The adoption of Kubernetes and container-based platforms increases the need for security to protect cloud-first initiatives. An essential component of the Kubernetes security is authentication. Kubernetes clusters are machines and always need to be validated via machine identities to ensure the integrity and confidentiality of communications.
The majority (88%) of IT decision makers are exploring Kubernetes and containers, according to 2021 data from New Relic. However, as with any technology, new security concerns are emerging.
A Red Hat survey of Kubernetes adoption and security showed that
The main risks facing Kubernetes production environments can be summarized in the bullets below:
To address the above challenges, organizations are required to implement a series of policies and controls to secure their clusters. These controls include defining a network policy, pod security policy and managing the Kubernetes secrets. Besides these important controls, organizations must focus their efforts on controlling access to their clusters. The primary access point for a Kubernetes cluster is the Kubernetes API, therefore we need to authenticate and authorize both developers and services accessing the API. Controlling and limiting who can access the cluster and what actions they are allowed to perform is the first line of defense.
Kubernetes expects that all API communication in the cluster is encrypted by default with TLS. The majority of cluster installation methods allow the necessary certificates to be created and distributed to the cluster components.
API authentication covers both humans and clients accessing the API. For the human side of authentication, you must choose strong verification, based on multifactor authentication methods. The concept of least privilege is extremely crucial. Besides humans, you must also authenticate all API clients, even those that are part of the infrastructure like nodes, proxies, the scheduler, and volume plugins. These clients are typically service accounts or use X.509 client certificates, and they are created automatically at cluster startup or are setup as part of the cluster installation. Setting up an effective, flexible and scalable machine identity management program is the cornerstone of validating the authenticity of these machines.
Once authenticated, every API call passes an authorization check. Kubernetes ships an integrated Role-Based Access Control (RBAC) component that matches an incoming user or group to a set of permissions bundled into roles. These permissions combine verbs (get, create, delete) with resources (pods, services, nodes) and can be namespace-scoped or cluster-scoped. As with authentication, simple and broad roles may be appropriate for smaller clusters, but as more users interact with the cluster, it may become necessary to separate teams into separate namespaces with more limited roles.
The solution to overcome many of these challenges is to employ a common service for certificates via an API that is integrated with DevOps tooling. Venafi-as-a-Service integrates seamlessly with Kubernetes and Jetstack cert-manager to improve security and availability of your clusters, ensure compliance, and accelerate software development by reducing complexity. Combining the functionality and efficiency of Venafi and cert-manager allows DevOps engineers to extend the functionality of various different CA’s within Kubernetes with just one integration.
Start your free trial today and begin your path to securing your containerized applications and multi-cloud environments.