Announcing: Pomerium & FleetDM integration.
Register for the webinar here.
Pomerium logo
Log In Contact Sign Up
Mobile Menu
Products
Pomerium Zero Pomerium Enterprise
Mobile Menu
Use Cases
VPN Replacement Secure Remote Access Zero Trust Application Access Clientless Access Continuous Verification Context-Aware Access Secure Kubernetes
Pricing
Mobile Menu
Resources
Comparisons Integrations Blog eBooks Glossary
Mobile Menu
Docs
Get Started with Zero Quickstart Fundamentals Architecture Guides Discuss Forum GitHub

Kubernetes

Securing Kubernetes with Pomerium

Securing access to Kubernetes API and deployments

Kubernetes (often abbreviated as k8s) is an system for managing large numbers of containers in production. It was originally inspired by Google’s production environment and has been adopted into many companies as a useful way to manage and scale deployments.

While Kubernetes is excellent for deployments and comes with its own role-based access controls (RBAC), organizations often struggle with provisioning fine-grained access control to the API server. This matters because the Kubernetes API server functions as the central management entity and gateway for all components in a Kubernetes cluster. Not only does it process and handle requests (often through a kubectl ), it also maintains the desired state specified by users, making it a desirable target of access for hackers or malicious insiders.

Companies solve this with Pomerium to add zero trust fine-grained access control to clusters themselves.

Securing access to the Kubernetes Control plane

Currently, many organizations grant access to Kubernetes by having the user tunnel through the network perimeter to access a bastion host, then from there SSH port-forward to the API server (often through kubectl).

Users required to use third-party client for access
Learn More
Coarse-grained access controls applied here on session start
Learn More
Expanded data boundary with third party network
Learn More
The perimeter problem - once a user has access, they can realistically go anywhere.
Learn More
Reverse proxy for reachability, but no access controls
Learn More
Bastion host is unable to limit access to servers behind it. Users have access to both clusters.
Learn More
Reaching API server which controls the cluster
Learn More

The user access flow can be boiled down to this:

  1. The User logs in via the VPN client. This is where authentication and authorization is checked.

  2. The User now can reach the bastion host inside the VPC. The bastion host acts as a simple reverse proxy with access to the internal IP addresses of the Kubernetes API servers.

    • The bastion host itself has been configured with the necessary roles and permissions to access the Kubernetes API servers.

    • Firewall rules allow users to SSH access to the bastion host, and allow for the bastion host to communicate with the API servers.

The Users can now use SSH port-forwarding through the bastion host to access any reachable Kubernetes API servers

The Kubernetes Role Based Access Control (RBAC) is a key security control mechanism for the Kubernetes API server to provision least privilege access. However, this entire setup before reaching the kubectl — Steps 1 to 3, from the VPN client to the bastion host — exists because integrating with other systems is out of scope for the Kubernetes API server.

Why is the generic bastion host setup “wrong"?

This is a well-known system, but it has certain demerits:

  • Overprovisioned access may result in privilege abuse: Organizations often don’t want their users to be unproductive while waiting for access, they tend to shift towards giving more access than necessary. This happens even when the organization originally started off with least privilege access best practices; in the end, productivity has been prioritized and users or roles gain more access over time. Finally, granted permissions are often difficult to remove for various reasons.

  • Unfettered lateral movement: This architecture falls firmly into the Perimeter Problem: once a user has tunneled to reach the bastion host, they have unlimited access to any cluster reachable from the bastion host. In this above case, the user would have access to the control planes for both Clusters A and B.

  • Lacks continuous verification: User access is session-based, meaning there is little to no security measures in place once a user gains access. While it’s possible to inspect traffic, it is almost never done due to the increased lift and complications of inspecting this traffic. As a result, companies cannot prevent bad actions before they happen.

  • Lack of contextual awareness: The RBAC system is identity-aware but not context-aware. The modern threat landscape should assume compromised credentials and malicious insiders, meaning the context surrounding access requests should be considered. This includes details such as the time of day, geo-location, application state, devices, and more, which the built-in Kubernetes access controls do not consider.

This setup exists because the Kubernetes API server doesn’t integrate well with other systems for authenticating human access. We solve this by extending the server’s capabilities with a reverse proxy which can integrate with missing features.

The Pomerium Difference

We solve these problems by extending the server’s capabilities with a reverse proxy which can integrate with missing features. Pomerium acts as a reverse proxy for Kubernetes like any other upstream service to add zero trust access controls.

Clientless access for usability
Learn More
Direct connection for fastest latency, no going through a 3rd party.
Learn More
Fine-grained, zero trust access controls. Identity and context aware, with each request being continuously verified.
Learn More
Pomerium can limit which cluster's control plane is being accessed, drastically reducing lateral movement.
Learn More

This might look like the previous iteration with just one removed hop, but the connections and brokered access are quite different. Pomerium is a reverse proxy with Kubernetes-specific logic, making it an ideal solution for integrating the Kubernetes API server as an upstream service.

The improved setup allows the API server to benefit from the Pomerium difference.

Fine-grained access control

Pomerium improves upon Kubernetes’ native RBAC controls with more fine-grained access controls.

Instead, companies can set up groups with restricted permissions in Pomerium and assign users to these groups to achieve Privileged Access Management-style access controls for all users, not just super users.

Roles and permissions can be over-permissive and result in privilege abuse or escalation. OIDC providers may not provide group claims, requiring manual mappings to RBAC roles and permissions.

Continuous verification

Pomerium enforces authentication, authorization, and context-awareness on each individual request.

Tunneling solutions are limited to enforcing those same checks at the start of a session. Pomerium can deny or shut down the next incoming request if it doesn’t comply with the company’s security

Limits lateral movement

The Pomerium proxy knows which cluster a user should have access to. It does not grant access to any other clusters.

The bastion host only functions as a hub for facilitating access and does not do authorization checks on said access. As a result, users able to reach the bastion host have unlimited access to each cluster.

Monitoring

Pomerium provides comprehensive audit logs as a result of verifying each individual user action.

Some companies utilize session recording, which is inherently problematic to search through. Conversely, Pomerium’s logs are simple to search through and tagged for easy audits.

While Kubernetes supports native audit logging, it has practical challenges in certain cloud ecosystems where the tooling is limited. Additionally, cross-cluster and cross-service audit trails must be manually stitched together by practitioners.

Further integration with 3rd-party tools

Pomerium allows for easy integration with other tools such as identity providers, mobile device management, and more.

Offloading that burden to Pomerium enables teams to easily add critical integrations to their Kubernetes API without needing to conjure up complicated.

Kubernetes offers limited native support for third-party integrations, making it difficult for companies to achieve the correct level of access control they want.

Consolidate, simplify, and
modernize your access solution

Developers can add Pomerium's access control and deploy to production with full confidence that the company's security policies are being enforced. 

Try Pomerium Today

Company

About Privacy Policy Terms of Service

Quicklinks

Comparisons Integrations Customer Stories Resources Docs

Stay Connected

Stay up to date with Pomerium news and announcements.

Pomerium logo
© 2024 Pomerium. All rights reserved