Enterprise adoption of Kubernetes is widespread. But Kubernetes is complex, and many clusters are configured insecurely. An analysis conducted by Cyble found more than 900,000 Kubernetes clusters exposed over the Internet.
The importance of authentication and authorization configurations in K8s cannot be overstated. Luckily, Kubernetes supports a variety of authentication methods. Here are your top three options.
➡️ Authentication proxy
Here authentication is fully delegated to a proxy server through the Kubernetes API server's authenticating-proxy mode. In this mode the API server receives requests from an intermediate proxy that has already authenticated the user and forwards the user's details (username, RBAC groups) in HTTP headers.
Since the Kubernetes API server has no way to validate the content of those headers, the only protection against header spoofing is to verify their provenance: the API server must validate the authenticating proxy's X.509 client certificate against a trusted CA, so that identity headers are accepted only from that proxy.
➡️ OpenID Connect
Kubernetes added support for this authentication method to solve the problem of authenticating remote users against a local user store. Once a user presents a valid, unexpired JWT, the OIDC authentication layer can validate the user itself rather than relying on a third-party authentication service for each request.
You can connect your Kubernetes cluster to your existing identity provider through an OIDC integration, but granting different levels of access per cluster is quite complex. Also keep in mind that once tokens are issued they remain valid until they expire, and they cannot be revoked.
➡️ Service Account Tokens
ServiceAccounts control pod access to the Kubernetes API. You attach RBAC (role-based access control) roles and permissions to the ServiceAccount the pod runs as, granting the pod the permissions it needs.
Similarly, at Devolut we use a tool called Permission Manager, which lets us set up RBAC templates and create Kubernetes users (generated as ServiceAccounts in the cluster). It has a clean and simple UI, which makes it easy to use, and it generates a kubeconfig for each user automatically.
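To make the ServiceAccount approach concrete, here is an added example (not from the original post and not Permission Manager's output) of a least-privilege ServiceAccount bound to a namespaced Role; the namespace, resource names and image are assumed for illustration.

```yaml
# Added example: a ServiceAccount for a pod that only needs to read Pods
# in its own namespace. Namespace "reports" and all names are assumed.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: report-reader
  namespace: reports
---
# A namespaced Role (not a ClusterRole) keeps the grant scoped to "reports".
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: reports
rules:
  - apiGroups: [""]                  # "" is the core API group
    resources: ["pods"]
    verbs: ["get", "list", "watch"]  # read-only: no create/delete/exec
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: report-reader-pod-reader
  namespace: reports
subjects:
  - kind: ServiceAccount
    name: report-reader
    namespace: reports
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
---
# The pod runs as that ServiceAccount; the token mounted into it carries
# only the permissions of the Role above.
apiVersion: v1
kind: Pod
metadata:
  name: report-job
  namespace: reports
spec:
  serviceAccountName: report-reader
  containers:
    - name: main
      image: example.invalid/report-job:1.0   # placeholder image
      command: ["sleep", "3600"]
# Verify the grant is as narrow as intended after `kubectl apply -f` on this file:
#   kubectl auth can-i list pods   -n reports --as=system:serviceaccount:reports:report-reader   # yes
#   kubectl auth can-i delete pods -n reports --as=system:serviceaccount:reports:report-reader   # no
```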
👋 Say hi at hello@devolut.io and you won't have to worry about unauthorized users entering your company's infrastructure again.