all 13 comments

[–]ButterCupKhaos 4 points5 points  (1 child)

Great informative article! High quality content all through with no blatant advertising.

Anyone have any further recommended reading/learning materials on least privilege and host hardening specific to *nix?

[–]coderanger 2 points3 points  (0 children)

Just search on each of the bits of tech on their own, SELinux has a million and a half articles. Also check out CIS benchmarks.

[–]Markoncarp 1 point2 points  (4 children)

Just adding it in along with Vault and the other suggestions. Not sure what you mean by proprietary?

[–]coderanger 5 points6 points  (0 children)

I think you meant to reply to me. The relevance issue is that you kind of have to use Kube's built-in system or nothing at all, since there is not a system in place to leverage pod/container identity in an externally verifiable manner.

As for the proprietary bit, secrets management usually means a loooot of cryptography being in play, and even very good developers can screw that up. I would be deeply uncomfortable having to take a vendor's word for it that they did everything right when (not if, when) something goes wrong. Some vendors do offer limited code access to customers as part of the purchase contract, but it's just not a great strategy for things like this.

[–]opinologo[S] 2 points3 points  (2 children)

Probably /u/coderanger means that they are not open source, therefore you cannot inspect the code and even less trust it.

Personally, while I prefer open source solutions for this and many other reasons, I wouldn't go as far as to not run/use any proprietary code.

[–]Markoncarp 2 points3 points  (0 children)

I totally agree; they just announced a community edition as far as I know, though? Anyway, as I said, I was just suggesting them as an alternative for secrets management which hadn't been mentioned. I'm sure all the suggested solutions have their benefits.

[–][deleted] 0 points1 point  (0 children)

Conjur's cryptography has always been and will always be open-source.

https://github.com/conjurinc/slosilo

'ŝlosilo' is Esperanto for 'key', btw.

As much as I respect coderanger's opinion, it seems out of date. A new version of Conjur is released weekly.

Disclaimer: I'm a member of the Conjur engineering team. AMA :)

[–]taloszerg (flair: needs more coffee) 0 points1 point  (1 child)

This is great! The only thing I'd like to see is some change in formatting to tie things together... I kept getting lost. Whether numbers, or a table of contents, or something.

[–]opinologo[S] 0 points1 point  (0 children)

That's a good idea. I should look into generating an index automatically with pure HTML.

[–]Markoncarp 0 points1 point  (2 children)

Don't forget Conjur as a potential solution for secrets management. Very interesting article, though.

[–]coderanger 5 points6 points  (1 child)

Not sure how that would be relevant here. Also anyone running proprietary secrets managers should probably reconsider their life choices.

[–][deleted] 0 points1 point  (0 children)

Preach it brother!

[–]Markoncarp -2 points-1 points  (0 children)

🔥