CNCF Advances Kubernetes Security
The Cloud Native Computing Foundation (CNCF) this week formally added via of 1.12 release of Kubernetes support for an application programming interface (API) for requesting certificates from a cluster-level Certificate Authority (CA). This API enables provisioning of TLS client certificates in a way that allows a kubelet to bootstrap itself into a TLS-secured cluster and automates the provisioning and distribution of signed certificates.
The goal is to make the certificate management process for Kubernetes clusters less challenging. Because of the current complexity, many IT organizations deploy clusters with a single credential and single identity for all kubelets. In addition to creating a potential security and compliance issue, that approach prevents deployment of node lockdown features including the Node authorizer and the NodeRestriction admission controller.
At the same time, the CNCF has added beta support for a kubelet server certificate bootstrap and rotation capability. When a kubelet is launched it generates a self-signed certificate/key pair that is used for accepting incoming TLS connections. That certificate and bootstrap capability provide a mechanism for generating a key locally and then issuing a Certificate Signing Request to the cluster API server to get an associated certificate signed by the cluster’s root certificate authority. As certificates approach expiration, the same mechanism will be used to request an updated certificate.
In effect, CNCF is moving to programmatically automate a process that otherwise would lead to many Kubernetes clusters running afoul of compliance mandates set by cybersecurity teams that are not always as invested in deploying new platforms as DevOps teams.
Other notable new capabilities include support for Azure virtual machine scale sets (VMSS), which makes it easier to load balance virtual machines in the Azure cloud. Microsoft earlier this week made it clear that Kubernetes is now driving much of its hybrid cloud computing strategy.
New capabilities available in beta include topology-aware dynamic provisioning, configurable pod process namespace sharing, taint node by condition, arbitrary/custom metrics in the Horizontal Pod Autoscaler (which has been rewritten), support for vertical scaling of pods, and data encryption at rest using Google KMS as an encryption provider.
New capabilities available in alpha include RuntimeClass, a resource that surfaces container runtime properties to the control plane, and snapshot/restore functionality for Kubernetes and the container storage interface (CSI).
Tim Pepper, a senior staff engineer at VMware who contributes to Kubernetes, says advances in the ability to deploy stateful applications on Kubernetes using persistent storage have been rapid. While not every stateful application might optimally run on Kubernetes just yet, it’s clear a much broader spectrum of these applications now can be deployed on Kubernetes.
But, in general, Pepper says Kubernetes 1.12 represents a normal turn of the quarterly crank in an ongoing open source project that is ready for widespread use in enterprise IT settings.
In fact, the biggest issue many organizations might soon face is Kubernetes cluster sprawl. As IT organizations spin up Kubernetes on virtual and physical machines running on-premises and in the cloud, they may soon have more clusters running than they can handle.
