Kubernetes Authentication, Authorization, and Automation

Kubernetes Authentication

Kubernetes authentication is an important first step after deploying your cluster. When designing your authentication strategy, take into account:

  • Authentication Method – LDAP or Active Directory / SAML2 / OpenID Connect / GitHub
  • Minimize Additional Infrastructure – The more you deploy, the more that needs to be secured and managed
  • Security – Use short lived tokens, integrate groups for RBAC and support session revocation
  • Configuration Integration – Use the generic upstream kubectl; the fewer components deployed, the less that needs to be maintained and secured

The Orchestra Login Portal, built on OpenUnison, supports all of these goals. Orchestra usually deploys within minutes. There is no third-party database needed: Orchestra uses Kubernetes Custom Resources to store all session and user data, so individual sessions are easily revoked by deleting the corresponding objects via kubectl. Finally, Orchestra provides easy integration with both kubectl and the dashboard by creating a single entry point for both.

Compare Kubernetes Authentication Solutions

| Feature | Orchestra Login Portal | Dex | Keycloak |
|---|---|---|---|
| Dashboard Integration | Built-In | Requires additional reverse proxy (i.e. OAuth2 Proxy) | Requires additional reverse proxy (i.e. OAuth2 Proxy) |
| .kube/config Generation | One-click setup | No, requires separate application | No, requires separate application |
| Integrate short-lived tokens to dashboard and kubectl | Dashboard integration automatically refreshes tokens | Dependent on reverse proxy | Dependent on reverse proxy |
| Relational Database Required | No, all objects stored as Custom Resources | No, all objects stored in API Server | Yes (comes with H2) |
| Revoke Single User's Session | Yes | No, must revoke all sessions at once | Yes |
| Trusting Client Certificates | Yes, when generating .kube/config | No, requires separate application | No, requires separate application |
| Supports "Logout" | Yes, ends access to Kubernetes via both kubectl and the Dashboard | No, cannot end a session early | Yes for kubectl; depends on dashboard reverse proxy implementation |
| Customizations | XML + Java | YAML + Go | GUI + Java |
| Automated Operator | Yes - automates certificate management and rollover | Yes | Alpha |
| Supported Authentication Endpoints | LDAP/Active Directory, OpenID Connect, SAML2, GitHub, custom | LDAP/Active Directory, OpenID Connect, SAML2, GitHub | LDAP/Active Directory, OpenID Connect, SAML2 |
| Multi-Factor Authentication Support | TOTP (Google Authenticator), FIDO U2F, Symantec VIP, DUO, One-Time-Password, Certificate/X509/Smart Card | None | TOTP |

How Do You Want To Authenticate to Kubernetes?

Beyond Authentication – Authorization and Automation

After authenticating users, the next step is authorizing access to clusters and automating the onboarding of users and namespaces. At KubeCon NA 2017 our CTO discussed how authorization and compliance work in Kubernetes.

Tremolo Security’s Orchestra Portal builds on the login portal and adds

  • Self service creation of new namespaces
  • Self service access requests for namespace roles
  • Usage and compliance reports
  • Workflows that can implement privileged access and zero trust privileges

With Kubernetes you have automated your application lifecycle, so why manually add users to role bindings? Just as with the login portal, Orchestra’s automation portal comes in three flavors, depending on how you want to authenticate to your cluster:

Learn More About Tremolo Security and Kubernetes

You’ve seen how Tremolo Security can add enterprise authentication and user management to your Kubernetes cluster, so what’s next? The links below will take you to the GitHub project for our Kubernetes Identity Manager, videos and example guides to get you started. Feel free to open issues on GitHub or reach out on Twitter to learn more about how Tremolo Security can help you secure your Kubernetes cluster.