Leverage Zero Trust for your Kubernetes Ingress Controllers
J. Hunter Hawke
I’m here today to show you how simple, straightforward, and refreshing it can be to automate the processes behind “Zero Trust” in your Kubernetes Ingress Controllers.
Before I go into detail about Zero-Trust deployments, Kubernetes, and a whole bunch of other buzz words, I have to admit an important truth that I’ve recently come to terms with... managing Kubernetes is hard. More importantly, securing Kubernetes workloads is hard. For me it’s been easier to live in the peace and quiet of traditional, enterprisey VM security. While I’d occasionally worked with other container solutions, you wouldn’t find me within fifty feet of a Kubernetes cluster if my life depended on it.
When I joined Smallstep, I leapt into the world of encryption systems and with it came the wonderful world of securing Kubernetes workloads. Having survived my month of deploying and tearing down countless development clusters, installing deployments into the wrong namespaces, mangling DNS, tripping over Roles vs ClusterRoles vs RoleBindings vs ClusterRoleBindings, and slamming my head against my workstation just a little too hard, I’ve made it out the other side mostly unscathed and only slightly questioning my life’s decisions.
Kubernetes can be a complicated monolith of a beast, and there are a lot of concepts to learn and practice before one really knows what they’re doing. It can become even more difficult to secure this workload while wrangling the other moving pieces of your cluster. Regardless of the network hierarchy and policies in place, automating security by design will always make your cluster’s workload safer and more reliable. This is where using certificates to handle “Zero Trust” comes into play.
Zero Trust or BeyondProd approaches require authenticated and encrypted communications everywhere. For the TLS protocol powering your encryption, you’ll need to use certificates, a powerful and sustainable alternative to other authentication methods. As a cloud security practitioner, I found this concept really attractive. However, these principles are almost impossible to follow without succinct tooling and powerful services to manage all of one’s ephemeral hosts.
There are many options for handling such an implementation, but I’ve found most to be a painful experience. They range from holistic $20-per-server vendors to hacking together an authority with `openssl` and handling the networking gymnastics by hand. Frankly, most security budgets would laugh at the former, and as for the latter... don’t get me started.
It was only upon learning about Smallstep in a former life that I found using Zero Trust principles in system design became an absolute breeze, and suddenly I fell in love with the `step` toolchain and how it made my life easy. The DevSecOps forefathers before me instructed that I look past “Zero Trust.” They claimed it was too hard for too little return - that I’d be better off looking past such fads. To be honest, I agreed then, but later came to find that Zero Trust was the piece of the puzzle I was missing and that the `step` toolchain was the wrench my tool belt had needed all along. If only I had known then that, with the right tool, Zero Trust could easily be the solution to a lot of my headaches, I’d probably not have started seeing gray hairs in my early twenties.
Using Certificate Manager alongside some of Smallstep’s open source projects, it suddenly becomes simple to automate certificate issuance into a Kubernetes deployment. All you need is a little bit of YAML and a working cluster to start issuing TLS certificates for your micro-services and stop bad actors right in their tracks. Simple and straightforward tooling can make the difference between an exposed micro-service and one that is simply secure-by-design.
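To make “a little bit of YAML” concrete, here is an added example (not taken from the post or from the Smallstep docs it links to) of the two objects that wire cert-manager to a Smallstep CA for an Ingress: a cluster-wide issuer backed by the open source step-issuer, and an Ingress whose TLS secret cert-manager fills from that issuer. The CA URL, root bundle, provisioner name and key ID, secret names, namespace, hostname and backend service are all placeholders I made up; the issuer field names follow the step-issuer project’s published CRD, so check them against the CRD actually installed in your cluster.

```yaml
# Added example: a step-issuer ClusterIssuer pointing at a Smallstep CA.
# Every value below is a constructed placeholder; replace it with your own.
apiVersion: certmanager.step.sm/v1beta1
kind: StepClusterIssuer
metadata:
  name: step-cluster-issuer            # assumed name, referenced by the Ingress below
spec:
  # URL of the Smallstep CA (Certificate Manager authority or step-ca).
  url: https://ca.example.internal
  # Base64-encoded PEM root certificate of that CA; pods trust only this root.
  caBundle: LS0tLS1CRUdJTi...REPLACE_WITH_YOUR_ROOT...
  # JWK provisioner used to sign cert-manager's CSRs. Its password lives in a
  # Kubernetes Secret so it never appears in a manifest or a repo.
  provisioner:
    name: cert-manager                 # assumed provisioner name
    kid: REPLACE_WITH_PROVISIONER_KID  # assumed key ID
    passwordRef:
      namespace: step-issuer-system    # assumed namespace
      name: step-provisioner-password  # assumed Secret name
      key: password
---
# Added example: an Ingress that asks cert-manager for its serving certificate.
# cert-manager watches the annotation, creates a Certificate resource, sends a
# CSR to the issuer above, and writes the signed chain into `secretName`.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: hello-app                      # assumed name
  namespace: default
  annotations:
    cert-manager.io/cluster-issuer: step-cluster-issuer
spec:
  tls:
    - hosts:
        - hello.example.internal       # constructed hostname; must match the rule host
      secretName: hello-app-tls        # cert-manager populates tls.crt and tls.key here
  rules:
    - host: hello.example.internal
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: hello-app        # assumed backend Service
                port:
                  number: 8080
```

After applying both objects, `kubectl describe certificate hello-app-tls` should show the Certificate as Ready, and `kubectl get secret hello-app-tls -o jsonpath='{.data.tls\.crt}' | base64 -d | step certificate inspect --short` lets you confirm the leaf was signed by your CA rather than by a default self-signed issuer. Keeping the provisioner password in a Secret, and the root bundle rather than a private key in the issuer, is what lets the cluster issue and rotate short-lived certificates without any long-lived signing material sitting in the cluster.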
In the Smallstep Certificate Manager Kubernetes TLS docs, I’ve provided technical instructions on how to automate certificate issuance for Kubernetes ingress controllers. Here's a video you can follow along with to get started quickly with Zero Trust for your Kubernetes Ingress Controllers.