Secure Kubernetes application access via identity-aware access proxy with Pomerium and Traefik.

Image for post

Traefik + Pomerium to Secure Access to Kubernetes Applications

Identity-Aware Proxy (IAP) is a secure method to provide access to internal applications without the use of VPNs. This zero-trust security model builds on Google’s BeyondCorp implementation of shifting security from network perimeters to individual users, determining access from the user’s context.

Image for post

Image Credit: Google Security Blog

On Google Cloud, this can easily be achieved with Cloud IAP (see an example deployment for securing Grafana on GKE). Outside of GCP, there are two great open-source solutions:

A common use case for using an IAP like Pomerium is securing access to internal applications/tools (e.g. Kubernetes dashboard, ArgoCD, Kibana). Kubernetes dashboard, in particular, is a great candidate for Pomerium given how no Kubernetes services provide a managed dashboard aside from GKE. Unsecured Kubernetes dashboards made the headlines in 2018 when hackers installed crypto-mining malware on Tesla’s cloud instances, gaining access via the dashboard. The default installation now limits access significantly but having users enter in tokens after usingkubectl proxy remains a cumbersome process.

Image for post

Image Credit: Wired

This post will walk through an example setup of Pomerium in conjunction with Traefik to add authentication and authorization to the Kubernetes dashboard. Instead of issuingkubectl proxy , users can authenticate via an identity provider (e.g. Google, Github, Okta) to access the dashboards easily.

Prerequisites

  • Kubernetes Cluster (e.g. EKS, AKS)
  • Helm v3
  • DNS provider (e.g. Cloudflare)
  • Ingress controller (e.g. Traefik)
  • Certificate manager (e.g. cert-manager)

NOTE: You can replace Traefik with an ingress controller of your choice (e.g. nginx, envoy, ambassador). Deploy the ingress controller as needed and replace the ingress annotations. All of the code is also hosted on Github:

Yitaek/pomerium-iap-traefik

Identity-Aware Proxy (IAP) is a secure method to provide access to internal applications without the use of VPNs. The…

github.com

High-Level Architecture

Pomerium consists of four logical components:

  • Proxy Service: main proxy to direct users to establish identity
  • Authentication Service (AuthN): verifies identity via identity provider (IdP)
  • Authorization Service (AuthZ): determines permissions
  • Cache Service: stores and refreshes IdP access and tokens

Image for post

Image Credit: Pomerium Docs

While Pomerium can also act as a forward-auth provider (delegate authentication and authorization to Pomerium for each request), we will focus on using Pomerium as a standalone identity-aware proxy since our goal is to make access to the Kubernetes dashboard easy and secure.

Deployment Guide

Assuming a barebones EKS installation, let’s start by deploying metrics-server and kubernetes-dashboard.

Kubernetes Dashboard

Installing metrics-server:

$ kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/download/v0.3.7/components.yaml

Installing kubernetes-dashboard:

$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.3/aio/deploy/recommended.yaml

While those components are being deployed, create an eks-admin service account and cluster role binding to connect to the dashboard with a token:

	apiVersion: v1
	kind: ServiceAccount
	metadata:
	  name: eks-admin
	  namespace: kube-system
	---
	apiVersion: rbac.authorization.k8s.io/v1beta1
	kind: ClusterRoleBinding
	metadata:
	  name: eks-admin
	roleRef:
	  apiGroup: rbac.authorization.k8s.io
	  kind: ClusterRole
	  name: cluster-admin
	subjects:
	- kind: ServiceAccount
	  name: eks-admin
	  namespace: kube-system

#kubernetes #security #identity-aware-proxy #software-development #programming

Securing Kubernetes Dashboard on EKS with Pomerium
8.15 GEEK