Securing a Cluster - Kubernetes Meetup by Grape Up
- Making AWS Kubernetes workloads more secure than ever. - Michał Kisielewski
- How to authenticate your users in Kubernetes API? - Michał Różycki
K8s is getting hot these days! If you're into containers, clusters, and containerization, you can't miss our upcoming meetup. Our experts, working with the platform on a daily basis, will guide you through the most important aspects of security while using Kubernetes!
Making AWS Kubernetes workloads more secure than ever. - Michał Kisielewski
In AWS, authorization between services is based on IAM roles. Roles can be attached to accounts, resources or services, and assumed either with an access key and secret or automatically via the metadata server.
The problem with this architecture on EKS is that the smallest entity that can assume a role is always the smallest entity visible from the AWS perspective, which in this case is an EC2 instance.
This creates a security issue, because all containers running on a worker node would have access to each other's policies. Kube2iam solves that issue, so you can continue to use fine-grained access control to AWS resources.
In this presentation, Michał will walk through the process of enabling kube2iam in an EKS cluster. Additionally, Michał will compare kube2iam to kiam.
How to authenticate your users in Kubernetes API? - Michał Różycki
Kubernetes is fast and furious when it comes to deploying your containers. Just run a few kubectl commands and your fully working application is there. Sounds pretty easy, but let's say you want to give other team members access to your cluster. Would you share the same admin token or certificate? That does not sound like a secure solution. Would you create a separate certificate for each team member? That does not seem to be a quick fix. But you want to work fast and stay secure at the same time. Fortunately, Kubernetes has a few more options for authenticating your users.
In this presentation, Michał will show different authentication methods in the Kubernetes API, including how to integrate it with Active Directory or an OpenID provider.