

  7. Use case #2: Application secrets ● An application (Mesos task) needs access to credentials to talk to other services Existing Solutions Limitations Pass secrets via `data` or `labels` in TaskInfo ● Labels exposed in API endpoints ● TaskInfo is visible on network without SSL

  8. Use case #2: Application secrets ● An application (Mesos task) needs access to credentials to talk to other services Existing Solutions Limitations Pass secrets via `data` or `labels` in TaskInfo ● Labels exposed in API endpoints ● TaskInfo is visible on network without SSL Fetch secrets from URIs ● No support for authenticated URIs ● Downloaded to sandbox => visible on host fs even after container termination

  9. Use case #2: Application secrets ● An application (Mesos task) needs access to credentials to talk to other services Existing Solutions Limitations Pass secrets via `data` or `labels` in TaskInfo ● Labels exposed in API endpoints ● TaskInfo is visible on network without SSL Fetch secrets from URIs ● No support for authenticated URIs ● Downloaded to sandbox => visible on host fs Out of band mechanisms (hooks, isolator modules) ● Complicated ● Not reusable

  10. Use case #3: Executor authentication ● Executors need to authenticate with agents with unique credentials ○ Credentials need to be securely passed to the executor

  11. Use case #3: Executor authentication ● Executors need to authenticate with agents with unique credentials ○ Credentials need to be securely passed to the executor ● There is historically no native support for executor authentication ○ Neither in v0 or v1 APIs ○ Tasks can spoof as executors!

  12. Goals ● Add first class support for Secrets in Mesos ● Integrate with 3rd party secret stores (e.g., HashiCorp Vault) ● Support environment based and file based secrets

  13. Solution overview ● Secret ● Secret Resolver ● Secret Isolators ○ `environment_secret` ○ `volume/secret`

  14. Secret Protobuf

  15. Secret Resolver Interface

  16. Architecture Isolator Secret Secret::Value Secret Resolver Secret Store Secret::Value Secret Provisioner

  17. Image pull secrets

  18. Image pull secrets workflow Secret Store TaskInfo Secret Resolver Image::Docker Provisioner -- Docker::config : foo Agent Docker Registry Secrets not visible to container! Container

  19. Environment based secrets

  20. Environment based secrets workflow Secret Store TaskInfo Secret Environment::Variable Resolver -- name : foo environment_secret isolator -- secret::Reference::name : bar Agent Environment foo : bar_value Task

  21. File based secrets

  22. File based secrets workflow Secret Store TaskInfo Secret Volume Resolver -- container_path : /secret volume/secret isolator -- source::secret::Reference::name : bar Agent Container tmpfs volume bar_value /secret Deleted after container termination

  23. Feature Status ● Secrets support included in Mesos 1.3.0 ○ Mesos Containerizer support for Image pull secrets ○ Environment based secrets ○ File based secrets ● Secret Resolver ○ Interface is modularized ○ `Value` based resolver included in Mesos repo ○ `Reference` based resolver can be implemented as a module

  24. Demo

  25. Future Work ● Image pull secrets ○ Support for Docker Containerizer ○ AppC / OCI support for Mesos Containerizer ● URI fetching ○ Use secrets to fetch URIs that require authentication ○ Fetch https URIs with TLS/SSL certificates

  26. Acknowledgements ● Gilbert Song ● Kapil Arya ● Jie Yu ● Chun-Hung Hsiao ● Adam Bordelon

  27. Thanks Design docs: Image pull secrets, File based secrets, Executor authentication

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Fault Domains in Mesos Vinod Kone (vinodkone@apache.org) About me Apache Mesos PMC and

Fault Domains in Mesos Vinod Kone (vinodkone@apache.org) About me Apache Mesos PMC and

Fault Domains in Mesos Vinod Kone (vinodkone@apache.org) About me Apache Mesos PMC and Committer Engineering Manager for Mesos team @ Mesosphere Previously Tech Lead for Mesos team @ Twitter PhD in Computer Science @

429 views • 24 slides
MESOS & CONTAINERS Overview of Mesos containerization and upcoming filesystem isolation

MESOS & CONTAINERS Overview of Mesos containerization and upcoming filesystem isolation

MESOS & CONTAINERS Overview of Mesos containerization and upcoming filesystem isolation support (a.k.a the docker like thing) Yan Xu xujyan WHAT IS A CONTAINER Loosely defined: a lightweight VM / OS-level virtualization /

620 views • 34 slides
Whispered Secrets Eleanor McHugh Whispered Secrets @feyeleanor http://leanpub.com/GoNotebook

Whispered Secrets Eleanor McHugh Whispered Secrets @feyeleanor http://leanpub.com/GoNotebook

Whispered Secrets Eleanor McHugh Whispered Secrets @feyeleanor http://leanpub.com/GoNotebook we all have secrets and these secrets matter to us thats what makes them secrets software should keep our secrets some secrets are awful

1k views • 75 slides
How Yelp.com Runs on Apache Mesos in AWS Spot Fleet for Fun and Profit (75% Off) Kyle Anderson -

How Yelp.com Runs on Apache Mesos in AWS Spot Fleet for Fun and Profit (75% Off) Kyle Anderson -

How Yelp.com Runs on Apache Mesos in AWS Spot Fleet for Fun and Profit (75% Off) Kyle Anderson - Yelp Yelps Mission Connecting people with great local businesses. Part 0: Spot / Spot Fleet Primer Part 1: Spot Fleet management + Mesos

1.06k views • 53 slides
APACHE COTTON MySQL on Mesos Yan Xu xujyan 1 SHORT HISTORY Mesos: cornerstone of

APACHE COTTON MySQL on Mesos Yan Xu xujyan 1 SHORT HISTORY Mesos: cornerstone of

APACHE COTTON MySQL on Mesos Yan Xu xujyan 1 SHORT HISTORY Mesos: cornerstone of Twitters compute platform. MySQL: backbone of Twitters data platform. Mysos: started as a hackweek project @twitter. Apache Cotton:

686 views • 35 slides
Mesos Go Stateful An Abstraction for frameworks running stateful workload Dhilip & Amit -

Mesos Go Stateful An Abstraction for frameworks running stateful workload Dhilip & Amit -

Mesos Go Stateful An Abstraction for frameworks running stateful workload Dhilip & Amit - PaaS Team, Huawei Contents Why Abstraction Available solution in Kubernetes Available solution in Mesos Mesos Go Stateful Design

492 views • 25 slides
Challenges in Optimizing Job Scheduling on Mesos Alex Gaudio Who Am I? Data Scientist and

Challenges in Optimizing Job Scheduling on Mesos Alex Gaudio Who Am I? Data Scientist and

Challenges in Optimizing Job Scheduling on Mesos Alex Gaudio Who Am I? Data Scientist and Engineer at Sailthru Mesos User Creator of Relay.Mesos Who Am I? Data Scientist and Engineer at Sailthru Distributed Computation

1.67k views • 137 slides
Presentation Secrets Presentation Secrets Filesize: 9.28 MB Reviews Reviews Just no phrases to

Presentation Secrets Presentation Secrets Filesize: 9.28 MB Reviews Reviews Just no phrases to

NAHPXXJI6KNA Book ^ Presentation Secrets Presentation Secrets Presentation Secrets Filesize: 9.28 MB Reviews Reviews Just no phrases to describe. It typically does not price an excessive amount of. It is extremely difficult to leave it before

260 views • 3 slides
M E S O S H T T P A P I @ v i n o d k o n e @ i j i m e n e Mesos 1.0 IS COMING M E S O S A

M E S O S H T T P A P I @ v i n o d k o n e @ i j i m e n e Mesos 1.0 IS COMING M E S O S A

M E S O S H T T P A P I @ v i n o d k o n e @ i j i m e n e Mesos 1.0 IS COMING M E S O S A P I S Scheduler API Executor API Internal API S l a v e S c h e d u l e r M a s t e r E x e c u t o r Operator API D E P E N D E N C E O N

481 views • 34 slides
Nvidia GPU Support on Mesos: Bridging Mesos Containerizer and Docker Containerizer MesosCon Asia

Nvidia GPU Support on Mesos: Bridging Mesos Containerizer and Docker Containerizer MesosCon Asia

Nvidia GPU Support on Mesos: Bridging Mesos Containerizer and Docker Containerizer MesosCon Asia - 2016 Yubo Li Research Stuff Member, IBM Research - China Email: liyubobj@cn.ibm.com 1 Dr. Yubo Li is a Researcher Stuff Member at IBM

486 views • 35 slides
Docker & Mesos/Marathon in production at OVH Balthazar Rouberol https://ovh.to/6bRrkAn 1

Docker & Mesos/Marathon in production at OVH Balthazar Rouberol https://ovh.to/6bRrkAn 1

Docker & Mesos/Marathon in production at OVH Balthazar Rouberol https://ovh.to/6bRrkAn 1 About Docker at OVH 2014-2015: Home-made container orchestrator, Sailabove, based on LXC 2016: Switch to Docker & Mesos/Marathon 6

487 views • 19 slides
Mesos Networking with Project Calico Ed Harrison and Neil Jerram Christos Kozyrakis, Spike

Mesos Networking with Project Calico Ed Harrison and Neil Jerram Christos Kozyrakis, Spike

Mesos Networking with Project Calico Ed Harrison and Neil Jerram Christos Kozyrakis, Spike Curtis, Kapil Arya, Dan Osborne, Connor Doyle, Niklas Nielsen, Tarak Parekh, Alex Pollitt The State of Mesos Networking Containers share the slave

285 views • 25 slides
Serenity MESOS OVERSUBSCRIPTION MODULE Szymon Konefa SOFTWARE ENGINEER INTEL CORPORATION

Serenity MESOS OVERSUBSCRIPTION MODULE Szymon Konefa SOFTWARE ENGINEER INTEL CORPORATION

Serenity MESOS OVERSUBSCRIPTION MODULE Szymon Konefa SOFTWARE ENGINEER INTEL CORPORATION Agenda Oversubscription Basics Oversubscription in Mesos Serenity Architecture Next steps for Serenity & Mesos Oversubscription

626 views • 24 slides
An introduction to the Mesos Framework Zoo Benjamin Bannier Benjamin Bannier

An introduction to the Mesos Framework Zoo Benjamin Bannier Benjamin Bannier

An introduction to the Mesos Framework Zoo Benjamin Bannier Benjamin Bannier benjamin.bannier@mesosphere.io Software engineer at Mesosphere working on Mesos Distributed columnar databases at ParStream (now Cisco ParStream) Experimental High

755 views • 32 slides
Presentation Secrets Presentation Secrets Filesize: 8.11 MB Reviews Reviews It is really an

Presentation Secrets Presentation Secrets Filesize: 8.11 MB Reviews Reviews It is really an

XUECRQXNRXVS Book Presentation Secrets Presentation Secrets Presentation Secrets Filesize: 8.11 MB Reviews Reviews It is really an remarkable book which i have ever go through. It can be writter in simple terms and not difficult to

343 views • 3 slides
Mesos + Singularity: Mesos + Singularity: PaaS automation for mortals PaaS automation for

Mesos + Singularity: Mesos + Singularity: PaaS automation for mortals PaaS automation for

Mesos + Singularity: Mesos + Singularity: PaaS automation for mortals PaaS automation for mortals Gregory Chomatas @gchomatas PaaS team 120 meters: My shortest travel to a Conference 120 meters: My shortest travel to a Conference Miletus

427 views • 38 slides
The Evolving Architecture of the Web Nick Sullivan Head of Cryptography CFSSL Universal SSL

The Evolving Architecture of the Web Nick Sullivan Head of Cryptography CFSSL Universal SSL

The Evolving Architecture of the Web Nick Sullivan Head of Cryptography CFSSL Universal SSL Keyless SSL Privacy Pass Geo Key Manager Recently Standards work TLS 1.3 C on peting Goals make browsing more performant private HTTP DNS

789 views • 77 slides
Using R to Analyze Recruiting Pipelines Maryam Jahanshahi Scientist @ TapRecruit @mjahanshahi

Using R to Analyze Recruiting Pipelines Maryam Jahanshahi Scientist @ TapRecruit @mjahanshahi

Using R to Analyze Recruiting Pipelines Maryam Jahanshahi Scientist @ TapRecruit @mjahanshahi Jenny Dearborn @ DearbornJenny If you were to ask your CFO to make a decision, she would rely on facts, not opinions. In contrast, for years, the HR

307 views • 12 slides
Welcome! Office Hours will start at 2pm and run until 3pm Please mute your microphone As time

Welcome! Office Hours will start at 2pm and run until 3pm Please mute your microphone As time

I-SHARE ALMA PRIMO VE OFFICE HOURS WILL START SHORTLY Welcome! Office Hours will start at 2pm and run until 3pm Please mute your microphone As time permits, we will respond to questions typed in the chat box, and offline afterwards, as needed

298 views • 9 slides
Ordinary DNS: www.google.com A? Client's k.root-servers.net com. NS a.gtld-servers.net Resolver

Ordinary DNS: www.google.com A? Client's k.root-servers.net com. NS a.gtld-servers.net Resolver

Ordinary DNS: www.google.com A? Client's k.root-servers.net com. NS a.gtld-servers.net Resolver a.gtld-servers.net A 192.5.6.30 www.google.com A? Client's a.gtld-servers.net google.com. NS ns1.google.com Resolver ns1.google.com A

375 views • 13 slides
ROBOTICS 01PEEQW Basilio Bona DAUIN Politecnico di Torino Mobile & Service Robotics

ROBOTICS 01PEEQW Basilio Bona DAUIN Politecnico di Torino Mobile & Service Robotics

ROBOTICS 01PEEQW Basilio Bona DAUIN Politecnico di Torino Mobile & Service Robotics Sensors for Robotics 2 Sensors for mobile robots Sensors are used to perceive, analyze and understand the environment around the robot

1.04k views • 38 slides
Privacy-Preserving DNS Analysis of Broadcast, Range Queries and Mixes Hannes Federrath,

Privacy-Preserving DNS Analysis of Broadcast, Range Queries and Mixes Hannes Federrath,

Privacy-Preserving DNS Analysis of Broadcast, Range Queries and Mixes Hannes Federrath, Karl-Peter Fuchs, Dominik Herrmann , Christopher Piosecny University of Hamburg (Germany) 1 Agenda Missing Privacy in DNS Characteristics of DNS Traffic

559 views • 24 slides
EE 457 Unit 9b In-Order Completion Speculation 2 Credits Some of the material in this

EE 457 Unit 9b In-Order Completion Speculation 2 Credits Some of the material in this

1 EE 457 Unit 9b In-Order Completion Speculation 2 Credits Some of the material in this presentation is taken from: Computer Architecture: A Quantitative Approach John Hennessy & David Patterson Some of the material in this

886 views • 49 slides
DNS-over-HTTPS (DoH) Arve Gengelbach October 25, 2019 Cryptoparty, Uppsala 1 HTTPS 2 3 4 5

DNS-over-HTTPS (DoH) Arve Gengelbach October 25, 2019 Cryptoparty, Uppsala 1 HTTPS 2 3 4 5

DNS-over-HTTPS (DoH) Arve Gengelbach October 25, 2019 Cryptoparty, Uppsala 1 HTTPS 2 3 4 5 6 HTTPS Encrypt traffic to ensure confidentiality, integrity and authenticity. Only browser and server read the communication The

839 views • 28 slides

More recommend