PKS and Security 

When it comes to Security, VMware PKS has several levels and considerations. We can leverage the Microsegmentation of Microservices all the way to scanning an image in Harbor, and permit or deny a developer from downloading or pushing a particular image. 

Let’s take a look at the different levels that PKS Security is working to help provision a trusted environment. 

When we think about security, we like to take the layered approach, and in PKS, what we see is 4 major building blocks – the infrastructure, the platform LCM, the container management, and the applications. With those building blocks in mind, we also need to consider identity and access management, as well as monitoring. 

So let’s take a look in the infrastructure block first. If you think infrastructure, what are the major challenges that we see? Any intrusion can spread quickly and laterally.  How do we solve this challenge with VMware PKS? We leverage network segmentation and Microsegmentation with NSX-T and isolation of the compute environment.   We manage to accomplish that by separating logical network per cluster and Namespace automated via NSX-T, with the default design to place cluster networks behind secure routers ( T0/T1 routers) and by distributing the K8s cluster on multiple vSphere clusters via availability zones (AZ’s). 

The picture below illustrates some of the segmentation we mentioned. 

 

 

Also on this blog, we would like to point out and cover the main security layers. We do have two other blogs that get very specific on the architecture of Microsegmentation with microservices. You can refer to those blogs to get more into the weeds of NSX-T and Security policies. Here are the links for your reference:  

Link 1:  https://www.hydra1303.com/underthehood/microservices-security-with-pks-and-nsx-t/ 

Link 2: https://www.hydra1303.com/underthehood/security-policies-with-kubernetes-pks-and-nsx-t/ 

Another really cool feature that is worth mentioning from NSX-T is Traceflowwhich will allow you to trace packets from containers to physical networks. 

So let’s move to the next building block of security with VMware PKS, and that is the platform LCM.  With what we call the 3 R’s, we can repair, repave and rotate, increasing the level of security and maximizing the resistance to persistent threats, and reduce the threat of licked credentials.  

Repair- repairs vulnerable software as soon as updates are available. 

Repave– repaves servers and applications from a known good state. 

Rotate– rotates user credentials frequently, so they are only useful for short periods of time. 

Also a consideration with repair, we have repair with BOSH plus Concourse, in which the advantage is no downtime when you upgrade the Platform and embedded components (OS, K8s). Leveraging Concourse delivers constant platform upgrades using CI/CD pipelines. 

 

 

 

The next building block is the Container Management. With that in mind, what we can offer with VMware PKS is flexible multi-tenancy. We can have a cluster as a unity of tenancy and namespace as a unity of tenancy. We can use RBAC for clusters and namespaces. 

 

 

We can also think about container image scanning. Container images can be easily built by layering vulnerable images. Vulnerabilities can flow with the image onto production environments. So having the ability to scan images against multiple CVE’s and utilize a policy based container image is a great advantage of VMware PKS. 

Container Images can be pulled from remote repositories, and images can be easily spoofed. Digital signature on images and content trust is what Harbor can provide with notary, where keys are verified and digest is created. 

 

 

 

And we also need to consider the Applications and how to monitor them.  With VMware PKS, we can leverage some really neat monitoring tools like Wavefront and vROPS. 

There is a lot in Security and many levels of security with VMware PKS, and to summarize the big picture, this is what the layout looks like.