Today, managing secrets to protect access to sensitive data in Kubernetes is complicated. It adds lots of components that are troublesome for security professionals. As a result, this security layer in Kubernetes is not optimal.
This changes with Trousseau’s open source project software, available today. Secrets management can now be added to Kubernetes along with support for any key management encryption, starting with HashiCorp Vault. The Trousseau open source software is available here on GitHub.
Romuald Vandepoel, principal cloud architect with Ondat and the project lead for Trousseau, said, “There have been previous projects that attempted to solve this problem, but they required adding lots of components. Naturally, security teams didn’t like that approach because it introduced additional complexity making security more difficult. Secrets management has always been one of the most difficult issues in Kubernetes and the Trousseau Vault integration provides the long-sought answer to that problem.“
Trousseau uses Kubernetes etcd to store API object definitions and states. The Kubernetes secrets are shipped into the etcd key-value store database using an in-flight envelope encryption scheme with a remote transit key saved in a KMS. Secrets protected and encrypted with Trousseau and its native Kubernetes integration can connect with a key management system to secure database credentials, a configuration file or TLS (Transport Layer Security) certificate that contains critical information and is easily accessible by an application using the standard Kubernetes API primitives.
“We’re realizing two big benefits of Trousseau – first, simplicity as a plugin with the existing KMS, HashiCorp Vault, and second, integrating with GitOps workflows using the native Kubernetes API,” said Bill Wong, CEO, SunnyVision Limited. “It’s provided us with the added security we need without disruption.”
With Trousseau, any user/workload can leverage the native Kubernetes way to store and access secrets in a safe way by plugging into any KMS provider, like Hashicorp Vault (Community and Enterprise editions), using the Kubernetes KMS provider framework. No additional changes or new skills are required. It’s also possible to transition among Kubernetes platforms using the consistent Kubernetes API.
Trousseau is currently being rolled out in a production customer implementation on Suse Rancher Kubernetes Engine 2 leveraging Ondat as the data management platform, along with Hashicorp Vault.
“This lack of a standardized approach to secrets management in Kubernetes has been detriment to security, and the complexity has been an impediment to adoption in certain cases,” said Asvin Ramesh, Senior Director, Alliances, Hashicorp. “We’re excited to support the Trousseau Vault open-source initiative which tackles this problem by delivering a new level of simplicity for Kubernetes users, along with better security protection.”
For more information, read How to keep a secret secret within Kubernetes, and join the Data on Kubernetes Meetup Unravel the Key to Kubernetes Secrets workshop on February 16.
About the Trousseau Project
Conceived in November 2020, the “why” behind Trousseau was presented at FOSDEM early in 2021, and the first open-source software made available in December. It provides native Kubernetes secrets management for controlled access to sensitive data that simplifies and brings better security to Kubernetes.
Ondat is the Kubernetes-native platform for running stateful applications, anywhere, at scale. Ondat delivers persistent storage directly onto any Kubernetes cluster for running business-critical, stateful applications safely across any public, private and hybrid clouds. For development, DevOps professionals and technology executives, it provides an agnostic platform to run any data service anywhere while ensuring industry-leading levels of application performance, high availability and security.