Using Kubernetes Plugins for Better Security

Extending and Sustaining Container Security

Jay
InfoSec Write-ups


The ability to build exceptional and industry-standard container orchestrations with the power of extensibility makes Kubernetes one of the finest and most commendable tools. Extensibility is a perspective that arises from the desire to add and contribute more to existing systems to offer better and more secure functionalities.

By design, Kubernetes supports custom configurations and use-case-specific attributes by eliminating the need to apply patches to underlying features. Plugins are the means to extend Kubernetes features and deliver out-of-the-box offerings.

Securing Kubernetes pods brings RBAC, an up-to-date K8s release, firewalls, isolated pods, and the Kubernetes admission controller to mind. Although these built-in features are viable choices, plugins offer a trustworthy and more succinct way of securing containers in Kubernetes.

Kubernetes plugins bring countless security benefits to the platform: the functionality is developed on the fly, in your language of choice, without touching the core components.

What Do Plugins Offer that Makes them Elegant and Pragmatic?

Kubernetes has continually evolved into an ecosystem in its own right. By integrating, refactoring, and customizing the most sought-after DevOps features, Kubernetes now has almost everything.

But Kubernetes' built-in features fall short where the business needs out-of-scope functions and custom operations have to be implemented. While a custom implementation is always possible, it is not always a secure one.

Consider the scenario where our implementation needs to ssh into a running pod in the cloud, say on GKE or AWS EKS, without compromising security. How would we access certificates from multiple certificate issuers and renew or print them securely?

With the rise of distributed and cloud-agnostic adoption, the demand for such custom features has skyrocketed.

An optimal and calculated decision from a functionality and security standpoint is to leverage plugins. Plugins are extensions to Kubernetes that are well-architected and developed with security in mind. Kubernetes has extended its support by integrating numerous trustworthy plugins.

Different Ways to Extend Security Measures Using Plugins

Admission Controller Plugin

Submitting requests that alter the state of the cluster or its objects is an everyday operation. Filtering which of those requests are accepted by the API server enhances security.

Adopting admission controllers pays off for security: they offer exclusive governing and gating capabilities.

Admission controller plugins act as a gate for requests to the API server, intercepting each request (after it has been authenticated and authorized) and before the object is persisted. The built-in plugin code resides in the API server and must be compiled into the binary before it can be used; webhook admission plugins hand the decision to an external HTTPS service instead.

The plugin can mutate and validate incoming requests and sometimes apply system-configured defaults before allowing them into the API server.

--admission-control=MutatingAdmissionWebhook,DenyEscalatingExec

This kube-apiserver flag enables the listed admission controller plugins. Note that --admission-control is the legacy spelling; current releases use --enable-admission-plugins (and --disable-admission-plugins), and DenyEscalatingExec was removed in Kubernetes v1.18, so check the flag and plugin names against the release you run.

The flag accepts a comma-delimited (no spaces), ordered list of admission plugins that run before a modification is persisted in the cluster.
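The webhook side of admission control is where custom policy lives. The following is an added example, not code from the original article: a pure-Python handler for the AdmissionReview document the API server POSTs to a webhook, used in both validating mode (deny privileged containers and images from outside the organization's registry) and mutating mode (return a base64 JSON Patch that defaults allowPrivilegeEscalation to false). The AdmissionReview payload, the registry prefix and the pod are all constructed for the example; wiring the handler into an HTTPS server and a MutatingWebhookConfiguration/ValidatingWebhookConfiguration is left to the deployment.

```python
import base64
import json

# Assumption: the organization's image registry; images from anywhere else are rejected.
ALLOWED_REGISTRY = "registry.example.internal/"

# Constructed AdmissionReview, in the shape the API server POSTs to a webhook
# registered through ValidatingWebhookConfiguration / MutatingWebhookConfiguration.
SAMPLE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "constructed-uid-0001",
        "kind": {"group": "", "version": "v1", "kind": "Pod"},
        "namespace": "payments",
        "operation": "CREATE",
        "object": {
            "apiVersion": "v1",
            "kind": "Pod",
            "metadata": {"name": "api", "namespace": "payments"},
            "spec": {
                "containers": [
                    {"name": "api", "image": "registry.example.internal/api:1.4.2",
                     "securityContext": {"privileged": True}},
                    {"name": "sidecar", "image": "docker.io/library/busybox:1.36"},
                ]
            },
        },
    },
}


def validate_pod(pod):
    """Validating policy: return the list of violations (an empty list means admit)."""
    problems = []
    spec = pod.get("spec", {})
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            problems.append(f"container {c['name']!r} requests privileged mode")
        if not c.get("image", "").startswith(ALLOWED_REGISTRY):
            problems.append(f"container {c['name']!r} uses image {c.get('image')!r} "
                            f"outside {ALLOWED_REGISTRY}")
    return problems


def mutate_pod(pod):
    """Mutating policy: JSON Patch ops that default allowPrivilegeEscalation to false."""
    ops = []
    for i, c in enumerate(pod.get("spec", {}).get("containers", [])):
        sc = c.get("securityContext")
        if sc is None:
            ops.append({"op": "add", "path": f"/spec/containers/{i}/securityContext",
                        "value": {"allowPrivilegeEscalation": False}})
        elif "allowPrivilegeEscalation" not in sc:
            ops.append({"op": "add",
                        "path": f"/spec/containers/{i}/securityContext/allowPrivilegeEscalation",
                        "value": False})
    return ops


def admission_response(review, mode):
    """Build the AdmissionReview reply for mode 'validate' or 'mode 'mutate'."""
    req = review["request"]
    resp = {"uid": req["uid"], "allowed": True}  # the reply must echo the request uid
    if mode == "validate":
        problems = validate_pod(req["object"])
        if problems:
            resp["allowed"] = False
            resp["status"] = {"code": 403, "message": "; ".join(problems)}
    elif mode == "mutate":
        patch = mutate_pod(req["object"])
        if patch:
            resp["patchType"] = "JSONPatch"
            resp["patch"] = base64.b64encode(json.dumps(patch).encode()).decode()
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return {"apiVersion": review["apiVersion"], "kind": "AdmissionReview", "response": resp}


def decode_patch(reply):
    """Inspect a mutating reply: turn the base64 JSON Patch back into a list of ops."""
    return json.loads(base64.b64decode(reply["response"]["patch"]))


if __name__ == "__main__":
    print(json.dumps(admission_response(SAMPLE_REVIEW, "validate"), indent=2))
    print(json.dumps(decode_patch(admission_response(SAMPLE_REVIEW, "mutate")), indent=2))
```

Mutating webhooks run before validating ones, so in a real deployment the patch above would be applied first and the validating check would then see the defaulted securityContext; ordering the two this way is what lets the validator stay strict without breaking every workload that forgot the field.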

RBAC Plugin

Distribution and cataloging are at the core of Kubernetes. Clusters reside on remote servers and are reached through the API server via kubectl or gRPC/HTTP clients. Managing and restricting that access through policies is key to boosting privacy and security.

RBAC plugins permit admins to devise a mechanism for setting and managing user permissions based on roles. The roles can range from global, item, node, or user-defined levels.

kubectl is the tool used to create the RBAC objects and to describe and amend them.

--authorization-mode=Node,RBAC

The kube-apiserver flag --authorization-mode selects the authorizers that evaluate requests; with Node,RBAC the RBAC authorizer enforces the role-based policies.

An authorization strategy and the corresponding configuration (Role/ClusterRole and RoleBinding/ClusterRoleBinding objects) are necessary for implementing RBAC.
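RBAC policies are only as safe as the rules inside the roles, and wildcard or escalation-capable grants are easy to miss in review. The following is an added example, not code from the original article: it evaluates a PolicyRule the way the RBAC authorizer does (rules are additive and "*" matches anything) and audits Role/ClusterRole manifests for over-broad grants. The three manifests are constructed as Python dicts (what yaml.safe_load would return for the YAML); the role names and the namespace are made up, and the sensitive-verb and sensitive-resource lists are an assumed audit baseline rather than anything from the page.

```python
# Constructed Role / ClusterRole manifests as Python dicts (what yaml.safe_load
# returns for the YAML); names and namespaces are made up for the example.
ROLES = [
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
     "metadata": {"name": "pod-reader", "namespace": "payments"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
     "metadata": {"name": "ops-everything"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
     "metadata": {"name": "debug", "namespace": "payments"},
     "rules": [
         {"apiGroups": [""], "resources": ["pods/exec", "secrets"], "verbs": ["create", "get"]},
         {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["clusterroles"],
          "verbs": ["bind", "escalate"]},
     ]},
]

# Assumed audit baseline: verbs and resources that deserve a second look in any grant.
SENSITIVE_VERBS = {"bind", "escalate", "impersonate"}
SENSITIVE_RESOURCES = {"secrets", "pods/exec", "pods/attach", "pods/portforward", "nodes/proxy"}


def rule_allows(rule, api_group, resource, verb):
    """Evaluate one PolicyRule the way the RBAC authorizer does: '*' matches anything."""
    def matches(allowed, wanted):
        return "*" in allowed or wanted in allowed
    return (matches(rule.get("apiGroups", []), api_group)
            and matches(rule.get("resources", []), resource)
            and matches(rule.get("verbs", []), verb))


def role_allows(role, api_group, resource, verb):
    """Rules are purely additive: a role allows an action if any one rule allows it."""
    return any(rule_allows(r, api_group, resource, verb) for r in role.get("rules", []))


def audit_role(role):
    """Least-privilege audit: list the grants in one role that are too broad or sensitive."""
    findings = []
    name = f'{role["kind"]}/{role["metadata"]["name"]}'
    for idx, rule in enumerate(role.get("rules", [])):
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        if "*" in groups or "*" in resources or "*" in verbs:
            findings.append(f"{name} rule {idx}: wildcard grant (apiGroups={sorted(groups)}, "
                            f"resources={sorted(resources)}, verbs={sorted(verbs)})")
        for v in sorted(SENSITIVE_VERBS & verbs):
            findings.append(f"{name} rule {idx}: verb {v!r} can be used to gain further privileges")
        for r in sorted(SENSITIVE_RESOURCES & resources):
            findings.append(f"{name} rule {idx}: grants {sorted(verbs)} on sensitive resource {r!r}")
    return findings


def audit_all(roles):
    """Run the audit over a list of manifests, e.g. the output of kubectl get roles -A -o json."""
    return [f for role in roles for f in audit_role(role)]


if __name__ == "__main__":
    for finding in audit_all(ROLES):
        print(finding)
```

The evaluator deliberately mirrors only the "*" semantics of the authorizer; resourceNames and nonResourceURLs are not modelled, so a full audit would extend rule_allows before trusting a "not allowed" answer.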

Container Network Interface Plugins

Securing communication over the network between cluster components is vital. To eliminate complexity, Kubernetes handles the mapping of container ports to host ports and assigns a unique cluster-wide IP address to every pod in the cluster, keeping the networking model backward compatible.

CNI (Container Network Interface) is a Cloud Native Computing Foundation project offering a specification and libraries for developing plugins that configure network interfaces.

The CNI repository holds numerous plugins. Plugins under the CNI umbrella follow the project's security guidelines and are concerned with container network connectivity. The plugins do their job as executables (often scripts) that the container runtime invokes.

Note: CNI plugins are language-agnostic executables; the reference plugins and the libcni library that invokes them are written in Go.
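"Language-agnostic" here means the runtime talks to a plugin only through environment variables, stdin and stdout. The following is an added example, not code from the CNI project or the original article: a minimal host-local-style IPAM plugin in Python that implements the CNI calling convention (CNI_COMMAND, CNI_CONTAINERID, CNI_NETNS and CNI_IFNAME in the environment; the network configuration JSON on stdin; a result or error object on stdout with the process exit status signalling success). The network name, subnet and container IDs are constructed; the lease table is kept in memory for the example, whereas the real host-local plugin persists leases on disk because every CNI invocation is a fresh process.

```python
import ipaddress
import json
import os
import sys

SUPPORTED_VERSIONS = ["0.3.1", "0.4.0", "1.0.0"]

# Error codes taken from the CNI specification's error table.
ERR_CONTAINER_UNKNOWN = 3
ERR_BAD_ENV = 4
ERR_DECODE = 6
ERR_BAD_CONFIG = 7


class HostLocalLikeIpam:
    """In-memory allocator: one lease table per network name, first free address wins.
    (Constructed for the example; host-local keeps its leases on disk.)"""

    def __init__(self):
        self.leases = {}  # network name -> {container id: IPv4Address}

    def allocate(self, name, subnet, container_id):
        net = ipaddress.ip_network(subnet, strict=False)
        table = self.leases.setdefault(name, {})
        if container_id in table:      # a repeated ADD for the same container keeps its lease
            return table[container_id], net
        hosts = net.hosts()
        next(hosts)                     # first usable address is reserved for the gateway
        in_use = set(table.values())
        for addr in hosts:
            if addr not in in_use:
                table[container_id] = addr
                return addr, net
        raise RuntimeError(f"no free addresses left in {subnet}")

    def release(self, name, container_id):
        self.leases.get(name, {}).pop(container_id, None)   # DEL succeeds even if unknown


def error(version, code, msg):
    return 1, {"cniVersion": version, "code": code, "msg": msg}


def cni_handle(env, stdin_text, ipam):
    """Dispatch one CNI invocation. Returns (exit status, JSON-serialisable result)."""
    try:
        cfg = json.loads(stdin_text)
    except ValueError as e:
        return error("1.0.0", ERR_DECODE, f"cannot decode network config: {e}")
    version = cfg.get("cniVersion", "0.3.1")
    command = env.get("CNI_COMMAND")
    if command == "VERSION":            # VERSION needs no container-specific variables
        return 0, {"cniVersion": version, "supportedVersions": SUPPORTED_VERSIONS}
    for var in ("CNI_CONTAINERID", "CNI_NETNS", "CNI_IFNAME"):
        if not env.get(var):
            return error(version, ERR_BAD_ENV, f"missing {var}")
    subnet = cfg.get("ipam", {}).get("subnet")
    if not subnet:
        return error(version, ERR_BAD_CONFIG, "ipam.subnet is required")
    name, cid = cfg.get("name", ""), env["CNI_CONTAINERID"]
    if command == "ADD":
        addr, net = ipam.allocate(name, subnet, cid)
        gateway = next(net.hosts())
        return 0, {"cniVersion": version,
                   "ips": [{"address": f"{addr}/{net.prefixlen}", "gateway": str(gateway)}]}
    if command == "DEL":
        ipam.release(name, cid)
        return 0, {}
    if command == "CHECK":
        if cid in ipam.leases.get(name, {}):
            return 0, {}
        return error(version, ERR_CONTAINER_UNKNOWN, f"no lease for container {cid}")
    return error(version, ERR_BAD_ENV, f"unsupported CNI_COMMAND {command!r}")


if __name__ == "__main__":
    # Real invocation: the runtime sets CNI_* in the environment and pipes the config on stdin.
    status, result = cni_handle(os.environ, sys.stdin.read(), HostLocalLikeIpam())
    json.dump(result, sys.stdout)
    sys.exit(status)
```

The security-relevant habit the example shows is strict input handling: every required variable and config field is checked before any allocation, and failures are reported with the spec's error codes rather than a stack trace, which is what the runtime (and the operator reading kubelet logs) can act on.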

Third-Party Plugins

Kubernetes' broadly useful and reliable command-line tool kubectl supports a plugin manager, Krew, that offers developers a robust way to develop, distribute and install use-case-specific plugins.

Krew leaves the choice of language for plugin development open. Installing and running plugins through kubectl is straightforward. The plugins are catalogued in a centralized repository named krew-index.

Plugins are trustworthy because submissions to the centralized repository are accepted against decision criteria and evaluated case by case by the community.

The highlighted plugins are general and highly recommended. The Kubernetes ecosystem offers a sea of custom and inbuilt options to extend your cluster capabilities and security.
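Community review of krew-index is only part of the trust story; what actually protects an install is the integrity data in the plugin manifest. The following is an added example, not code from the Krew project or the original article: it performs the checks a cautious installer (or a CI gate for an internal plugin index) would run against a Plugin manifest, namely selecting the platform entry for the host, confirming the download URL is https, confirming the archive's sha256 matches the value pinned in the manifest, and confirming the binary follows kubectl's kubectl-<name> discovery convention. The manifest mirrors the krew-index Plugin (v1alpha2) layout, but the plugin name, URL, version and archive bytes are all constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed stand-in for a downloaded plugin archive (the real thing is a .tar.gz or .zip).
ARCHIVE = b"constructed archive bytes standing in for kubectl-example-audit_linux_amd64.tar.gz"

# Constructed manifest in the shape krew-index uses (kind Plugin, v1alpha2);
# the plugin name, URL and version are made up for the example.
MANIFEST = {
    "apiVersion": "krew.googlecontainertools.github.com/v1alpha2",
    "kind": "Plugin",
    "metadata": {"name": "example-audit"},
    "spec": {
        "version": "v0.1.0",
        "homepage": "https://example.invalid/kubectl-example-audit",
        "shortDescription": "Constructed example plugin",
        "platforms": [
            {"selector": {"matchLabels": {"os": "linux", "arch": "amd64"}},
             "uri": "https://example.invalid/kubectl-example-audit_linux_amd64.tar.gz",
             "sha256": hashlib.sha256(ARCHIVE).hexdigest(),
             "bin": "kubectl-example-audit",
             "files": [{"from": "kubectl-example-audit", "to": "."}]},
        ],
    },
}


def select_platform(manifest, os_name, arch):
    """Pick the platform entry whose selector matches this host (None if unsupported)."""
    for p in manifest["spec"]["platforms"]:
        labels = p.get("selector", {}).get("matchLabels", {})
        if labels.get("os") == os_name and labels.get("arch") == arch:
            return p
    return None


def verify_archive(platform, archive_bytes):
    """Integrity check: the download must hash to the sha256 pinned in the manifest."""
    actual = hashlib.sha256(archive_bytes).hexdigest()
    return hmac.compare_digest(platform["sha256"].lower(), actual)


def check_manifest(manifest):
    """Static review before trusting a manifest: https downloads, a 64-hex-digit sha256
    per platform, and a binary named kubectl-<...> so kubectl can discover it on PATH."""
    problems = []
    for i, p in enumerate(manifest["spec"]["platforms"]):
        where = f"platform {i}"
        if not p.get("uri", "").startswith("https://"):
            problems.append(f"{where}: uri is not https")
        if not re.fullmatch(r"[0-9a-fA-F]{64}", p.get("sha256", "")):
            problems.append(f"{where}: sha256 missing or malformed")
        if not p.get("bin", "").rsplit("/", 1)[-1].startswith("kubectl-"):
            problems.append(f"{where}: bin {p.get('bin')!r} does not follow the kubectl-<name> convention")
    return problems


def install_decision(manifest, os_name, arch, archive_bytes):
    """Combine the checks into one go/no-go: returns (ok, reason)."""
    problems = check_manifest(manifest)
    if problems:
        return False, "; ".join(problems)
    platform = select_platform(manifest, os_name, arch)
    if platform is None:
        return False, f"no platform entry for {os_name}/{arch}"
    if not verify_archive(platform, archive_bytes):
        return False, "sha256 mismatch: archive does not match the manifest"
    return True, f"ok to unpack {platform['bin']} from {platform['uri']}"


if __name__ == "__main__":
    print(install_decision(MANIFEST, "linux", "amd64", ARCHIVE))
    print(install_decision(MANIFEST, "linux", "amd64", b"tampered download"))
```

A sha256 pin only proves the archive is the one the manifest author hashed; it says nothing about what the plugin does once it runs with your kubeconfig's credentials, so the manifest check belongs alongside, not instead of, reading the plugin's source before granting it a privileged context.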

Conclusion

Security is a prime aspect to consider before deploying and orchestrating Kubernetes clusters. Plugins offer reliable and secure ways of attaining advanced capabilities.

Kubernetes plugins are nothing but executables developed to accomplish a specific task for a dedicated K8s component, such as admission control, RBAC, handling certificates from multiple issuers, ssh access into cloud-hosted pods, network connectivity, and more.

A wide range of plugins is available from vendors and the community. Multiple plugins often exist for the same task but differ in functionality and security. Picking or developing the right plugin is the admin's task.
