Open-source software to protect secrets in Kubernetes adds first key manager to its portfolio.

The project managers of an open-source plug-in for Kubernetes that allows the orchestration software to better use encryption to protect its secrets have announced support for its first key management provider. The move is a step forward for Trousseau, the plug-in that creates a universal way to protect secrets in Kubernetes.

Without Trousseau, managing secrets to protect sensitive data in Kubernetes can be complicated. Many components need to be created to support the process, which can be a headache for security teams. With Trousseau, secrets management can be added easily to Kubernetes along with support for any key management encryption provider.

HashiCorp Vault is the first Key Management System provider to be announced for the plug-in by project manager Ondat, but more are planned down the road.

Secrets management in Kubernetes has always been difficult

“There have been previous projects that attempted to solve this problem, but they required adding lots of components,” Romuald Vandepoel, principal cloud architect with Ondat and the project lead for Trousseau, said in a news release. “Naturally, security teams didn’t like that approach because it introduced additional complexity, making security more difficult.” “Secrets management has always been one of the most difficult issues in Kubernetes,” he added.

Trousseau acts as a proxy

Trousseau uses Kubernetes etcd to store API object definitions and states. The Kubernetes secrets are shipped into the etcd key-value store database using an in-flight envelope encryption scheme with a remote transit key saved in a KMS.
Secrets protected and encrypted with Trousseau and its native Kubernetes integration can connect with a KMS to secure database credentials, a configuration file or a TLS certificate that contains critical information and is easily accessible by an application using the standard Kubernetes API primitives.

“Kubernetes talks to Trousseau — they speak the same language — then it’s the job of Trousseau to talk to the key management system providers and act as a translator,” Nicolas Vermande, a principal developer advocate at Ondat, tells CSO. “Trousseau acts as a proxy that allows Kubernetes to talk to the backend of the KMS provider without any friction.”

Getting cloud-native security “right”

Ratan Tipirneni, president and CEO of Tigera, a container security provider, explains that getting cloud-native security right requires the right security architecture. “One important component of this architecture is to be able to secure passwords, API keys, and secrets in a manner that supports the highly dynamic and automated nature of Kubernetes,” he says. “We also believe that all the components in the security architecture should be implemented in a kube-native manner, so that day-two operations don’t expose new holes as various components are upgraded on an ongoing basis.”

“This is why we believe that Trousseau’s approach to secret management implemented in a kube-native manner is an elegant architecture,” Tipirneni says.

A lot of security problems stem from developers being under pressure to get things out quickly and the difficulty of building systems or code securely, adds Mike Parkin, an engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation. “Managing secrets in Kubernetes is a known challenge, so a project like this that makes it easier is welcome.
Being an open-source project should help with adaptation and having many eyes on the code will help keep it secure.”