Securing Kubernetes Can Be Difficult, Especially Managing Access to Your Cluster.
Tremolo Security wants to make it easier to secure your Kubernetes clusters. Tremolo Security announced the release of Orchestra, a collection of projects designed to make integrating identity into your cluster as simple as possible. Orchestra is built on Tremolo Security’s open source identity management platform, OpenUnison.
In the blog post Tremolo Security’s CTO, Marc Boorshtein, explains that authentication and access management are two of the hardest components of Kubernetes security. Kubernetes is a unique system for most enterprises because it is both a collection of APIs and a set of tools and applications that developers and administrators interact with. These interactions all need to be secured. In addition to validating who is using your Kubernetes clusters, administrators need to be able to limit access to clusters even if their enterprise doesn’t have a mechanism to do so.
Orchestra brings identity and cloud native together. Marc explains, “Your security solutions for Kubernetes need to be as dynamic as your infrastructure. A legacy identity platform will slow you down and negate many of the benefits of cloud native.” As an example, Marc points out that customizations to Orchestra are done through code, “When you make an update to Orchestra you’re pushing a commit to a git repository which in turn triggers a pipeline to build Orchestra with the latest OpenUnison libraries finally pushing a new container into your registry.” Enabling identity in a cloud native way makes it easier for enterprises to secure their clusters.
Another aspect of Kubernetes security that Marc points out is that tokens are typically long lived, measured in hours. “Long lived tokens pose a risk to your cluster by providing a potential attacker multiple hours of access if a token is hijacked,” says Marc. Orchestra helps mitigate this concern by using very short lived tokens that are good for at most three minutes. This cuts down the risk of a hijacked token being abused: by the time an attacker hijacks a token and tries to use it, it’s likely the token has expired and Kubernetes will reject it.
In addition to managing the security of tokens and providing cluster authentication, Orchestra can add an automation layer to Kubernetes access. “Once a cluster is deployed, it needs to be carved up to provide access to teams,” Marc says. Marc goes on to say, “You invested hours and dollars in automating your infrastructure, why would you want to manually manipulate RBAC rules?” Orchestra can provide a self-service portal for automating access requests to Kubernetes and the creation of namespaces. This cuts down on manual work done by SREs and increases security by providing an authoritative source to audit a cluster against.
Many of the headline-grabbing breaches in the news are a direct result of unpatched vulnerabilities. Marc explains how Tremolo Security helps keep your Orchestra deployment up to date, “We automate the testing of OpenUnison to make sure that updates in libraries don’t break existing functionality letting us update all of our dependencies on each release.” Tremolo Security extends this principle to its published containers by continuously scanning them. When Tremolo Security’s scans find an update to address a known CVE, containers are automatically rebuilt to include those fixes. Users can rely on any system or service that watches for updates to Tremolo Security’s containers to trigger deployment pipelines of their own implementations.
Lastly, multi-factor authentication is becoming a larger priority for enterprises deploying Kubernetes. Orchestra provides options for FIDO Universal Second Factor (U2F), one-time passwords and certificate authentication (also known as PIV and CAC in the US Federal Government). These options can easily be added by forking Orchestra and making a change to its built-in configuration.