Hydra 1303



PKS and Security

from the Hydra High Council Apr 23rd 2019

When it comes to security, VMware PKS has several levels and considerations. We can leverage microsegmentation of microservices all the way to scanning an image in Harbor, and permit or deny a developer from downloading or pushing a particular image.

Let's take a look at the different levels at which PKS security works to help provision a trusted environment.

When we think about security, we like to take a layered approach, and in PKS what we see is 4 major building blocks: the infrastructure, the platform LCM (lifecycle management), the container management, and the applications. With those building blocks in mind, we also need to consider identity and access management, as well as monitoring.

So let's look at the infrastructure block first. If you think about infrastructure, what are the major challenges we see? Any intrusion can spread quickly and laterally. How do we solve this challenge with VMware PKS? We leverage network segmentation and microsegmentation with NSX-T, and isolation of the compute environment. We accomplish that by separating the logical network per cluster and namespace, automated via NSX-T, with the default design placing cluster networks behind secure routers (T0/T1 routers), and by distributing the K8s clusters across multiple vSphere clusters via availability zones (AZs).

The picture below illustrates some of the segmentation we mentioned.

Also in this blog, we would like to point out and cover the main security layers. We have two other blogs that get very specific on the architecture of microsegmentation with microservices. You can refer to those blogs to get more into the weeds of NSX-T and security policies. Here are the links for your reference:

Link 1: https://www.hydra1303.com/underthehood/microservices-security-with-pks-and-nsx-t/

Link 2: https://www.hydra1303.com/underthehood/security-policies-with-kubernetes-pks-and-nsx-t/

Another really cool feature from NSX-T that is worth mentioning is Traceflow, which allows you to trace packets from containers to physical networks.

So let's move to the next building block of security with VMware PKS, the platform LCM. With what we call the 3 R's, we can repair, repave and rotate, increasing the level of security, maximizing resistance to persistent threats, and reducing the threat of leaked credentials.

Repair - repairs vulnerable software as soon as updates are available.

Repave - repaves servers and applications from a known good state.

Rotate - rotates user credentials frequently, so they are only useful for short periods of time.

Also, as a consideration with repair, we have repair with BOSH plus Concourse, where the advantage is no downtime when you upgrade the platform and embedded components (OS, K8s). Leveraging Concourse delivers constant platform upgrades using CI/CD pipelines.

The next building block is container management. With that in mind, what we can offer with VMware PKS is flexible multi-tenancy: a cluster can be the unit of tenancy, or a namespace can be the unit of tenancy. We can use RBAC for clusters and namespaces.

We can also think about container image scanning. Container images can easily be built by layering on vulnerable images, and vulnerabilities can flow with the image into production environments. So having the ability to scan images against multiple CVEs and apply policy-based control over container images is a great advantage of VMware PKS.

Container images can be pulled from remote repositories, and images can easily be spoofed. Digital signatures on images and content trust are what Harbor can provide with Notary, where keys are verified and a digest is created.
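To make the two image controls above concrete (a scan policy that blocks images with CVEs above a severity threshold, and content trust that only accepts images pinned to a verified digest), here is an added example of the kind of admission-style check a platform team would run before an image reference reaches a cluster. It is not code from the original post, from VMware PKS or from Harbor. The trusted registry hostname `harbor.example.internal`, the sample image references, the placeholder CVE ids and the `SCAN_RESULTS` table are all constructed; the table stands in for what a registry-side scanner would report per digest.

```python
"""Admission-style policy check for container image references.

Added example, not code from the original post, VMware PKS or Harbor.
The trusted registry hostname, the sample image references and the scan
results are all constructed for illustration; the scan results stand in for
what a registry-side vulnerability scan (such as Harbor's) would report.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed placeholder for the organisation's Harbor instance.
TRUSTED_REGISTRY = "harbor.example.internal"

DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class ImageRef:
    registry: str
    path: str
    tag: Optional[str]
    digest: Optional[str]


def parse_ref(ref: str) -> ImageRef:
    """Split registry/path[:tag][@digest] following Docker's reference rules."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
        if not DIGEST_RE.fullmatch(digest):
            raise ValueError(f"malformed digest {digest!r}")
    # The first path component is a registry only if it looks like a hostname
    # (contains '.' or ':' or is 'localhost'); otherwise Docker Hub is implied.
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    # A ':' after the last '/' separates the tag (a ':' before it is a port).
    tag = None
    colon = path.find(":", path.rfind("/") + 1)
    if colon != -1:
        path, tag = path[:colon], path[colon + 1:]
    if not path:
        raise ValueError(f"empty repository path in {ref!r}")
    return ImageRef(registry, path, tag, digest)


def evaluate(ref_str: str,
             scan_results: Dict[str, List[Tuple[str, str]]],
             max_severity: str = "medium") -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Every violated rule adds one reason."""
    reasons: List[str] = []
    try:
        ref = parse_ref(ref_str)
    except ValueError as exc:
        return False, [str(exc)]
    if ref.registry != TRUSTED_REGISTRY:
        reasons.append(f"registry {ref.registry!r} is not the trusted registry")
    if ref.digest is None:
        # A tag is mutable and can be repointed; only a digest pins content.
        reasons.append("reference is not pinned by digest")
    else:
        findings = scan_results.get(ref.digest)
        if findings is None:
            reasons.append("no scan result for this digest")
        else:
            limit = SEVERITY_RANK[max_severity]
            for cve_id, severity in findings:
                if SEVERITY_RANK[severity] > limit:
                    reasons.append(f"{cve_id} is {severity}, above {max_severity}")
    return (not reasons), reasons


# --- constructed sample data (not real images or advisories) -----------------
CLEAN_DIGEST = "sha256:" + "a" * 64
BAD_DIGEST = "sha256:" + "b" * 64
SCAN_RESULTS = {
    CLEAN_DIGEST: [("CVE-XXXX-0001", "low")],
    BAD_DIGEST: [("CVE-XXXX-0002", "critical"), ("CVE-XXXX-0003", "medium")],
}
SAMPLE_REFS = [
    f"{TRUSTED_REGISTRY}/team-a/api:1.4.2@{CLEAN_DIGEST}",   # allowed
    f"{TRUSTED_REGISTRY}/team-a/api:1.4.2",                   # tag only
    f"{TRUSTED_REGISTRY}/team-a/worker@{BAD_DIGEST}",         # critical CVE
    "nginx:latest",                                           # public, untrusted
]

if __name__ == "__main__":
    for ref in SAMPLE_REFS:
        allowed, reasons = evaluate(ref, SCAN_RESULTS)
        print("ALLOW" if allowed else "DENY ", ref, *reasons, sep="  ")
```

The check deliberately reports every violated rule rather than stopping at the first one, so a developer whose push or pull is denied sees both that the reference is tag-only and that the registry is not the trusted Harbor instance. In a real deployment the `SCAN_RESULTS` lookup would be replaced by a query to the registry's scan report for that digest, and the digest itself would come from the signed, Notary-verified manifest rather than from the reference string alone.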

And we also need to consider the applications and how to monitor them. With VMware PKS, we can leverage some really neat monitoring tools like Wavefront and vROps.

There is a lot to security, and many levels of security with VMware PKS; to summarize the big picture, this is what the layout looks like.