Kubernetes Security Authentication Moving Forward With SIG-Auth

At KubeCon + CloudNativeCon NA 2018, members of the Special Interest Group tasked with looking at authorization security issues outline what has been going on to help improve Kubernetes security.

Kubernetes SIG-AUTH

SEATTLE—The basic units of organization within the Kubernetes community are the Special Interest Groups that help define and implement new features and capabilities. For security, one of the primary SIGs within Kubernetes is SIG-Auth.

Kubernetes is a widely used container orchestration platform that is supported on all the major public cloud providers and is also deployed on-premises. In a session at the KubeCon + CloudNativeCon NA 2018 here, the leaders of SIG-Auth outlined how the group works and what the current and future priorities are for the Kubernetes project.

"SIG-Auth is responsible for designing and maintaining parts of Kubernetes, mostly inside the control plane, that have to deal with authorization and security policy," Google Software Engineer Mike Danese said during the session. 

Danese said that SIG-Auth has multiple subprojects that are all detailed in the group's GitHub repository. Those subprojects include audit, encryption at rest, authenticators, node identity/isolation, policy, certificates and service accounts.

SIG-Auth in 2018

Over the course of 2018, SIG-Auth has been active helping to get multiple security authorization features into Kubernetes. Among the features added are better node isolation and protection of specific labels and self-deletion.

"Nodes are a pretty big attack vector in a cluster, so being able to prevent nodes from changing what the taints and tolerations was important," said Jordan Liggitt, staff software engineer at Google.

Liggitt also said that better audit capabilities have been added to Kubernetes in the past year, including the addition of authorization and admission annotations to audit events, which landed in the Kubernetes 1.12 release. In the recent Kubernetes 1.13 release, which became generally available on Dec. 3, the etcd encryption feature became stable. Etcd is the core distributed key value store that enables Kubernetes.

"We worked really hard to get encryption finally stabilized; it's surprisingly difficult to get it right," Liggitt said.

Service account tokens also found their way into Kubernetes in 2018 with beta implementations.

"Service accounts are the greatest thing ever if you care about security," Liggitt said. "Generally speaking, the tokens for service accounts are stored in secrets, so if you can read a secret you can become a service account."

A secret in the Kubernetes context is any type of password, token or access authorization credential that is needed use a service. The service accounts also have Role Based Access Control (RBAC) attached to them to further validate accounts.

What's Coming

Among the improvements that are coming to Kubernetes in 2019 is a refined approach to policy.

"Policy is a vaguely defined thing, but usually when we're talking about policy we mean admission controllers and things that are enforced through admission," Google Software Engineer Tim Allclair said. "We tend to talk about authorization and RBAC separately."

Allclair said that in 2018, the concept of dynamic admission controllers was introduced into Kubernetes, and he expects that in 2019 an ecosystem of different admission controllers will emerge facilitating better policy and enforcement. For common use cases, he said organizations might not want to have to deal with writing detailed configuration. One of the use cases that SIG-Auth is working on is time-based scheduling policy for admission. Additionally, Allclair said there have been conversations in SIG-Auth about image policies. 

"So restricting kind of what repositories and what images you can use," he said.

Another big item on the SIG-Auth to-do list for 2019 is the stabilization of the Pod Security Policy feature. According to the Kubernetes project documentation, a Pod Security Policy is a cluster-level resource that controls security-sensitive aspects of the pod specification. As of the Kubernetes 1.13 release, Pod Security Policy is still labeled as a beta feature and is not yet considered to be stable or generally available.

"It's an important area and so we'll be thinking about what the path forward for that [Pod Security Policy] is," Allclair said.

Looking forward, Allclair would like to see more people getting involved in SIG-Auth, though he warned that the projects involved often have some very complex nuances. He added that new contributors can expect to get a little more resistance in the review process initially than perhaps other Kubernetes SIGs.

"We're dealing with security issues that have potentially very serious implications," Allclair said. 

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.