Lessons learned securing Kubernetes in the cloud
Until recently, our global reinsurance company ran a classic on-premises infrastructure, relying entirely on our own hardware in several data centers spread around the world. We recognized, however, that this infrastructure could hold back initiatives that require faster application development and quicker delivery of digital products and services.
This realization led us to pursue a new cloud infrastructure and new deployment procedures for various workloads that would increase automation, reduce complexity, and support lean and agile operations. Naturally, security was top of mind as well. Moving some of our critical workloads from our large, single corporate network to the cloud, we wanted to make sure the new environment could be continuously hardened against potential threats.
Choosing a cloud, open source, and Kubernetes
The goal for my architecture team was to build small network deployments in the cloud whose assets would ultimately be owned by other teams. In this enabler role, we would provide the infrastructure foundation for teams to deploy innovative applications rapidly and get to market quickly.
Our company is a Microsoft shop, so the decision to build our new cloud infrastructure in Microsoft Azure was obvious. Our next decision was to move to microservices-based applications, with an eye on automation and on both infrastructure as code and security as code.
While our security officers were initially wary of open source solutions, vetting cloud tools quickly led us to the realization that the best solutions available are all open source. (Security concerns about open source are, in my view, outdated. Mature projects with strong communities behind them are as secure as proprietary alternatives, if not more so.) The budgets of the projects our cloud infrastructure would support had to be factored in as well, steering us away from proprietary licensing costs and lock-in. This made our commitment to open source a natural choice.
To orchestrate our microservices infrastructure, my team was eager to try Kubernetes. However, our first project involved work for a team that insisted on using licensed Docker Swarm, a popular choice just before Kubernetes's meteoric rise. We completed the project using Docker Swarm, with the agreement that we could then experiment with putting Kubernetes to the same task. This comparison clearly showed Kubernetes to be the superior solution for our needs, and we have used Kubernetes for all subsequent projects.
Our Kubernetes cluster architecture in Azure
The Kubernetes clusters we deploy are reachable through real URLs, protected by TLS certificates. To accomplish this, our architecture on Azure includes a load balancer and a DNS zone belonging to the project, Key Vault (Azure's secrets store), and storage using an Azure-native object store. The architecture also includes a control plane for the cluster that is fully managed by Azure. External access to each of these components is protected by traditional firewalls that strictly restrict access to a small set of whitelisted IP addresses. (By default, access is limited to our own network as well.)
Our booster framework, which we use to kick off new projects, installs several components inside the Kubernetes cluster. An ingress controller opens external access to resources deployed inside the cluster, such as project microservices. It includes an OAuth proxy that makes sure all ingress traffic is authenticated and authorized through Azure AD. An external DNS controller creates the DNS records in the project's DNS zone. Our secrets controller fetches secrets from Azure Key Vault (data that should not be stored in the cluster, and that must not be lost if the cluster has to be destroyed). An S3 API communicates with the data storage resources. A certificate manager issues individual certificates for TLS access, in our case free of charge using Let's Encrypt.
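The ingress path described above, written out as Kubernetes manifests. This is an added example and not the booster framework's own code; it assumes ingress-nginx as the ingress controller, cert-manager for Let's Encrypt, external-dns for the DNS zone, oauth2-proxy in front of Azure AD, and the Secrets Store CSI driver with its Azure provider as the Key Vault "secrets controller" (the article does not name which controller it uses). All hostnames, resource names, and IDs are placeholders.

```yaml
# Added example; not the article's booster framework. Assumptions: ingress-nginx,
# cert-manager, external-dns, oauth2-proxy, Secrets Store CSI driver (Azure provider).

# 1. Let's Encrypt issuer for cert-manager, solving HTTP-01 challenges via ingress-nginx.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: platform-team@example.com            # placeholder
    privateKeySecretRef:
      name: letsencrypt-prod-account-key        # ACME account key, created by cert-manager
    solvers:
      - http01:
          ingress:
            class: nginx
---
# 2. Ingress for one project microservice. The annotations wire in certificate
#    issuance, DNS record creation, and the OAuth proxy in front of the service.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: orders-api
  namespace: orders
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    external-dns.alpha.kubernetes.io/hostname: orders.example.com
    # Every request is first checked by oauth2-proxy; an unauthenticated request
    # is redirected to the sign-in URL, which in turn redirects to Azure AD.
    nginx.ingress.kubernetes.io/auth-url: "https://auth.example.com/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://auth.example.com/oauth2/start?rd=$scheme://$host$request_uri"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"   # plain HTTP is redirected to HTTPS
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - orders.example.com
      secretName: orders-example-com-tls        # populated by cert-manager
  rules:
    - host: orders.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: orders-api
                port:
                  number: 8080
---
# 3. Secrets stay in Key Vault and are mounted into the pod at runtime as files,
#    so nothing secret is persisted in the cluster and nothing is lost if the
#    cluster is destroyed. The pod references this class through a csi volume
#    with driver "secrets-store.csi.k8s.io".
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: orders-keyvault
  namespace: orders
spec:
  provider: azure
  parameters:
    keyvaultName: "kv-orders"                                  # placeholder
    tenantId: "00000000-0000-0000-0000-000000000000"           # placeholder
    usePodIdentity: "false"
    useVMManagedIdentity: "true"                               # node's managed identity reads the vault
    userAssignedIdentityID: "00000000-0000-0000-0000-000000000000"  # placeholder
    objects: |
      array:
        - |
          objectName: orders-db-password
          objectType: secret
```

Two checks worth running after applying these: `kubectl get certificate -n orders` should show the certificate as `Ready`, and a request to `https://orders.example.com/` without a session cookie must return a redirect to the Azure AD sign-in page rather than the service's response. If the firewall in front of the load balancer only admits whitelisted IP ranges, the HTTP-01 solver will fail because Let's Encrypt's validation servers cannot reach the challenge path; in that case switch the solver to DNS-01 against the Azure DNS zone.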
We also use tools for monitoring, logging, and tracing. For monitoring we rely on the industry standards Prometheus and Grafana. Logging uses Grafana Loki, and tracing uses Jaeger. We also adopted Linkerd as our service mesh, which adds a layer of protection (mutual TLS between services) and is an optional enhancement for Kubernetes deployments.
Kubernetes security visibility and automation
What is not optional is having a Kubernetes-specific security solution in place. Here we use NeuVector as a Kubernetes-native container security platform for end-to-end application visibility and automated vulnerability management.
When we first considered our approach to security in the cloud, tools for vulnerability scanning and application workload protection stood out as the last line of defense and the most important to implement properly. A Kubernetes cluster can be attacked through both ingress and egress exposure, and through attack chains that escalate inside the environment.
To protect application development and deployment, every stage of the CI/CD pipeline needs to be continuously scanned for critical vulnerabilities and misconfigurations (hence NeuVector), from the build phase all the way through to production. Applications need to be protected from container exploits, zero-day attacks, and insider threats. Kubernetes itself is also an attack target, with critical vulnerabilities disclosed in recent years.
An effective Kubernetes security tool should be able to visualize and automatically validate the security of all connections within the Kubernetes environment, and block all unexpected activity. You also need to be able to define policies that whitelist the expected communication within the environment, and that flag or block abnormal behavior. With these run-time protections, even if an attacker breaks into the Kubernetes environment and starts a malicious process, that process will be promptly and automatically blocked before it can do damage.
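The "whitelist expected communication, block everything else" model from the paragraph above, expressed with the built-in Kubernetes NetworkPolicy resource. This is an added example and not NeuVector's policy format; NetworkPolicy covers only network flows (a runtime tool such as NeuVector additionally learns and enforces process and file behavior), and it is only enforced if the cluster's CNI plugin supports it. The example assumes an `orders` namespace with an `orders-api` pod that talks to a `postgres` pod and is reached through the ingress controller in the `ingress-nginx` namespace; names and ports are placeholders.

```yaml
# Added example, not the article's or NeuVector's own policy. Assumptions: a CNI that
# enforces NetworkPolicy, Kubernetes 1.21+ (for the kubernetes.io/metadata.name
# namespace label), kube-dns/CoreDNS pods labelled k8s-app=kube-dns in kube-system.

# 1. Default deny. With this in place, any flow that is not matched by an allow
#    rule below is dropped, for every pod in the namespace. Apply it first, then
#    add allow rules: that ordering is what makes the model a whitelist.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: orders
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# 2. The expected flows for orders-api, and nothing else.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: orders-api-allowlist
  namespace: orders
spec:
  podSelector:
    matchLabels:
      app: orders-api
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Only the ingress controller may reach the API port; no pod-to-pod
    # access from other namespaces, even if they know the service address.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
      ports:
        - protocol: TCP
          port: 8080
  egress:
    # Cluster DNS (namespaceSelector and podSelector in one entry are ANDed).
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # The database in the same namespace. Because nothing else is allowed, a
    # compromised orders-api pod cannot reach the cloud metadata endpoint,
    # other namespaces, or the internet to fetch tooling or exfiltrate data.
    - to:
        - podSelector:
            matchLabels:
              app: postgres
      ports:
        - protocol: TCP
          port: 5432
```

To verify the policy behaves as intended, exec into the `orders-api` pod and confirm that a connection to the database port succeeds while a connection to an arbitrary external address (or to `169.254.169.254`, the cloud instance metadata service) times out. Policies like these live in git next to the application manifests, which is the point of the security-as-code approach described later in the article.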
The value of infrastructure as code
Our Kubernetes deployments rely on infrastructure as code (IaC), meaning that every part of the architecture described above can be created and recreated from simple YAML files. IaC gives us crucial consistency and reproducibility across projects and clusters. For instance, if a cluster needs to be destroyed for any reason, or you want to introduce a change, you can simply destroy the cluster, apply the changes, and redeploy it. IaC is also practical for standing up development and production clusters, which share most of their settings and differ only in a few values.
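One way to keep development and production on the same manifests with only value changes, as described above, is a Kustomize base with one overlay per environment. This is an added example, not the article's framework; it uses Kustomize because it ships inside `kubectl`, and shows four small files in a single block, separated by `# file:` comments. Names, image, and values are placeholders.

```yaml
# Added example, not the article's own IaC. Four files shown in one block.

# file: base/kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - deployment.yaml
---
# file: base/deployment.yaml
# The hardened pod spec lives here once; every environment inherits it.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: orders-api
spec:
  replicas: 1
  selector:
    matchLabels:
      app: orders-api
  template:
    metadata:
      labels:
        app: orders-api
    spec:
      containers:
        - name: orders-api
          image: registry.example.com/orders-api:1.0.0   # placeholder; pinned tag, never "latest"
          ports:
            - containerPort: 8080
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
---
# file: overlays/dev/kustomization.yaml
# Dev changes nothing but the namespace.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: orders-dev
resources:
  - ../../base
---
# file: overlays/prod/kustomization.yaml
# Prod changes the namespace and the replica count; the security context
# cannot silently diverge because it is not part of the overlay.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: orders-prod
resources:
  - ../../base
patches:
  - target:
      kind: Deployment
      name: orders-api
    patch: |-
      - op: replace
        path: /spec/replicas
        value: 3
```

`kubectl apply -k overlays/prod` renders and applies the production variant; `kubectl diff -k overlays/prod` shows what a change would do before it is applied. Because both base and overlays are committed to git, `git log` over the directory is the change audit trail described in the next paragraph, and recreating a destroyed cluster is a matter of re-running the same apply.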
Importantly, IaC also makes every change applied to a cluster auditable. Humans are all too prone to errors and misconfigurations, which is why we automate. Automation makes our secure deployments reproducible.
The value of security as code
For the same reasons, automation and security as code (SaC) are also crucial to setting up our Kubernetes security protections. Your Kubernetes security tool of choice should make it possible to use custom resource definitions (CRDs), objects you upload to the cluster as YAML files, to apply and manage security policies conveniently. Just as IaC ensures consistency and reliability for infrastructure, SaC ensures that advanced firewalls and security services are implemented correctly. The ability to introduce and reproduce security protections as code reduces errors and greatly improves effectiveness.
What's next
Looking to the future of our Kubernetes infrastructure, we intend to embrace GitOps for deploying our framework, with Flux as a possible deployment agent. We also plan to use Gatekeeper to integrate Open Policy Agent with Kubernetes, giving us policy control over which containers may be created, over privileged containers, and so on.
For any organization starting to explore the potential of the cloud and Kubernetes, I highly recommend investigating architecture and security choices similar to those I have outlined here, especially when it comes to automation and the use of infrastructure as code and security as code. Doing so should provide an easier road to using Kubernetes successfully and harnessing its many benefits.
Karl-Heinz Prommer is technical architect at Munich Re.
—
New Tech Forum provides a venue to explore and discuss emerging enterprise technology in unprecedented depth and breadth. The selection is subjective, based on our pick of the technologies we believe to be important and of greatest interest to InfoWorld readers. InfoWorld does not accept marketing collateral for publication and reserves the right to edit all contributed content. Send all inquiries to [email protected].
Copyright © 2021 IDG Communications, Inc.