May 19, 2020

Kubernetes RBAC explained

Introduction

Whether it is from CI/CD or from the command line, I often see the default kubeconfig with cluster-admin rights being used. This is like permanently working with root privileges, and there certainly are more secure ways. In this post we will demystify Kubernetes RBAC and set up more suitable permissions for two use-cases:

- a CI/CD pipeline that needs full permissions on anything located in a given Namespace
- a reader who needs to access resources for troubleshooting purposes

Concepts

Roles and ClusterRoles define sets of permissions on objects: a Role is namespaced, a ClusterRole is cluster-scoped.

Read more
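The two use-cases above, written out as RBAC objects. This is an added example and not code from the post: the `ci` Namespace, the `deployer` ServiceAccount and the `troubleshooters` group are assumed names, and the resource list of the read-only ClusterRole is one reasonable choice, not the only one.

```yaml
# Added example, not from the original post. Names (ci, deployer,
# troubleshooters) are assumptions for illustration.
---
apiVersion: v1
kind: Namespace
metadata:
  name: ci
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: deployer
  namespace: ci
---
# Use-case 1: full permissions, but only inside the "ci" Namespace.
# A Role is namespaced, so "*" here cannot reach objects in other
# namespaces or cluster-scoped objects (Nodes, ClusterRoles, Namespaces).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ci-namespace-admin
  namespace: ci
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: deployer-ci-namespace-admin
  namespace: ci
subjects:
- kind: ServiceAccount
  name: deployer
  namespace: ci
roleRef:
  kind: Role
  name: ci-namespace-admin
  apiGroup: rbac.authorization.k8s.io
---
# Use-case 2: read-only access for troubleshooting, in every namespace.
# Secrets are deliberately left out: being able to read them would hand
# over every credential in the cluster, which a troubleshooter does not need.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: troubleshooter
rules:
- apiGroups: [""]
  resources: ["namespaces", "nodes", "pods", "pods/log", "events",
              "services", "endpoints", "configmaps", "persistentvolumeclaims"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources: ["deployments", "replicasets", "statefulsets", "daemonsets"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["batch"]
  resources: ["jobs", "cronjobs"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["networking.k8s.io"]
  resources: ["ingresses", "networkpolicies"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: troubleshooters-read-only
subjects:
- kind: Group
  name: troubleshooters   # group name as your authenticator (OIDC, client certs) presents it
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: troubleshooter
  apiGroup: rbac.authorization.k8s.io
```

Check the result before handing out the kubeconfig or token: `kubectl auth can-i create deployments -n ci --as=system:serviceaccount:ci:deployer` should answer `yes`, while `kubectl auth can-i get secrets -n kube-system --as=system:serviceaccount:ci:deployer` and `kubectl auth can-i delete pods -n ci --as=someone --as-group=troubleshooters` should answer `no`. Two caveats: "*" in the pipeline Role includes reading every Secret in `ci` and creating Roles and RoleBindings there, so treat the `deployer` token as a credential for the whole namespace; and the built-in `view` ClusterRole is an alternative for the reader, since it also excludes Secrets, if you prefer not to maintain the resource list yourself.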

May 18, 2020

Kubernetes policies with Gatekeeper

Introduction

Gatekeeper is a validating admission webhook that enforces CRD-based policies executed by Open Policy Agent. In a previous post we went into details about OPA; this post supersedes it. The differences between OPA and Gatekeeper are listed here. In this post we will explore Gatekeeper, starting with a policy that requires a given label to be present on every Namespace. In upcoming posts we will implement policies as described here:

Read more

May 11, 2020

SSH login with yubikey using PIV

Introduction

This article will take you through setting up a YubiKey to hold your SSH private key. It assumes that you have a PIV-enabled YubiKey: PIV, or FIPS 201, is a US government standard. It enables RSA or ECC sign/encrypt operations using a private key stored on a smartcard (such as the YubiKey NEO), through common interfaces like PKCS#11. PIV is primarily used for non-web applications. It has built-in support under Windows, and can be used on OS X and Linux via the OpenSC project.

Read more

April 13, 2020

Securing your Kubernetes configuration. Not so simple!

Introduction

There are lots of articles explaining what is important and what you should consider to secure your Kubernetes configuration, but I have not found many that guide you through the steps of implementing these recommendations. I am not talking about securing the application code (something software engineers should be used to) or the containers (a topic for another time). These recommendations are in the realm of:

Read more

May 16, 2019

Protect critical Kubernetes namespaces with Open Policy Agent

Introduction

Update 2020-05-16: Gatekeeper supersedes OPA, so there is a new post that replaces this one.

Update 2019-09-08: after finding a critical bug causing my cluster to hang and become unusable after a restart, I did some investigation and testing and have updated the project on GitHub.

Open Policy Agent is an open-source, general-purpose policy engine that enables unified, context-aware policy enforcement across the entire stack. OPA provides greater flexibility and expressiveness than hard-coded service logic or ad-hoc domain-specific languages and comes with powerful tooling to help anyone get started.

Read more

Content licensed under CC BY 4.0