The open-source platform Kubernetes is quite a buzz right now. In the course of time, Kubernetes has been adopted by almost all major vendors, such as VMware, Google, Amazon and Microsoft. That‘ s reason enough to take a closer look at it. But before I talk about Security in Azure Kubernetes Service (AKS), I would like to talk about the most important aspects of containerization and Kubernetes first. I hope this will give you a good overview.
What is a container?
Containers are isolated environments for running applications. In addition to the application code, they contain everything else that is necessary to run an application (e.g. dependencies, libraries, binary files and configuration files). However, unlike a virtual machine, a container does not contain an operating system. Instead, containers share the kernel of the underlying host operating system. The basis for this is provided by the technology namespaces. A container engine creates namespaces for the different aspects of a container, which serve as an isolation layer between the containers:
Today, applications are increasingly container-based because containerization offers many advantages over traditional virtualization:
- Containerized applications can be easily moved between different platforms and clouds („write once, run everywhere“)
- Containerization enables efficient use of compute resources. A host can run significantly more containers than virtual machines because they are very „lightweight“ since they do not have an operating system
- Containers are particularly fast due to their small size and can be started up in seconds
- Containerization allows complex applications to be built from a variety of microservices, making it easier for developers to improve applications quickly and continuously. Companies like Netflix can deliver new code to their production environment dozens of times a day without disrupting millions of users
- Different functions of the container-based application can be scaled quickly and independently of each other
The most popular containerization platform is the open-source platform „Docker“. Docker has become the de facto standard for containerized applications over the last years. With Docker, you can primarily create images from which containers can be created. In addition, containers running on the host system can be managed with Docker.
If Docker is installed on a large number of hosts and the number of containers increases, administration becomes much more difficult. In such a scenario, a container management solution can simplify and automate the deployment and management of application containers.
What is Kubernetes?
The best-known container management solution is called Kubernetes (often abbreviated as K8s) and is often used in combination with Docker. Kubernetes combines the physical and virtual machines running the containers into a cluster and efficiently automates the distribution and scheduling of containers across the cluster. The platform is very complex and consists of numerous components, e.g. clusters, nodes, pods, masters, services, deployments, etc. In this medium article, the most important components and terms of Kubernetes are explained very well and in simple words. I highly recommend that you read through this article to get a basic understanding of what is behind the Kubernetes vocabulary.
What is Azure Kubernetes Service (AKS)?
Azure Kubernetes Service (AKS) is the Microsoft managed Kubernetes implementation in Azure. In this implementation of Kubernetes, Microsoft manages the complete control plane of Kubernetes for you, so that you mainly take care of the nodes on which your application is running. The general layout of AKS is as follows:
Securing a Kubernetes Cluster in AKS
Ensuring security in a Kubernetes cluster is no trivial undertaking. Fortunately, when choosing to use AKS, you will have to worry much less about the right configurations in your cluster, as Microsoft takes care of a lot of things in the background. For your own configurations, I recommend that you follow the recommendations of the official Kubernetes documentation.
In the following I will discuss the security aspects of the central cluster components and network security when using AKS:
An important part of the master node is the API server, which acts as the central interface through which all components communicate. An authentication service must be used to protect against unauthorized access. Azure Active Directory can be integrated into AKS for user authentication. The role-based access control of Kubernetes (RBAC) can then be configured based on user identity or group membership in AAD. It should also ensure that API traffic is encrypted and therefore enable transport layer security. Similarly, access to the API server can be restricted to certain authorized IP address ranges.
Worker nodes are the virtual machines running your container-based application. AKS runs both Windows and Linux nodes with minimalized operating systems. Linux nodes are automatically provided with operating system security updates. However, in case a reboot is required, it is your responsibility to restart the machines. Windows nodes must be updated at regular intervals. In addition, you should use all common methods used to protect virtual machines, such as security policies, firewalls and anti-virus.
Pods and Containers
You should set resource limits for your pods to prevent compromised pods from accessing too many underlying worker node resources. The container images in your pods should only be from secure sources and scanned for vulnerabilities before running them in the cluster.
Besides the components, network security plays an important role in AKS. Microsoft has developed a best practices guide that covers the following points:
- Selection of a suitable network model
- Distributing the input data traffic
- Securing data traffic with a Web application firewall
- Control the flow of data traffic with network policies
- Establishing secure connections with cluster nodes
With the service Azure Kubernetes Services, Microsoft eases the way to your own Kubernetes environment and relieves you of some security responsibilities.
However, there is still a lot to be done to create and operate a truly secure Kubernetes environment. Because the platform is so complex and powerful, many companies find it difficult to implement important security measures, which also doesn’t remain hidden from cybercriminals.
Please contact us if you need support for your Azure Kubernetes Services project.