►
From YouTube: Securing Access to Kubernetes Infrastructure with Kubernetes Zero Trust Principles - Mohan Atreya
Description
Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2023 in Amsterdam, The Netherlands from April 17-21. Learn more at https://kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Securing Access to Kubernetes Infrastructure with Kubernetes Zero Trust Principles - Mohan Atreya, Rafay Systems
As a Kubernetes footprint expands through a number of development and production clusters – spread across on-premises data centers, multiple public cloud providers, and edge locations – it shouldn’t be a surprise that complexity leads to challenges. When it comes to ensuring Kubernetes security and controlling access to clusters, limited standards and shared practices are creating a “wild west” scenario. Many organizations have multiple clusters in multiple locations—often running different distributions with different management interfaces—and teams of developers, operators, contractors, and partners who need varying levels of access. If your team is deploying Kubernetes in production, you have to do everything possible to ensure access security. In this presentation, we’ll review how to apply Kubernetes zero trust principles to enable controlled, audited cluster access for developers, SREs and automation systems to a Kubernetes infrastructure.
A
Thank
you
Jeremy
for
the
keynote
I'd
like
to
take
a
brief
moment
to
thank
our
amazing
sponsors
without
their
support.
This
security
con
would
not
be
possible,
so
thank
you
to
Red
Hat,
sisdig,
Optics
and
VMware
tanzu
for
being
our
Diamond
sponsors
and
also
thank
you
to
apiro
for
being
a
platinum
sponsor
with
that.
We
are
ready
to
begin
the
General
Sessions
for
the
day
and
first
here
we
have
Mohan
atriya
from
Rafael
systems.
Mohan
will
be
talking
about
securing
the
kubernetes
infrastructure
using
kubernetes,
zero
trust
principles,
Mohan.
B
Thank
you
am
I,
am
I
Audible.
Thank
you
good
morning.
Everyone
great
to
see
so
many
people
here
so
I
I'm
going
to
talk
about
a
pretty
interesting
area.
This
is
this
has
been
something
that
we
see
a
lot
of
users
attempting
now
when
it
comes
to
kubernetes
and
I
hope,
I
hope
at
the
end
of
it,
you'll
walk
out
with
some
interesting
insights,
and
if
you
have
some
questions
after
the
session
I'll
be
around.
B
A
lot
of
you
here
are
very
technical,
but
there's
a
vast
majority
of
people
out
on
the
out
in
the
world
who
use
kubernetes
a
little
differently
if
you've
seen
some
of
the
reports
recently
like
from
Shadow
server,
there's
nearly
380
000
kubernetes
clusters
open
on
the
internet.
Think
about
that
open
on
the
internet
right,
that's
not
good,
and
we
kind
of
play
in
this
space,
so
we've
been
kind
of
talking
to
people.
B
Why
do
you
do
this
and
a
lot
of
people
say
it's
just
too
hard
if
I
have
to
go
another
way,
go
through
a
secure
tunnel,
or
something
like
that.
So
with
this
backdrop
of
why
so
many
people
are
out
there
with
open
kubernetes
clusters
on
the
internet,
I
mean
think
about
it.
Your
API
server
is
the
way
by
which
you
interact
with
your
clusters,
right
like
as
a
user,
it's
open
on
the
internet.
Anyone
can
touch
it,
not
good
right.
B
So
we
ask
people,
what
do
you
do
typically
right
and
then
maybe
there's
a
better
approach,
so
what
people
are
typically
done,
and
this
must
be
very
familiar
for
you
if
you've
been
in
the
in
the
industry
for
a
while
they
put
up
a
Bastion.
If
you
go
to
a
security
team,
they
probably
will
say,
maybe
you
should
use
Sebastian
right.
Kubernetes
is
new
to
them.
So
what
did
they?
Do?
They
go
set
up
a
Bastion.
B
There's
a
you
know,
you'll
end
up
doing
a
cue
cuddle
right
from
the
Bastion
onto
your
clusters
in
in
your
VPC
or
something
else,
and
now
you
have
a
problem.
The
problem
is
well,
there
are
two
problems.
First
is
from
that
Bastion.
You
can
see
everything
in
that
VPC
all
right
if
I'm
an
attacker,
that's
a
juicy
Target
right
and
number
two
me
and
my
colleague
getting
out
of
the
Bastion
using
the
same
Cube
config,
most
likely
right.
So
that's
not
good.
B
Now
you
can't
tell
who
did
what
so
this
turns
out
to
be
a
problem.
Okay
way
to
start
you'll
end
up
having
problems.
The
second
thing
that
people
do:
is
they
land
up
saying?
Well,
this
Bastion
thing
is
not
working
for
me.
Maybe
I'll
put
up
a
jump
host
in
front
of
it
right,
I
put
up
a
jump
hose
now.
The
user
or
the
developer
in
this
case
is
really
really
ticked
off,
because
now
you're
asking
the
user
to
go
through
two
jumps
right
now.
B
You
may
you
may
start
thinking
here
at
this
point
of
time.
Some
you
know
gears
are
probably
churning
in
your
head
you're
thinking.
How
is
this
any
different
from
VMS
you've
done
this
for
VMS
for
hundreds
of
years?
Why
is
so
painful?
The
problem
is
in
the
old
monolithic
world,
the
typically
the
only
person
doing
this
was
the
Ops
person
right
in
the
kubernetes
world
is
every
developer.
B
When
you
have
100
micro,
Services,
the
poor,
Ops
guy,
doesn't
know
which
broke
what
broke
where
so
many
developers
access
right
to
help
out
when
you
want
to
resolve
issues
ETC.
So
when
you
have
hundreds
of
users
attempting
to
do
this,
you're
on
a
real,
real
painful
situation
right.
This
is
what
people
encounter
in
real
life.
B
The
last
thing
that
we
see
people
do.
Is
they
plonk
a
VPN
in
front,
not
bad
right,
except
if
you
can
afford
it,
these
vpns
do
cost
a
lot
of
money,
and
if
you
have
three
four
data,
centers
I
mean
it's
game
over
from
a
budget
perspective
right,
you
have
so
many
VPN
concentrators,
but
the
good
thing
is
now:
every
user
is
using
their
own
cubeconfig
and
they
doing
it
right
from
their
laptop
life
is
a
little
better
right.
More
secure.
B
A
B
Now,
let's
talk
about
the
second,
actually
a
very
important
aspect:
if
I'm
accessing
kubernetes
not
have
some
kind
of
operation,
a
developer,
I
have
the
same
kind
of
access
administered.
That's
a
no
cluster-wide
privilege.
Every
developer
came
over
what
people
do
end
up.
Having,
for
example,
stand
up
saying
that
hey
are
all
the
Developers
of
this
application.
An
Acme
name
have
to
be
in
the
Acme
namespace.
B
B
So
I'll
just
go
back
to
that
previous
slide
for
like
two
seconds,
so
the
The
quick
summary
there
is
there's
something
called
rbac
or
role-based
Access
Control
in
kubernetes
really
important
for
you
to
understand
that,
because
you
do
not
want
every
developer,
who
does
not
need
access
to
the
entire
cluster?
You
want
to
make
sure
you
use
our
back
so
that
they
can
only
see
what
they
want
to
see
really
really
important.
B
So
now
what
happens
at
scale?
Now
we
have
one
user
or
maybe
one
cluster,
not
a
big
problem
right.
You
can
do
all
of
this
manually.
What
we
see,
customers
struggle
with
and
users
struggle
with,
is
when
you
have
tens
or
hundreds
of
clusters
and
typically
like
when
I
talk
about
microservices.
When
you
have
hundreds
of
micro
Services,
you
have
hundreds
of
developers
who
constantly
move
from
one
theme
to
another.
Now
your
problem
is
magnified.
You
have
hundreds
of
users,
hundreds
of
developers,
and
you
have
many
many
clusters
now.
B
B
So,
let's
look
at
this
from
maybe
a
requirements
perspective
if
I'm
a
if
I'm
an
operations,
person
and
I
have
hundreds
of
developers
that
need
to
access
stuff
and
I
need
to
support
tens
and
hundreds
of
clusters
running
in
data
centers
in
many
many
regions
in
Amazon
Etc.
The
first
thing
I
need
to
do
is
I
cannot
afford
to
put
my
clusters
open
on
the
internet.
That's
I
mean
everyone
agrees
to
that.
B
The
next
thing
I
need
to
do
is
make
sure
that
I
don't
put
my
developers
through
this
complicated,
Bastion
or
VPN
based
user
experience,
which
everyone
hates
right.
None
of
us
like
that
experience,
so
what
you
really
really
need
is
to
leverage
what's
been
out
in
the
market
for
tens
of
years,
I
mean
if,
if
folks
have
heard
about
companies
like
zscaler
and
all
these
companies,
they've
been
like
very
pervasive.
They
all
do
this,
but
for
web
applications.
Why
not
for
cube
CTL?
B
Why
not
for
cube
API,
after
all,
runs
on
https
right,
so
the
first
thing
you
need
is
a
way
by
which
you
can
access
these
clusters,
even
though
the
Clusters
are
cloaked
behind
a
firewall.
Can
you
do
that
yeah
if
you
can
do
that
with
zscaler?
Why
not?
The
next
thing
you
want
to
do?
Is
you
don't
want
this
R
back
to
be
permanently
injected
inside
the
cluster?
You
want
to
do
that
dynamically
just
in
time.
Why
is
that
really
important?
B
B
All
user
access
need
to
be
strongly
authenticated,
given
right
and
then.
Finally,
this
is
a
question
that
people
struggle
with
from
a
governance
and
compliance.
If
I
come
and
ask
you
hey,
what
are
the
cube,
CTL
commands
are
ran
against
my
cluster,
or
rather
Johnny
Ransom
commands
yesterday.
What
did
he
run?
People
have
no
idea
right,
there's
no
way
to
reconstruct
that.
What
if
there
was
right.
B
B
It's
actually
based
on
something
we
noticed
about
three
years
ago
in
the
market.
You
know
about
three
years
ago.
You
know
we
all
started
working
from
home,
because
if
the
pandemic
right-
and
we
had
coincidentally
introduced
a
zero
trust
access
capability
in
our
platform
and
that
took
off
like
a
rocket
ship,
I
don't
have
the
charts
here
the
show.
But
you
know
it
was
almost
like.
You
know
a
curve
like
that,
and
it's
because
people
are
working
from
home.
B
Everyone
hated
vpns,
no
one
who
wanted
bastions,
and
everyone
wanted
instant
access
to
the
Clusters.
So
you're
going
to
see
that
in
action
with
this
open
source,
offering
we
open
sourced
it,
because
we
felt
that
it's
really
important
for
the
industry
to
kind
of
move.
A
couple
of
notches
up
from
a
security
perspective.
Right,
like
everybody,
should
be
able
to
do
this.
You
should
not
be
requiring
a
commercial
offering
to
do
this.
So,
let's,
let's
talk
a
little
bit
about
parallels,
is
open
source
Apache
license,
so
you
can
pull
it
down
and.
A
B
It
right
and
if
you
are
using
something
like
digitalocean,
you
have
a
one-click
experience.
Just
go
there,
search
for
parallels
click
it
install
it
use
it.
Please
participate
in
the
community
right
like
we
would
love
to
see
how
we
can
improve
this.
We
love
to
have
contributors
and
then,
like
you
guys,
are
all
you
know
pretty
aware
of
how
the
community
is
so
important
to
make
sure
this.
This
projects
are
successful,
so
help
us
out.
Let's
make
the
industry
more
secure,
try
and
participate
in
this
project.
B
So
how
does
this
work
now?
You
kind
of
heard
about
the
zero
trust.
Let
me
kind
of
show
you
architecturally,
then
I'll
show
you
a
live
demo,
I'm
sure
it'll
blow
your
mind
right.
So
the
first
thing
you
have
is
you
have
the
access
manager,
panelist
access
manager?
This
is
a
proxy.
It's
a
cube,
CTL
proxy
or
cube
API
proxy
on
the
internet
right.
B
It's
got
these
an
agent
running
on
every
one
of
your
clusters
and
notice.
The
arrow
is
out
outbound
right.
The
agent
dials
out
on
Port
443
from
your
clusters
behind
firewalls
to
the
perilous
access
manager
and
runs
a
long
running
control,
plane
session
right.
It's
a
it's,
essentially
keeping
it
alive.
The
connection
now,
when
the
developer,
who
is
sitting
at
home,
can
access
the
perilous
access
server.
They
don't
know
any
different,
they
get
a
cube
config,
they
say:
Cube
CTL
get
namespace
or
something
like
that
right.
B
They
don't
know
if
they're
touching
perilous
or
the
end
cluster,
they
don't
need
to
know
they're
hitting
the
proxy
right
and
the
proxy
authenticates
them
it's.
A
two-way
Authentication
with
digital
certificates
is
very
strongly
authenticated.
Of
course
everything
is
encrypted.
It's
https
right
and
not
only
that
anything.
The
user
types
is
now
audited
right.
So
if
I
type
some
funky
commands,
you
can
reconstruct
the
whole
set.
B
And
from
a
compliance
and
governance
perspective,
this
is
really
important
right
and
once
that
authentication
is
complete,
it's
just
basically
on
The
Wire.
The
commands
are
flying
back
and
forth
between
the
client
and
the
server
now
before
that,
the
downstream
APS
server
at
this
time
has
no
idea
who
you
are.
It
has
no
R
back
for
you
on
that
cluster.
B
So
remember
at
step
two,
when
the
user
authenticated
with
the
perilous
access
manager
they're
also
indicating
I
want
to
access
the
cluster
on
the
top
and
our
back
is
generated
on
the
Fly
and
a
service
account
is
injected
into
that
cluster
right.
This
is
all
happening
in
milliseconds,
right,
milliseconds
or
microseconds
right.
B
So
the
API
server
is
the
one.
That's
actually
controlling
everything
behind
the
scenes.
Perilous
here
is
nothing
more
than
the
main
gatekeeper.
It's
just
an
access
proxy.
That's
pretty
much
it!
It's
access
proxy
authenticating,
you
generating
the
r
back,
injecting
the
service
account
on
that
cluster
sounds
fascinating,
right,
I'm!
Sure
you
guys
want
to
see
a
very
quick
demo
of
that
I'll
I'll!
Do
that
right
now
right!
B
So,
let's
see
that.
So
what
what
you're
going
to
see
here
is
I
have
the
perilous
access
manager
setup
it's
running
in
New
York
in
digitalocean,
right
I'm.
Now
here
in
in
Detroit,
and
hopefully
my
internet
will
work
and
you'll
see
me
attempt
to
run
a
cube.
Ctl
command
and
I
can
run
this
against
three
clusters.
B
What
I've
done
is
like
I've
simulated,
a
typical
environment,
any
small
company
would
have
a
Dev
environment,
a
staging
cluster,
a
production
cluster
right,
and
what
I'm
going
to
do
here
is
I'm,
going
to
show
you
if
I
log
in
as
an
Ops
person
I,
can
see
everything,
because
that's
what
my
access
rules
are
and
I'll
have
cluster
white
privileges,
but
if
a
login
as
a
developer,
I
will
not
have
access
to
production,
because
that's
the
rule
I
set
up
here
right
now.
This
should
be
like
easy
right
like
how
do
you
do
that?
B
Is
going
to
be
complicated
because
I'm
holding
the
mic
and
doing
this
at
the
same
time,
so
this
is
a
perilous
access
server.
So
what
you're
seeing
here
are
three
projects:
I,
have
a
Dev
project,
a
prod
project
and
a
staging
project
inside
that
I
have
a
cluster
a
Dev
cluster
and
if
I
want
a
cube
CTL
do
it
I
mean
I,
don't
know
where
it's
running,
I
don't
need
to
know
and
I
can
say:
hey
get
namespace
and
I
get
the
thing.
Now.
The
key.
B
A
B
Yeah
there's
also
autocomplete
thank
God.
So
when
you
go
look
at
that
and
if
you
look
at
this
service
account
for
this
user,
it
was
generated
about
two
hours
ago
when
I
was
just
practicing
and
rehearsing
for
this
demo.
Now
what
I'll
do
is
I'll
log
in
as
an
Ops
version
and
we'll
see
this
being
generated
live
right.
B
So
what
I'm
going
to
do
now
is
going
to
log
in
as
an
Ops
person
I'm
going
to
authenticate
as
John
right
and
if
you
look
at
John,
the
the
company,
the
Central
Access
manager
said
John
has
access
because
he
belongs
to
the
Ops
group.
I
have
access
to
the
dev,
prod
and
staging
this
mapping
is
done
automatically
based
on
my
group.
B
Membership
right,
then
I
go
into
prod
and
I'll
do
the
same
thing
and
I'm
hitting
the
same
cluster
and
if
I
look
for
the
same
thing,
which
is
a
secret
service,
account
minus
n
perilous
system
you'll
see
that
Ops
John
this
email
just
10
seconds
ago.
The
service
account
was
dynamically
created
on
that
cluster
right
just
10
seconds
ago,
and
when
I
log
out
that
service
account
will
be
flushed,
which
means
nobody
has
keys
to
the
kingdom
all
the
time.
Every
time
I
access
I
need
to
authenticate
really
important.
B
B
Now,
let's
log
in
as
the
dev
all
right,
so
I'm
going
to
log
in
as
Sally
Sally
is
a
Dev
in
this
company
and
when
Sally
logs
in
remember
Sally,
because
she
belongs
to
the
developer
group,
the
company
had
decided
Sally
and
developers
don't
have
access
to
the
production
environment.
So,
as
you
can
see
here,
there's
only
Dev
and
staging
clusters
visible
now,
Sally
also
Belongs
to
Only
One
namespace
called
Apple
right.
There's
a
namespace
called
apple
on
the
cluster.
She
only
has
access
to
that.
B
Let's
see
if
Sally
attempts
something
smart
and
attempts
to
see
anything
more
what
happens,
but
before
that,
let's
see
you
know,
I'm
just
going
to
try
typing
in
you
know,
I'm
listing
all
my
pods
in
my
Apple
namespace
everything
looks
good
now
Sally
says
you
know
what
I
really
am
curious.
I
want
to
see
who
else
is
running?
What
on
this
cluster
and
I
type
A
get
namespace
and
you
notice
access
is
forbidden?
B
Why
is
this
forbidden
because
the
r
back
for
Sally
that
was
injected
under
that
cluster
is
constrained
down
to
the
Apple
namespace,
so
you
can
only
see
the
Apple
namespace,
nothing
more
right.
Imagine
doing
this
for
hundreds
of
developers
who
are
constantly
moving
from
group
to
group
or
hundreds
of
operations,
people
everything
is
automatic
right.
You
add
people
to
the
right
group.
Our
back
follows
them
right,
that's
the
power
of
Parallels
for
you.
B
So
if
you
remember,
as
a
user,
I
was
typing
a
bunch
of
things
as
a
company,
if
I'm
an
auditor
I
can
go
in
and
look
at
every
command
that
was
run
by
without
a
Sally
here
or
John
here
or
the
admin
here.
Whatever
I
did,
everything
can
be
tracked
right.
So,
from
a
governance
perspective,
people
can
rewind
back
and
say
this
person
did
this.
These
are
the
sequencer
commands.
What
I
see
users
tell
me
now
on
forums
is
fascinating.
We
initially
built
this
assuming
they
will
use
it
for
security
purposes.
B
What
people
are
saying
is
they're
using
this
to
automate
run
books.
Now,
like
you
know,
this
is
really
sharp
engineer.
Who
knows
how
to
run
the
cube
cuddle
commands
in
a
certain
sequence?
They
capture
that
and
say
I'm
going
to
bottle
this
up
and
I'm
going
to
use.
Have
other
people
follow
the
same.
Sequencer
commands
so
very
fascinating,
set
of
feedback
from
organizations.
B
We
encourage
everyone
in
the
industry
to
do
three
things.
At
least
three
things.
Please
do
not
put
your
kubernetes
clusters
on
the
internet
cloak
them
make
sure
that
people
have
zero
trust
access,
make
sure
your
developers
get
access
to
your
clusters
from
anywhere
with
the
right.
R
back
make
sure
the
rbac
injection
the
service
account
injection
is
done
dynamically,
which
means
only
right
level
of
access
is
given
at
the
right
time
and
make
sure
you
have
an
audit
trail
of
everything
right
this.
B
This,
in
summary,
would
get
you
to
a
point
where
you're
running
secure
operations
for
your
kubernetes
environments,
I
think
that's
all
I
had
if
there
any
questions
I'll
be
around
at
the
back
or
outside
I'll,
also
be
at
the
booth
Raffia
Booth
later
this
week,
so
stop
by
I
think
we'll
have
something
about
perilous
there.
Thank
you.
C
B
Yeah
yeah
very
good
questions,
so
two
questions
there.
What's
the
stage
of
the
project,
as
you
all
know,
at
cncf
there's
a
there's,
a
pecking
order
right.
You
eventually
want
to
get
to
a
graduated
stage.
We
are
now
in
sandbox
right.
We
submit
it
for
sandbox,
so
we
really
have
been
looking
for
the
community
kind
of
help
us.
You
know
we
need
the
right
kind
of
sponsorship
from
the
community
to
move
up
the
ladder
right
so
help
us
out
there
we're
right
now
in
sandbox,
getting
in
the
sandbox
application
for
sandbox,
we
had
a.
B
We
had
to
climb
up
that
ladder
right.
It
takes
sometimes
years
to
climb
up.
So
that's
the
first
question.
The
second
question
is:
what's
a
performance
hit,
so
there's
typically
a
about
a
when
you
saw
the
whole
thing
in
action.
Right
me,
typing
in
the
command,
as
a
user
is
imperceptible,
but
you
can
measure
it
it's
typically
in
milliseconds,
it's
in
milliseconds
for
the
first
time
when
the
user
is
authenticated
and
the
service
account
is
injected
on
the
downstream
cluster.
B
That's
about
a
millisecond
needed
that
is
to
disorchestrate
that,
but
typically
the
user
never
notices
anything
by
the
time
you
think
about
the
command
you're
going
to
type.
It's
all
done
right
so
and
you
can
run
these
proxies
anywhere
in
the
world.
So
what
we
see
organizations
do
is
say:
hey
I'm,
going
to
run
my
perilous
access
server
closer
to
my
clusters
because
really
comes
down
to
distance.
You
can't
beat
the
loss
of
physics
right.
B
B
Yes,
good
question:
I'll
repeat
it
because
I'm
sure
others
couldn't
hear
so
there
are
twofold
questions.
One
is:
does
the
perilous
access
manager
need
cluster
right
privileges
to
do
its
job,
and
number
two
is:
is
that
a
plan
to
do
a
third
party
pen
test?
The
answer
is
yes
to
both
the
the
third
party
pen,
test
kind
of
happens.
Naturally,
as
part
of
the
cncf
process,
every
project
is
put
through
a
microscope.
Right,
as
it
happens,
I
think
that's
why
we
encourage
every
project
to
go
through
the
cncf.