What You Define is What You Deploy

Trusting Kubernetes Cluster in the Cloud

Cowritten by Harshal

  1. Provider managed: the Kubernetes control plane is owned by the provider and the nodes are owned by the customer.
  1. No unauthorised modification to the application specification (Pod or Deployment YAML).
  2. Kubernetes secrets are not read by unauthorised entities in a provider-managed deployment.
  3. Mitigate security issues resulting from a compromised control plane, such as unintended access to secrets or modification of the application specification.
  4. Protect data-in-use on a compromised node.
  1. Increased isolation.
  2. No change to application code, unlike process-based TEEs.
  1. Securing the application specification and preventing unauthorised modification.
  2. Securing application secrets from the control plane.
  3. No change to the application deployment workflow.
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx
  namespace: default
  name: nginx
spec:
  containers:
  - image: nginx:latest
    imagePullPolicy: IfNotPresent
    name: nginx
    ports:
    - containerPort: 80
      protocol: TCP
---
apiVersion: v1
data:
  nginx: |
    spec:
      containers:
      - image: nginx:latest
        imagePullPolicy: IfNotPresent
        name: nginx
        ports:
        - containerPort: 80
          protocol: TCP
kind: ConfigMap
metadata:
  name: configmap-nginx
---
apiVersion: v1
data:
  nginx: 6qvygg8md7bXfyX3Y9cpZxUp4eZA0kKmWBirrpJv/WEGkrdLYrdtqxdqm4cGLG4++06d2iGTaB+5SDjjDwf05T+9a2iUAdHmRngHcQNAzkKK2RCnR4Zkt0cXDaEP+w5mbugH0xdqGm8SoX4IgvWGi2toq1CUcc8OmgTX42g0NruTZbrNv5NccyS7+kR7Iib6vaMI24E=
kind: ConfigMap
metadata:
  name: secure-configmap-nginx
---
apiVersion: securecontainers.k8s.io/v1alpha1
kind: SecureContainer
metadata:
  name: secure-nginx
object:
  apiVersion: v1
  kind: Pod
  metadata:
    labels:
      app: nginx
    name: nginx
  spec:
    containers:
    - image: sc-scratch:latest
      imagePullPolicy: IfNotPresent
      name: nginx
      ports:
      - containerPort: 80
        protocol: TCP
      resources: {}
      volumeMounts:
      - mountPath: /etc/raksh
        name: secure-volume-nginx
        readOnly: true
    volumes:
    - configMap:
        items:
        - key: nginx
          path: raksh.properties
        name: secure-configmap-nginx
      name: secure-volume-nginx
spec:
  SecureContainerImageRef:
    name: nginx-securecontainerimage
  1. Inside the Kata VM, the Kata agent decrypts the ConfigMap (mounted as a volume at /etc/raksh).
  2. The Kata agent provisions the container according to the decrypted ConfigMap.
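The seal-and-open step behind the encrypted ConfigMap and the two agent bullets above, written as an added Go example; this is not Raksh's own code. It assumes AES-256-GCM and a key provisioned to the Kata agent out of band, since the page does not state which cipher or key distribution Raksh uses; the point it shows is that the control plane, holding no key, can neither read the spec nor alter it without the agent refusing to provision.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// NewSealer builds AES-GCM over a 32-byte key. Assumption for this example: the key is
// provisioned to the Kata agent out of band and is never held by the control plane.
func NewSealer(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealSpec (author side): the extracted pod spec becomes base64 ciphertext, the form the
// data field of the page's secure-configmap-nginx carries. The nonce is prepended.
func SealSpec(gcm cipher.AEAD, spec string) (string, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, []byte(spec), nil)), nil
}

// OpenSpec (agent side, inside the Kata VM): decrypt what was mounted under /etc/raksh
// and refuse to provision when the GCM tag fails, which any edit to the ConfigMap causes.
func OpenSpec(gcm cipher.AEAD, b64 string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	if n := gcm.NonceSize(); len(ct) >= n {
		if pt, err := gcm.Open(nil, ct[:n], ct[n:], nil); err == nil {
			return string(pt), nil
		}
	}
	return "", fmt.Errorf("sealed spec rejected, not provisioning")
}

func main() {
	gcm, _ := NewSealer(make([]byte, 32)) // constructed all-zero demo key, not for real use
	sealed, _ := SealSpec(gcm, "spec:\n  containers:\n  - image: nginx:latest\n")
	spec, err := OpenSpec(gcm, sealed)
	fmt.Printf("sealed: %s\nopened: %q err=%v\n", sealed, spec, err)
}
```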