Maximize Cloud Security Efficiency with Integrated Kubernetes Access Control Management
“Accessing Kubernetes is the first step of cloud native security.”
When building or operating cloud-native applications, most teams use Kubernetes. According to last year's CNCF report, over 70% of companies worldwide use Kubernetes, and adoption has grown every year. As more sensitive data lands on the platform, attackers' motivation to target it grows with it. The problem is that controlling access to the data in Kubernetes clusters is a hard area, both for visibility and for stability. If access to the data on a Kubernetes cluster could be controlled and audited in one place, wouldn't that greatly improve the security posture of Kubernetes?
QueryPie KAC (K8S Access Control) started right here.
QueryPie is a Cloud Data Protection Platform (CDPP) that controls access to the many kinds of data held in cloud environments, from traditional RDBs to Hadoop, NoSQL and MemoryDB. It does this with two products: DAC, which controls access to the data stores themselves, and SAC, which controls access to the physical and virtual servers on which that data is stored, processed and transmitted.
Recently, however, flexible container orchestration systems such as Kubernetes (k8s) have become the norm in the cloud. In k8s every resource is an abstraction, so individual resources are harder to track than virtual machines. Each cluster also has its own configuration, such as namespaces, so administrators have to set up access control for resources cluster by cluster. And because resources are reached through the k8s API rather than SSH, a separate access control mechanism, distinct from SAC, is required.
This is where the concept of Kubernetes Access Control (KAC) comes in. KAC is a management approach that brings everything from role-based access control for k8s users to integrated audit logging, across many clusters, into one place.
QueryPie KAC: 4 Key Features
Before delving into the features of KAC, it is easier to understand if you know its strengths. KAC has all the advantages of existing DAC and SAC, and in addition, it has specialized features for k8s.
1. Role-Based Access Control
The first is role-based access control. K8S has its own RBAC system, but it is configured per cluster, through Role/ClusterRole and RoleBinding/ClusterRoleBinding objects, and configuring it requires access to each cluster in turn.
KAC has a separate, integrated RBAC layer in front of each K8S cluster, so roles for many clusters can be defined in one QueryPie console. Access restrictions are then managed by mapping the Users/Groups synchronized from the IdP to those roles with a click.
KAC also allows 'wildcard' patterns for resources, which makes it easy to keep up with resource names that change, such as pods whose names carry a generated suffix. Native k8s RBAC only matches exact names through resourceNames, and that restriction is not applied to list or watch requests at all, so a cluster role cannot express "only the web-* pods". Because KAC evaluates roles directly in its proxy, it can filter a request such as 'retrieve all pods' and return only the results covered by the user's permissions.
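To make the two ideas in that paragraph concrete, here is an added example (not QueryPie's code; the Rule/Role/Policy field names, the abstract "exec" verb and the sample policy are assumptions) of a proxy-side policy that matches namespaces, resources and object names as glob patterns and then filters a "list all pods" response down to what the caller's roles cover:

```go
package main

import (
	"fmt"
	"path"
)

// Rule is one permission line of a KAC-style role. Namespace, Resource and
// Name are glob patterns matched with path.Match, so "web-*" covers pods
// whose generated suffix changes on every rollout. Field names are an
// assumption for this example, not QueryPie's schema; verbs are abstract
// (e.g. "exec") rather than the API server's create-on-pods/exec.
type Rule struct {
	Verbs     []string // verbs, or "*" for all
	Namespace string   // glob, e.g. "team-a" or "*"
	Resource  string   // glob, e.g. "pods"
	Name      string   // glob over the object name, e.g. "web-*"
}

// Role groups rules; Policy binds IdP groups (as synced into the console) to roles.
type Role struct {
	Name  string
	Rules []Rule
}

type Policy struct {
	Roles      map[string]Role
	GroupRoles map[string][]string
}

func match(pattern, s string) bool {
	ok, err := path.Match(pattern, s)
	return err == nil && ok
}

// permits checks one rule. A collection request carries no object name, so
// only namespace and resource are checked there; per-object names are
// enforced on the response by FilterList.
func (r Rule) permits(verb, ns, resource, name string) bool {
	verbOK := false
	for _, v := range r.Verbs {
		if v == verb || v == "*" {
			verbOK = true
			break
		}
	}
	return verbOK && match(r.Namespace, ns) && match(r.Resource, resource) &&
		(name == "" || match(r.Name, name))
}

// Allowed is the per-request check the proxy runs before forwarding.
func (p Policy) Allowed(groups []string, verb, ns, resource, name string) bool {
	for _, g := range groups {
		for _, roleName := range p.GroupRoles[g] {
			for _, rule := range p.Roles[roleName].Rules {
				if rule.permits(verb, ns, resource, name) {
					return true
				}
			}
		}
	}
	return false
}

// ObjectRef identifies one item in a list response.
type ObjectRef struct{ Namespace, Name string }

// FilterList is the step native RBAC cannot do: after the cluster has
// answered "list all pods", drop every item the caller may not "get".
func (p Policy) FilterList(groups []string, resource string, items []ObjectRef) []ObjectRef {
	out := []ObjectRef{}
	for _, it := range items {
		if p.Allowed(groups, "get", it.Namespace, resource, it.Name) {
			out = append(out, it)
		}
	}
	return out
}

// DemoPolicy is a constructed policy: group eng-team-a may get/list pods
// named web-* in namespace team-a, and nothing else.
func DemoPolicy() Policy {
	return Policy{
		Roles: map[string]Role{
			"team-a-web-viewer": {Name: "team-a-web-viewer", Rules: []Rule{
				{Verbs: []string{"get", "list"}, Namespace: "team-a", Resource: "pods", Name: "web-*"},
			}},
		},
		GroupRoles: map[string][]string{"eng-team-a": {"team-a-web-viewer"}},
	}
}

func main() {
	p := DemoPolicy()
	groups := []string{"eng-team-a"}
	// Constructed list response, as if the cluster returned every pod.
	all := []ObjectRef{
		{"team-a", "web-7d9f4-abc12"}, {"team-a", "web-7d9f4-xyz89"},
		{"team-a", "db-0"}, {"team-b", "web-7d9f4-qq1"},
	}
	fmt.Println(p.FilterList(groups, "pods", all))
	fmt.Println(p.Allowed(groups, "exec", "team-a", "pods", "web-7d9f4-abc12"))
}
```

The split between Allowed (request time) and FilterList (response time) is the design point: the list request itself is permitted at namespace/resource granularity, and the name pattern is applied to each returned object, which is exactly what a ClusterRole with resourceNames cannot do for list or watch.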
2. Automatic Access Permission Acquisition
The second is that admin access to the synchronized k8s clusters is granted automatically. With the existing DAC, a username and password were needed for DB access; in the same way, credentials are needed to reach a k8s cluster.
In KAC, however, the admin access permission is registered automatically through the AWS API. Administrators only need to grant the required IAM permissions when registering a KAC provider; from then on, user permissions are adjusted through the RBAC system. Note that the IAM principal used for this effectively holds admin rights on every registered cluster, so it should be dedicated to KAC and scoped with least privilege rather than shared with other tooling.
3.Audit Logging & Session Recording
The third is integrated verification of user actions and real-time session monitoring. k8s can write an audit log for the k8s API, but that log covers every request the API server receives, from controllers and system components as well as from users, so picking out what a given IdP user did is not easy. It also records only that an exec into a pod's shell was requested, not what the user typed once inside. In KAC, audit logging is done in the proxy, independently of the k8s API audit log, so the actions of users across many clusters can be verified in one place; the k8s API audit log can still be configured separately if the customer wishes. And when a user opens a pod shell with the exec command, Session Recording captures the whole session. One caveat for anyone correlating the two logs: if the proxy reaches the cluster with a single admin identity, the API server's own audit log attributes every request to that identity, unless the proxy forwards the user through impersonation headers (Impersonate-User / Impersonate-Group), in which case the API server records the proxy as the user and the real person as the impersonated user.
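As an added example of what proxy-side audit logging has to do (this is illustrative code, not QueryPie's log format; the AuditRecord layout, cluster name and sample request are constructed), the function below takes the request the proxy is about to forward and the identity it authenticated against the IdP, and turns them into one structured record that names the cluster, the user, the Kubernetes verb, the resource and, for an exec, the command that was requested:

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// AuditRecord is one line the proxy writes per forwarded request. User and
// Groups are the IdP identity the proxy authenticated, and Cluster keeps
// records from many clusters apart in one log. This layout is an example,
// not QueryPie's log format.
type AuditRecord struct {
	Time        string   `json:"time"`
	Cluster     string   `json:"cluster"`
	User        string   `json:"user"`
	Groups      []string `json:"groups"`
	Verb        string   `json:"verb"`
	APIGroup    string   `json:"apiGroup"`
	Namespace   string   `json:"namespace,omitempty"`
	Resource    string   `json:"resource"`
	Subresource string   `json:"subresource,omitempty"`
	Name        string   `json:"name,omitempty"`
	ExecCommand []string `json:"execCommand,omitempty"`
	Status      int      `json:"status"`
}

// verbFor maps an HTTP method to a Kubernetes verb the way the API server
// does for its own RBAC and audit decisions.
func verbFor(method string, named bool, q url.Values) string {
	switch method {
	case "GET":
		if q.Get("watch") == "true" {
			return "watch"
		}
		if named {
			return "get"
		}
		return "list"
	case "POST":
		return "create"
	case "PUT":
		return "update"
	case "PATCH":
		return "patch"
	case "DELETE":
		if named {
			return "delete"
		}
		return "deletecollection"
	}
	return strings.ToLower(method)
}

// Record parses a Kubernetes API request and attributes it to the IdP user.
// It handles the core group (/api/v1/...), named groups (/apis/<g>/<v>/...),
// namespaced and cluster-scoped resources, and subresources such as
// pods/exec. A namespace subresource (/namespaces/x/status) would be
// misread as a resource; a production proxy resolves that via discovery.
func Record(cluster, user string, groups []string, method, rawURL string, status int) AuditRecord {
	u, err := url.Parse(rawURL)
	if err != nil {
		u = &url.URL{Path: rawURL}
	}
	parts := strings.Split(strings.Trim(u.Path, "/"), "/")
	rec := AuditRecord{Time: time.Now().UTC().Format(time.RFC3339), Cluster: cluster,
		User: user, Groups: groups, Status: status}
	switch {
	case len(parts) >= 2 && parts[0] == "api":
		parts = parts[2:]
	case len(parts) >= 3 && parts[0] == "apis":
		rec.APIGroup, parts = parts[1], parts[3:]
	}
	if len(parts) >= 3 && parts[0] == "namespaces" {
		rec.Namespace, parts = parts[1], parts[2:]
	}
	if len(parts) > 0 {
		rec.Resource = parts[0]
	}
	if len(parts) > 1 {
		rec.Name = parts[1]
	}
	if len(parts) > 2 {
		rec.Subresource = parts[2]
	}
	rec.Verb = verbFor(method, rec.Name != "", u.Query())
	if rec.Subresource == "exec" {
		rec.ExecCommand = u.Query()["command"] // the command kubectl exec asked for
	}
	return rec
}

// ToJSON renders the record as one log line.
func ToJSON(r AuditRecord) string {
	b, _ := json.Marshal(r)
	return string(b)
}

func main() {
	// Constructed request: alice opens a shell in pod web-1 via kubectl exec.
	rec := Record("prod-eks", "alice@example.com", []string{"eng-team-a"}, "POST",
		"/api/v1/namespaces/team-a/pods/web-1/exec?command=sh&command=-c&command=id&stdin=true&tty=true", 101)
	fmt.Println(ToJSON(rec))
}
```

The exec record shows the limit the paragraph describes: the request tells you the shell that was started and nothing more. Capturing what happens afterwards means teeing the upgraded stream into a session recording, which this example does not do.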
4. Kubeconfig Auto-configuration (w/ Agent)
Finally, access configuration is generated automatically. Previously, users had to configure each cluster themselves before they could reach it; even on AWS, this meant registering a profile for every cluster with the aws cli.
With QueryPie Agent, the access configuration for the clusters the administrator has assigned, based on the user's roles, is generated automatically. The Agent writes a 'kubeconfig' covering the k8s clusters the user may reach, and the user only has to pick the cluster to connect to.
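To show what such a generated kubeconfig looks like, here is an added example (not QueryPie Agent's code; the proxy URL scheme, the Cluster fields, the CA placeholder and the exec helper name kac-token are all assumptions) that renders one cluster/context pair per reachable cluster, points every context at the proxy rather than the API server, and sources the user's credential from an exec credential plugin so no long-lived token is written to disk:

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"text/template"
)

// Cluster is one entry the agent learned the signed-in user may reach.
// Server points at the KAC proxy endpoint for that cluster, not at the API
// server itself, so no cluster-admin credential ever reaches the laptop.
// Field names and the proxy URL scheme are assumptions for this example.
type Cluster struct {
	Name   string
	Server string
	CAData string // base64 CA bundle for the proxy; a constructed placeholder below
}

// kubeconfigTmpl renders one cluster/context pair per reachable cluster and
// a single user whose credential comes from an exec plugin. "kac-token" is a
// hypothetical helper name, not a QueryPie command.
const kubeconfigTmpl = `apiVersion: v1
kind: Config
current-context: {{(index .Clusters 0).Name}}
clusters:
{{- range .Clusters}}
- name: {{.Name}}
  cluster:
    server: {{.Server}}
    certificate-authority-data: {{.CAData}}
{{- end}}
contexts:
{{- range .Clusters}}
- name: {{.Name}}
  context:
    cluster: {{.Name}}
    user: {{$.User}}
{{- end}}
users:
- name: {{.User}}
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1
      command: kac-token
      args: ["--user", "{{.User}}"]
      interactiveMode: Never
`

// RenderKubeconfig builds the file an agent would write to ~/.kube/config.
func RenderKubeconfig(user string, clusters []Cluster) (string, error) {
	if len(clusters) == 0 {
		return "", errors.New("user has no reachable clusters")
	}
	tmpl, err := template.New("kubeconfig").Parse(kubeconfigTmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	err = tmpl.Execute(&buf, struct {
		User     string
		Clusters []Cluster
	}{user, clusters})
	return buf.String(), err
}

func main() {
	// Constructed input: the clusters alice's roles reach, as the agent would learn them.
	cfg, err := RenderKubeconfig("alice@example.com", []Cluster{
		{Name: "prod-eks", Server: "https://kac.example.com/clusters/prod-eks", CAData: "QUJDREVG"},
		{Name: "staging-eks", Server: "https://kac.example.com/clusters/staging-eks", CAData: "QUJDREVG"},
	})
	if err != nil {
		panic(err)
	}
	fmt.Print(cfg)
}
```

Switching clusters is then just `kubectl config use-context staging-eks`; the exec plugin runs on each call, so revoking the user in the console takes effect on the next request rather than when a cached token expires.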
Kubernetes is designed to give developers maximum flexibility and agility. Even where access control for physical servers and VMs is in place, leaving the Kubernetes running on top of them uncontrolled leaves a gap in the barrier. Abstract, dynamic resources are not easy to control, however. 'QueryPie KAC' focuses on exactly this and offers a solution that raises the security level without giving up the efficiency of k8s.
We will arrange an occasion where you can see an actual KAC demo next time. Thank you.