Secure Kubernetes application access via identity-aware access proxy with Pomerium and Traefik.
Traefik + Pomerium to Secure Access to Kubernetes Applications
Identity-Aware Proxy (IAP) is a secure method to provide access to internal applications without the use of VPNs. This zero-trust security model builds on Google’s BeyondCorp implementation of shifting security from network perimeters to individual users, determining access from the user’s context.
Image Credit: Google Security Blog
On Google Cloud, this can easily be achieved with Cloud IAP (see an example deployment for securing Grafana on GKE). Outside of GCP, there are two great open-source solutions:
A common use case for using an IAP like Pomerium is securing access to internal applications/tools (e.g. Kubernetes dashboard, ArgoCD, Kibana). Kubernetes dashboard, in particular, is a great candidate for Pomerium given how no Kubernetes services provide a managed dashboard aside from GKE. Unsecured Kubernetes dashboards made the headlines in 2018 when hackers installed crypto-mining malware on Tesla’s cloud instances, gaining access via the dashboard. The default installation now limits access significantly but having users enter in tokens after usingkubectl proxy
remains a cumbersome process.
Image Credit: Wired
This post will walk through an example setup of Pomerium in conjunction with Traefik to add authentication and authorization to the Kubernetes dashboard. Instead of issuingkubectl proxy
, users can authenticate via an identity provider (e.g. Google, Github, Okta) to access the dashboards easily.
NOTE: You can replace Traefik with an ingress controller of your choice (e.g. nginx, envoy, ambassador). Deploy the ingress controller as needed and replace the ingress annotations. All of the code is also hosted on Github:
Pomerium consists of four logical components:
Image Credit: Pomerium Docs
While Pomerium can also act as a forward-auth provider (delegate authentication and authorization to Pomerium for each request), we will focus on using Pomerium as a standalone identity-aware proxy since our goal is to make access to the Kubernetes dashboard easy and secure.
Assuming a barebones EKS installation, let’s start by deploying metrics-server
and kubernetes-dashboard
.
Installing metrics-server
:
$ kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/download/v0.3.7/components.yaml
Installing kubernetes-dashboard
:
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.3/aio/deploy/recommended.yaml
While those components are being deployed, create an eks-admin
service account and cluster role binding to connect to the dashboard with a token:
apiVersion: v1
kind: ServiceAccount
metadata:
name: eks-admin
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: eks-admin
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: eks-admin
namespace: kube-system
#kubernetes #security #identity-aware-proxy #software-development #programming