For organizations managing user access to many Kubernetes clusters at once, maintaining security while ensuring that users can reach only the resources they need is a difficult balancing act. Often, teams manage access to each cluster separately, sometimes through jump hosts or VPNs, with makeshift tooling to audit what each user did. This approach is error-prone, raises the risk of a breach, and becomes harder to maintain as the number of clusters and people in the organization grows. That is likely one reason a recent research study found roughly 380,000 Kubernetes API servers exposed to the internet.
For teams operating Kubernetes infrastructure, Zero-Trust principles promise a resolution to these access-security concerns: grant individuals access to the resources they need, while preventing them from exceeding the scope of their assigned permissions, with that check applied to every individual request or transaction.
This raises the question: how can organizations apply Zero-Trust principles to secure and manage their Kubernetes environments, and still do it in a human-friendly way? Building on our commitment to the open source community and its drive for collaborative innovation, we can’t wait for you to try Paralus: the first open source Zero-Trust access service for Kubernetes!
What is Paralus?
Paralus is an open source access manager for Kubernetes clusters. It lets you create and manage access control policies for people, teams and services across multiple Kubernetes clusters without requiring any changes to your firewall. You can also connect Paralus to an SSO provider such as GitHub, Azure AD or Okta, so that users sign in to their clusters with exactly the access rights they were granted. It also records an audit log for compliance, so you can see who did what on your Kubernetes infrastructure, and when. Paralus can be used through a web GUI, a CLI, or an API.
Problems Paralus Solves
Paralus solves a number of problems we see dev teams face:
- Centralized access management: access for all users across all of your Kubernetes clusters is managed in one place. Your users can be located anywhere, and your clusters can be hosted in the cloud or on-prem. With Paralus, you handle access management for every cluster through a single tool.
- Secured kubectl access: Paralus integrates with your existing enterprise RBAC policies and with your SSO provider. Teams can reuse the security policies and sign-in procedures they already have, and only authorized users can reach your Kubernetes infrastructure.
- Immutable audit trails: every kubectl command executed by users across your organization is recorded, as are administrative actions such as creating groups, users, projects and roles. These audit trails are immutable and let you demonstrate compliance with industry standards and internal policies.
- Support for OIDC: OpenID Connect is an open authentication standard built on top of OAuth 2.0 that lets an application authenticate users against many different identity providers. OIDC support is built into Paralus, so you can use it with GitHub, Google, Microsoft or Okta; it works with all leading identity providers (IdPs).
- Custom roles: Rafay’s original implementation of the Zero-Trust access service offered only a fixed set of predefined roles. With Paralus, we introduced finer-grained control through custom roles with specific permissions, all of which work with your identity provider.
- Dynamic permissions: Paralus lets you add or remove policies and permissions on an existing role, and revoke permissions at any time, without deleting and recreating the role. This makes governing access easier.
- Multiple workflows: depending on your preference, Paralus can be used in three ways: a web GUI, a CLI tool called pctl, or an API.
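To make the capabilities listed above concrete, here is an added illustration (written for this page; it is not Paralus code and does not reflect how Paralus is implemented) of what a central access service for several clusters has to do on every request: resolve the caller's user and SSO groups against role bindings scoped to a cluster and namespace, default to deny, apply a permission change to an existing role without recreating it, and append a tamper-evident record to the audit trail. All role, cluster, namespace, user and group names are invented for the demo, and the hash chain is one simple way to make edited or dropped audit records detectable, not the mechanism the page describes.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

type (
	// Request is one action (for example a kubectl call) arriving at a central access service.
	Request struct {
		User, Cluster, Namespace, Verb, Resource string
		Groups                                   []string
	}
	Rule        struct{ Verbs, Resources []string }               // "*" matches any verb or resource
	Binding     struct{ Subject, Role, Cluster, Namespace string } // "*" = every cluster or namespace
	AuditRecord struct{ Entry, Hash string }                       // Hash = chainHash(previous Hash, Entry)
	Authorizer  struct {                                           // roles, bindings and audit trail for all clusters
		Roles    map[string][]Rule
		Bindings []Binding
		Audit    []AuditRecord
		last     string // hash of the newest audit record
	}
)

// matchAny reports whether v is in patterns; with wildcard set, a "*" pattern matches anything.
func matchAny(patterns []string, v string, wildcard bool) bool {
	for _, p := range patterns {
		if p == v || (wildcard && p == "*") {
			return true
		}
	}
	return false
}

// chainHash ties each audit record to its predecessor, so editing or dropping one breaks the chain.
func chainHash(prev, entry string) string { return fmt.Sprintf("%x", sha256.Sum256([]byte(prev+"\n"+entry))) }

// Allowed is default-deny: the request passes only if a binding for the user or one of their groups
// selects a role whose rules cover the verb and resource in that cluster and namespace. Every
// decision, allowed or denied, is appended to the audit trail.
func (a *Authorizer) Allowed(r Request) bool {
	subjects := append([]string{r.User}, r.Groups...)
	allowed := false
	for _, b := range a.Bindings {
		if !matchAny(subjects, b.Subject, false) || !matchAny([]string{b.Cluster}, r.Cluster, true) ||
			!matchAny([]string{b.Namespace}, r.Namespace, true) {
			continue
		}
		for _, rule := range a.Roles[b.Role] {
			if matchAny(rule.Verbs, r.Verb, true) && matchAny(rule.Resources, r.Resource, true) {
				allowed = true
			}
		}
	}
	entry := fmt.Sprintf("user=%s cluster=%s ns=%s verb=%s resource=%s allowed=%t",
		r.User, r.Cluster, r.Namespace, r.Verb, r.Resource, allowed)
	a.last = chainHash(a.last, entry)
	a.Audit = append(a.Audit, AuditRecord{Entry: entry, Hash: a.last})
	return allowed
}

// RevokeVerb drops a verb from every rule of a role in place; the role is not deleted and recreated.
func (a *Authorizer) RevokeVerb(role, verb string) {
	for i, rule := range a.Roles[role] {
		var kept []string
		for _, v := range rule.Verbs {
			if v != verb {
				kept = append(kept, v)
			}
		}
		a.Roles[role][i].Verbs = kept
	}
}

// VerifyAudit recomputes the hash chain from the start and reports whether it is still intact.
func (a *Authorizer) VerifyAudit() bool {
	prev := ""
	for _, rec := range a.Audit {
		if chainHash(prev, rec.Entry) != rec.Hash {
			return false
		}
		prev = rec.Hash
	}
	return true
}

// NewDemoAuthorizer returns constructed sample policy (all names invented): an "sre" group that may
// do anything in any cluster, and user "alice" who may only read pods in one namespace of one cluster.
func NewDemoAuthorizer() *Authorizer {
	return &Authorizer{
		Roles: map[string][]Rule{
			"ns-admin":   {{Verbs: []string{"*"}, Resources: []string{"*"}}},
			"log-reader": {{Verbs: []string{"get", "list"}, Resources: []string{"pods", "pods/log"}}},
		},
		Bindings: []Binding{{"sre", "ns-admin", "*", "*"}, {"alice", "log-reader", "prod-eu", "payments"}},
	}
}

func main() {
	a, alice := NewDemoAuthorizer(), Request{User: "alice", Cluster: "prod-eu", Namespace: "payments", Verb: "get", Resource: "pods"}
	fmt.Println("alice may get pods:", a.Allowed(alice)) // true
	a.RevokeVerb("log-reader", "get")
	fmt.Println("after revoke:", a.Allowed(alice), "audit intact:", a.VerifyAudit()) // false true
}
```

Two design points are worth noting. Group membership arrives with the request (in practice from the SSO or OIDC identity), so a binding to the `sre` group covers any user the identity provider places in it; and a request for the same verb and resource in a different cluster is denied even though the user holds the role elsewhere, which is the per-request scoping the Zero-Trust description above calls for. The hash chain only detects edits or deletions in the middle of the log; protecting the newest record from truncation needs the latest hash to be anchored somewhere the writer cannot modify.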
We’ve also open sourced our roadmap, so you can have a look at what else we’re planning for Paralus. Suggestions and improvements, in the form of GitHub Issues, are more than welcome.
Why Contribute Paralus to CNCF?
At Rafay, we believe that using open source comes with a responsibility to contribute, sustain, and improve the projects that make our ecosystem better. To support the next phase of community-driven innovation, enable net-new adoption patterns, and to further raise the bar in the container tool industry, we are excited to announce today that we have submitted Paralus as a sandbox project to the Cloud Native Computing Foundation (CNCF).
At Rafay we would love for Paralus to be a part of the CNCF landscape, as part of a neutral foundation aligned with its technical interests, as well as the larger Linux Foundation, which provides governance, marketing support, and community outreach. We hope we can get the community and other Open Source projects to collaborate with the ultimate goal of helping everyone secure the modern software technology stack and infrastructure.