Tetrate Enlists USAF to Streamline Authentication in Kubernetes Environments Using Istio
Tetrate, in collaboration with the United States Air Force (USAF) Platform One team, today launched Authservice, an open-source project that replaces the existing authorization service for the Istio service mesh with one that is simpler to deploy and manage.
Zack Butcher, principal engineer for Tetrate, said Authservice uses Istio mesh sidecars and Kubernetes secrets to let IT teams dynamically manage application authentication without writing any additional code. Instead, IT teams generally only need to add a label to an application to enable Authservice, he added.
Written in the Go programming language, Authservice supports OpenID Connect (OIDC) so that IT teams can centrally manage authentication via the Istio service mesh running on a Kubernetes cluster. That approach also has the added benefit of streamlining authentication audits, noted Butcher.
The Platform One engineering team that manages a cloud-based DevOps environment for the USAF is now using Authservice to provide single sign-on (SSO) capabilities to applications at the time they are deployed via a distribution of Istio curated by Tetrate. In addition, Authservice is being made available via a software factory that the Department of Defense (DoD) manages on behalf of other branches of the U.S. military.
As more organizations embrace zero-trust IT principles, more responsibility for security operations (SecOps) is being shifted toward IT operations teams. That’s critical because there are simply not enough cybersecurity professionals available to detect threats, define policies to thwart attacks and manage SecOps. Authservice makes it simpler for IT teams to centrally manage authentication at a time when more organizations are embracing platform engineering as a DevOps methodology for managing Kubernetes environments at scale, said Butcher.
It’s not clear at what pace the Technical Oversight Committee (TOC) that oversees the development of Kubernetes is addressing cybersecurity-related updates to the core platform, but as more IT teams deploy Kubernetes clusters in production environments, the need to simplify authentication and other access control mechanisms is becoming more apparent. Istio, a service mesh being advanced under the auspices of the Cloud Native Computing Foundation (CNCF) alongside Kubernetes, provides an opportunity to manage authentication at a higher level of abstraction, noted Butcher.
Naturally, it remains to be seen whether the technical committee that oversees the development of Istio will embrace Authservice, or to what degree other providers of Istio distributions might support it. However, with the backing of the USAF and DoD, it’s probable Authservice will gain traction both among federal agencies and among the enterprise IT organizations that build applications for those agencies.
In the meantime, IT teams should expect the volume of cyberattacks aimed at Kubernetes environments to steadily increase. As more Kubernetes clusters are deployed in production environments, cybercriminals are becoming more aware of the rich portfolio of cloud-native applications being deployed on a new type of platform. In effect, they are stress testing Kubernetes clusters for weaknesses that inevitably will be discovered. The challenge now is determining how quickly the Kubernetes and Istio communities can respond to mitigate those threats as soon as they are disclosed.