Kubernetes
Securing access to Kubernetes API and deployments
Kubernetes (often abbreviated as k8s) is a system for managing large numbers of containers in production. It was originally inspired by Google’s production environment and has been adopted into many companies as a useful way to manage and scale deployments.
While Kubernetes is excellent for deployments and comes with its own role-based access controls (RBAC), organizations often struggle with provisioning fine-grained access control to the API server. This matters because the Kubernetes API server functions as the central management entity and gateway for all components in a Kubernetes cluster. Not only does it process and handle requests (often through a kubectl
), it also maintains the desired state specified by users, making it a desirable target of access for hackers or malicious insiders.
Companies solve this with Pomerium to add zero trust fine-grained access control to clusters themselves.
Currently, many organizations grant access to Kubernetes by having the user tunnel through the network perimeter to access a bastion host, then from there SSH port-forward to the API server (often through kubectl).
The user access flow can be boiled down to this:
The User logs in via the VPN client. This is where authentication and authorization is checked.
The User now can reach the bastion host inside the VPC. The bastion host acts as a simple reverse proxy with access to the internal IP addresses of the Kubernetes API servers.
The bastion host itself has been configured with the necessary roles and permissions to access the Kubernetes API servers.
Firewall rules allow users to SSH access to the bastion host, and allow for the bastion host to communicate with the API servers.
The Users can now use SSH port-forwarding through the bastion host to access any reachable Kubernetes API servers
The Kubernetes Role Based Access Control (RBAC) is a key security control mechanism for the Kubernetes API server to provision least privilege access. However, this entire setup before reaching the kubectl — Steps 1 to 3, from the VPN client to the bastion host — exists because integrating with other systems is out of scope for the Kubernetes API server.
This is a well-known system, but it has certain demerits:
Overprovisioned access may result in privilege abuse: Organizations often don’t want their users to be unproductive while waiting for access, they tend to shift towards giving more access than necessary. This happens even when the organization originally started off with least privilege access best practices; in the end, productivity has been prioritized and users or roles gain more access over time. Finally, granted permissions are often difficult to remove for various reasons.
Unfettered lateral movement: This architecture falls firmly into the Perimeter Problem: once a user has tunneled to reach the bastion host, they have unlimited access to any cluster reachable from the bastion host. In this above case, the user would have access to the control planes for both Clusters A and B.
Lacks continuous verification: User access is session-based, meaning there is little to no security measures in place once a user gains access. While it’s possible to inspect traffic, it is almost never done due to the increased lift and complications of inspecting this traffic. As a result, companies cannot prevent bad actions before they happen.
Lack of contextual awareness: The RBAC system is identity-aware but not context-aware. The modern threat landscape should assume compromised credentials and malicious insiders, meaning the context surrounding access requests should be considered. This includes details such as the time of day, geo-location, application state, devices, and more, which the built-in Kubernetes access controls do not consider.
This setup exists because the Kubernetes API server doesn’t integrate well with other systems for authenticating human access. We solve this by extending the server’s capabilities with a reverse proxy which can integrate with missing features.
We solve these problems by extending the server’s capabilities with a reverse proxy which can integrate with missing features. Pomerium acts as a reverse proxy for Kubernetes like any other upstream service to add zero trust access controls.
This might look like the previous iteration with just one removed hop, but the connections and brokered access are quite different. Pomerium is a reverse proxy with Kubernetes-specific logic, making it an ideal solution for integrating the Kubernetes API server as an upstream service.
The improved setup allows the API server to benefit from the Pomerium difference.
Pomerium improves upon Kubernetes’ native RBAC controls with more fine-grained access controls.
Instead, companies can set up groups with restricted permissions in Pomerium and assign users to these groups to achieve Privileged Access Management-style access controls for all users, not just super users.
Roles and permissions can be over-permissive and result in privilege abuse or escalation. OIDC providers may not provide group claims, requiring manual mappings to RBAC roles and permissions.
Pomerium enforces authentication, authorization, and context-awareness on each individual request.
Tunneling solutions are limited to enforcing those same checks at the start of a session. Pomerium can deny or shut down the next incoming request if it doesn’t comply with the company’s security
The Pomerium proxy knows which cluster a user should have access to. It does not grant access to any other clusters.
The bastion host only functions as a hub for facilitating access and does not do authorization checks on said access. As a result, users able to reach the bastion host have unlimited access to each cluster.
Pomerium provides comprehensive audit logs as a result of verifying each individual user action.
Some companies utilize session recording, which is inherently problematic to search through. Conversely, Pomerium’s logs are simple to search through and tagged for easy audits.
While Kubernetes supports native audit logging, it has practical challenges in certain cloud ecosystems where the tooling is limited. Additionally, cross-cluster and cross-service audit trails must be manually stitched together by practitioners.
Pomerium allows for easy integration with other tools such as identity providers, mobile device management, and more.
Offloading that burden to Pomerium enables teams to easily add critical integrations to their Kubernetes API without needing to conjure up complicated.
Kubernetes offers limited native support for third-party integrations, making it difficult for companies to achieve the correct level of access control they want.
Developers can add Pomerium's access control and deploy to production with full confidence that the company's security policies are being enforced.
Company
Quicklinks
Stay Connected
Stay up to date with Pomerium news and announcements.