Identity Management

Simplify Kubernetes Security with Orchestra

March 24, 2019

by Marc Boorshtein

Kubernetes Authentication

Tremolo Security today released Orchestra, an open source portal for Kubernetes authentication and automation. Authentication and access management are two of the hardest components of Kubernetes to manage. The Orchestra portal simplifies both with a simple-to-deploy solution that integrates both command line and dashboard access to your cluster.

Orchestra’s deployment has no relational database to manage and no user interface to lock down, so it deploys quickly. Its simplicity eases integration with your organization’s Active Directory, SAML2 implementation, or OpenID Connect provider.

The Orchestra login portal uniquely combines authentication to the Kubernetes API server and the dashboard in a single session. Individual user sessions can be terminated quickly by a Kubernetes administrator. The short-lived tokens used by Orchestra cut down the risk that a token will be captured and abused, so your clusters are more secure. Our Kubernetes Solutions page breaks down the differences between Orchestra and other open source login solutions for Kubernetes.

Tremolo Security scans our published containers with Anchore’s Engine so we can detect when a known CVE has been patched, then rebuild and publish our containers. We commit to patching our containers when CVEs are patched to help you keep your environment protected.

Orchestra is a cloud native application, so you will use the same tools to manage Orchestra that you use for your Kubernetes cluster. This simplifies your operations and leverages your existing DevOps processes and tools. Deployment requires building a properties file and retrieving any certificates or SAML2 metadata needed; Tremolo Security’s artifact deployer does the rest. It creates the objects and certificates needed to secure login to your Kubernetes cluster.

Get started with simplifying access to your cluster by choosing the authentication method that you prefer (links go to github.com):

  • ACTIVE DIRECTORY / LDAP
  • SAML2 (Orchestra Login Portal with SAML2)
  • OPENID CONNECT (Orchestra Login using OpenID Connect)

Automate Access

The Orchestra Automation portal adds authorization and automation to the login portal. It adds a self-service portal for requesting access to namespaces, creating namespaces, and reporting. The portal includes valuable reports such as:

  • Who approved namespace access and creation
  • Orphaned accounts
  • What Kubernetes objects were changed and why

Finally, the automation portal provides a user interface for your cluster that helps users identify what they do and don’t have access to, cutting down on support calls.

The automation portal requires a MySQL or MariaDB database. Choose how you want to authenticate to Kubernetes to start automating your cluster (links go to github.com):

  • ACTIVE DIRECTORY / LDAP
  • SAML2
  • OPENID CONNECT

Stay tuned to our blog and to Twitter at @tremolosecurity for updates!