The Kubernetes Current Blog

Webinar Follow-Up: Secure your Kubernetes Infrastructure with Zero Trust Principles

During this webinar, Ashish Kar, VP of Product Management at Araali Networks, and Naveen Chakrapani, Director of Product Management at Rafay Systems, covered securing K8s environments with Zero Trust principles.

You can access the recording of the webinar here.

A few key points presented include:

  • How Rafay’s Zero Trust Kubectl Access (ZTKA) and Paralus OSS integrate best practices across Secure Access, Kubernetes RBAC and SSO to enable a Zero Trust model for K8s infrastructure access
  • How Araali Networks implements a Zero Trust approach for runtime security by combining K8s context, workload identity and resource identity

We promised to follow up with additional details for questions that we didn’t have enough time to address live.

1. Is it possible to revoke kubeconfig to block kubectl access for a particular user?

There may be cases where a user no longer requires kubectl access, or where the kubeconfig file may have been compromised (e.g., a lost or stolen laptop). Revoking a specific user’s kubeconfig immediately is straightforward from within Rafay’s platform. Note that this is done centrally across clusters, i.e., it is not required to repeat it cluster by cluster.

More information available here.

Users are also provided the means to revoke their own kubeconfigs, for scenarios where they believe their kubeconfig file has been compromised (e.g., a lost or stolen laptop).

2. Is it possible to selectively allow kubectl access for a user to a particular cluster, i.e., implement break glass?

Yes. For scenarios where kubectl access for a user needs to be enabled temporarily (to debug an issue, for instance), it is possible to implement a break glass process on a per-cluster basis.

More information on providing temporary access with Rafay available here.

3. Does Rafay offer any capabilities that can help with disaster recovery?

Yes. Rafay offers a fully integrated, turnkey cluster backup and restore capability that enables customers to centrally configure, automate and operationalize disaster recovery (DR) and cluster migration use cases. With this capability, administrators can configure backups for their clusters and workloads in a few minutes.

More information on backup and restore and operationalizing DR available here.

4. Does Rafay have any guidance for organizations that operate in highly regulated industries?

Rafay provides Standard Operating Model (SOM) templates which customers can leverage to operationalize environments in a consistent manner. The SOM templates enable capabilities that are critical for compliance, such as cluster backup and restrictive OPA Gatekeeper policies, by default.

More information on AWS EKS SOM here.
More information on Azure AKS SOM here.

Here are some additional resources I think you’ll find helpful:

Ready to find out why so many platform teams have partnered with Rafay to improve Kubernetes security and establish zero trust principles? Sign up for a free trial.

Have you heard about the access manager for Kubernetes that Rafay open sourced, called Paralus? Give us a star on github.com/paralus/paralus and learn more at paralus.io.
