richard
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3431 Commits
29 Branches
80 Tags
156 MiB
Tree: 82a28d6bb3
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '82a28d6bb3'
${ noResults }
kubespray/docs/vault.md

95 lines
3.9 KiB
Raw Normal View History

Vault security hardening and role isolation
7 years ago
fix a typo
6 years ago
Vault security hardening and role isolation
7 years ago
rename almost all mentions of kargo
7 years ago
Vault security hardening and role isolation
7 years ago
Change single Vault pki mount to multi pki mounts paths for etcd and kube CA`s (#1552) * Added update CA trust step for etcd and kube/secrets roles * Added load_balancer_domain_name to certificate alt names if defined. Reset CA's in RedHat os. * Rename kube-cluster-ca.crt to vault-ca.crt, we need separated CA`s for vault, etcd and kube. * Vault role refactoring, remove optional cert vault auth because not not used and worked. Create separate CA`s fro vault and etcd. * Fixed different certificates set for vault cert_managment * Update doc/vault.md * Fixed condition create vault CA, wrong group * Fixed missing etcd_cert_path mount for rkt deployment type. Distribute vault roles for all vault hosts * Removed wrong when condition in create etcd role vault tasks.
7 years ago
Vault security hardening and role isolation
7 years ago
Change single Vault pki mount to multi pki mounts paths for etcd and kube CA`s (#1552) * Added update CA trust step for etcd and kube/secrets roles * Added load_balancer_domain_name to certificate alt names if defined. Reset CA's in RedHat os. * Rename kube-cluster-ca.crt to vault-ca.crt, we need separated CA`s for vault, etcd and kube. * Vault role refactoring, remove optional cert vault auth because not not used and worked. Create separate CA`s fro vault and etcd. * Fixed different certificates set for vault cert_managment * Update doc/vault.md * Fixed condition create vault CA, wrong group * Fixed missing etcd_cert_path mount for rkt deployment type. Distribute vault roles for all vault hosts * Removed wrong when condition in create etcd role vault tasks.
7 years ago
Vault security hardening and role isolation
7 years ago
Change single Vault pki mount to multi pki mounts paths for etcd and kube CA`s (#1552) * Added update CA trust step for etcd and kube/secrets roles * Added load_balancer_domain_name to certificate alt names if defined. Reset CA's in RedHat os. * Rename kube-cluster-ca.crt to vault-ca.crt, we need separated CA`s for vault, etcd and kube. * Vault role refactoring, remove optional cert vault auth because not not used and worked. Create separate CA`s fro vault and etcd. * Fixed different certificates set for vault cert_managment * Update doc/vault.md * Fixed condition create vault CA, wrong group * Fixed missing etcd_cert_path mount for rkt deployment type. Distribute vault roles for all vault hosts * Removed wrong when condition in create etcd role vault tasks.
7 years ago
Vault security hardening and role isolation
7 years ago
  1. Hashicorp Vault Role
  2. ====================
  4. Overview
  5. --------
  7. The Vault role is a two-step process:
  9. 1. Bootstrap
  11. You cannot start your certificate management service securely with SSL (and
  12. the datastore behind it) without having the certificates in-hand already. This
  13. presents an unfortunate chicken and egg scenario, with one requiring the other.
  14. To solve for this, the Bootstrap step was added.
  16. This step spins up a temporary instance of Vault to issue certificates for
  17. Vault itself. It then leaves the temporary instance running, so that the Etcd
  18. role can generate certs for itself as well. Eventually, this may be improved
  19. to allow alternate backends (such as Consul), but currently the tasks are
  20. hardcoded to only create a Vault role for Etcd.
  22. 2. Cluster
  24. This step is where the long-term Vault cluster is started and configured. Its
  25. first task, is to stop any temporary instances of Vault, to free the port for
  26. the long-term. At the end of this task, the entire Vault cluster should be up
  27. and ready to go.
  29. Keys to the Kingdom
  30. -------------------
  32. The two most important security pieces of Vault are the ``root_token``
  33. and ``unsealing_keys``. Both of these values are given exactly once, during
  34. the initialization of the Vault cluster. For convenience, they are saved
  35. to the ``vault_secret_dir`` (default: /etc/vault/secrets) of every host in the
  36. vault group.
  38. It is *highly* recommended that these secrets are removed from the servers after
  39. your cluster has been deployed, and kept in a safe location of your choosing.
  40. Naturally, the seriousness of the situation depends on what you're doing with
  41. your Kubespray cluster, but with these secrets, an attacker will have the ability
  42. to authenticate to almost everything in Kubernetes and decode all private
  43. (HTTPS) traffic on your network signed by Vault certificates.
  45. For even greater security, you may want to remove and store elsewhere any
  46. CA keys generated as well (e.g. /etc/vault/ssl/ca-key.pem).
  48. Vault by default encrypts all traffic to and from the datastore backend, all
  49. resting data, and uses TLS for its TCP listener. It is recommended that you
  50. do not change the Vault config to disable TLS, unless you absolutely have to.
  52. Usage
  53. -----
  55. To get the Vault role running, you must to do two things at a minimum:
  57. 1. Assign the ``vault`` group to at least 1 node in your inventory
  58. 1. Change ``cert_management`` to be ``vault`` instead of ``script``
  60. Nothing else is required, but customization is possible. Check
  61. ``roles/vault/defaults/main.yml`` for the different variables that can be
  62. overridden, most common being ``vault_config``, ``vault_port``, and
  63. ``vault_deployment_type``.
  65. As a result of the Vault role will be create separated Root CA for `etcd`,
  66. `kubernetes` and `vault`. Also, if you intend to use a Root or Intermediate CA
  67. generated elsewhere, you'll need to copy the certificate and key to the hosts in the vault group prior to running the vault role. By default, they'll be located at:
  69. * vault:
  70. * ``/etc/vault/ssl/ca.pem``
  71. * ``/etc/vault/ssl/ca-key.pem``
  72. * etcd:
  73. * ``/etc/ssl/etcd/ssl/ca.pem``
  74. * ``/etc/ssl/etcd/ssl/ca-key.pem``
  75. * kubernetes:
  76. * ``/etc/kubernetes/ssl/ca.pem``
  77. * ``/etc/kubernetes/ssl/ca-key.pem``
  79. Additional Notes:
  81. - ``groups.vault|first`` is considered the source of truth for Vault variables
  82. - ``vault_leader_url`` is used as pointer for the current running Vault
  83. - Each service should have its own role and credentials. Currently those
  84. credentials are saved to ``/etc/vault/roles/<role>/``. The service will
  85. need to read in those credentials, if they want to interact with Vault.
  87. Potential Work
  88. --------------
  90. - Change the Vault role to not run certain tasks when ``root_token`` and
  91. ``unseal_keys`` are not present. Alternatively, allow user input for these
  92. values when missing.
  93. - Add the ability to start temp Vault with Host, Rkt, or Docker
  94. - Add a dynamic way to change out the backend role creation during Bootstrap,
  95. so other services can be used (such as Consul)