How to manage Kubernetes Secrets with Red Hat OpenShift

Learn the basics of Kubernetes Secrets and how Red Hat® OpenShift® can help you get the most out of your preferred Kubernetes Secrets management strategy. 

Most organizations must keep secrets—pieces of information or data that should only be accessed by specific people or workloads (like passwords, confidential data, TLS certificates, etc.). A dedicated secrets management system is specifically designed to handle sensitive data and connect to different platforms, including Kubernetes.

Using an external system for managing secrets gives organizations an extra layer of security and the ability to establish a higher-level “command center” where secrets can be audited, monitored, and controlled. This helps limit the uncontrolled spread of self-managed secrets within Kubernetes. Additionally, these systems can automate the entire lifecycle of a secret—including tasks like automatically rotating them, setting expiration dates, and revoking access. This helps reduce the risk of secrets becoming compromised over time.

Secrets management in Red Hat® OpenShift® is designed to be flexible and work with a variety of tools, so organizations are not locked in with a single vendor. This is achieved through an operator and plugin architecture which separates workloads and applications from the secrets manager. The workload doesn't need to know where or how a secret is stored. Instead, the operator, in combination with the vendor plugin, acts as the intermediary. The plugin handles all communication between the Red Hat OpenShift cluster and the external secrets manager, and the operator handles all communication between the plugin and the workloads. Because the system is built this way, any vendor can create a plugin as long as it follows the specific rules and APIs defined by the operator.

Red Hat OpenShift supports several options for managing secrets:

  • Secrets Store CSI Driver: allows Kubernetes to access and use multiple secrets, keys, and certificates from external secret management systems.
  • External Secrets Operator: synchronizes secrets from external management systems into Kubernetes Secrets and manages them in Red Hat OpenShift.  
  • Cert-manager: adds certificates and certificate issuers as type: Secret within a Kubernetes cluster.

What is included in this learning path?

  • What is a Kubernetes Secret?
  • Approaches to managing Kubernetes Secrets and other credentials in Red Hat OpenShift
  • Introductions to Secrets Store CSI Driver, External Secrets Operator, and cert-manager
  • Available partner and vendor integrations

What will you get?

  • An understanding of what Kubernetes Secrets are and how they work
  • Best strategies for managing Kubernetes Secrets for different workload requirements
  • How to get the most out of your preferred Kubernetes Secrets management methods using Red Hat OpenShift 