

Hybrid Multi-cloud dynamic security management
source link: http://wei-meilin.blogspot.com/2021/08/hybrid-multi-cloud-dynamic-security.html?utm_campaign=Feed%3A+blogspot%2FhFXzh+%28Christina+%E7%9A%84+J%E8%80%81%E9%97%86%29

Hybrid multi-cloud can be difficult. This is my study of a real customer use case on their journey using GitOps, a multi-cluster management system, and securing dynamic infrastructure secrets.
Quick recap,
In my series of articles I went over the study I did among Red Hat customers that make the jump towards deploying their workloads on hybrid and multi-cloud environments. These articles are abstractions of the common generic components, summarized according to the actual implementations.
To overcome the common obstacles of going hybrid and multi-cloud, such as finding talent with multi-cloud knowledge, securing and protecting workloads across low-trust networks, or just day-to-day operation across the board, I have identified some solutions from the study, which I cover in this series of articles:
- Briefing of the Hybrid Multi-cloud study
- Overview of making Hybrid Multi-cloud GitOps works
- Hybrid Multi-cloud dynamic security management
- Observability in Hybrid Multi-cloud environment
Dynamic Security Management,
Kubernetes offers its own secret management control. It is sufficient for running a single cluster, but when you are trying to manage multiple sets of credentials and secure configurations, especially with the introduction of automated processes and continuous delivery practices, we need a better way to securely and centrally manage this data.
How it works,
Check out my previous article on the setup of the hybrid and multi-cloud environment and, if you are interested, another article on getting GitOps to work. For now, we are going to assume we have a fleet of clusters deployed on top of multiple cloud vendors, and one in the local data center. All the infrastructure is defined as code and stored in a source management system, and our GitOps system constantly converges the managed clusters to their desired state. To set up a secure way to manage credentials and configuration across clusters, we need two components:
- External Secret management in OpenShift/Kubernetes
  - Enables the use of external secret management systems (like HashiCorp Vault in this case) to securely add secrets into the OpenShift platform.
- HashiCorp Vault
  - Secure centralized store for dynamic infrastructure and applications across clusters, for low-trust networks between clouds and data centers.
This is how the two components work together to manage secrets in dynamic infrastructure:
1. During setup, the token to securely access HashiCorp Vault is stored in Ansible Vault. It is encrypted to protect sensitive content.
2. Red Hat Advanced Cluster Management for Kubernetes (RHACM) gives us centralized control over the managed clusters. It acquires the token from Ansible Vault during install and distributes it among the clusters.
3. To allow the clusters access to the external vault, we need to set up external secret management. OpenShift GitOps is used to deploy the external secret object to a managed cluster.
4. External secret management fetches secrets from HashiCorp Vault using the token we created in step 2, and constantly watches for updates.
5. Secrets are created in each namespace, where applications can use them.
This is how to manage dynamic infrastructure secrets in a multi-cluster and cloud environment.
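Steps 3 to 5 expressed as manifests, as an added example that is not from the original article. It assumes the External Secrets Operator CRDs (`external-secrets.io/v1beta1`) as the external secret management layer; the Vault address, namespace, secret names and paths are hypothetical placeholders.

```yaml
# Added example. Assumption: External Secrets Operator is installed on the
# managed cluster. All names, the namespace and the Vault URL are hypothetical.

# Tells the operator how to reach Vault. The token is NOT stored in Git:
# "vault-token" is the Kubernetes Secret holding the Vault token that the
# cluster manager distributed in step 2.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: vault-backend
  namespace: demo-app
spec:
  provider:
    vault:
      server: "https://vault.example.internal:8200"  # placeholder address
      path: "secret"        # KV mount point in Vault
      version: "v2"         # KV secrets engine version
      auth:
        tokenSecretRef:
          name: "vault-token"
          key: "token"
---
# The "external secret object" that GitOps deploys (step 3). It contains only
# a reference to the Vault path, so it is safe to keep in the Git repository.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: db-credentials
  namespace: demo-app
spec:
  refreshInterval: "15m"    # step 4: re-read Vault so rotated values propagate
  secretStoreRef:
    name: vault-backend
    kind: SecretStore
  target:
    name: db-credentials    # step 5: Kubernetes Secret created in this namespace
    creationPolicy: Owner   # Secret is removed when the ExternalSecret is removed
  data:
    - secretKey: password   # key inside the resulting Kubernetes Secret
      remoteRef:
        key: demo-app/db    # path under the KV mount (hypothetical)
        property: password  # field within that Vault secret
```

Because the token Secret lives on every managed cluster, binding it to a Vault policy that can only read the paths that cluster needs limits what a single compromised cluster exposes.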