Securing AKS applications

Building and deploying serverless applications has become a commodity in today’s cloud landscape. There are plenty of architectural patterns to choose from when designing software. When it comes to choosing a pattern that scales well, is portable between platforms, and is widely adopted, Kubernetes is a popular choice for orchestrating containerised applications. This will be at the core of my Academy Master’s Program (AMP) project.

Who am I?

My name is Silvan Zeller and I have been working at Omegapoint for almost five years now. After writing my master’s thesis here I completed the APP trainee program within information security and have worked on a variety of different projects since then. I have worked with privileged account management for different customers and then went over to assist in developing a serverless application for a customer in the fintech sector. As of now, I am a part of a team at Omegapoint responsible for developing a Kubernetes platform for a private cloud solution. With that said, I believe it might be time to delve deeper into the technical details.

About Kubernetes

Kubernetes is a framework originally developed at Google that manages services and workloads, covering everything from scheduling and scaling to networking, supervision, and administration. Organizations can choose to set up a self-hosted platform or run on a managed platform. Each of the established cloud service providers (Azure, AWS, Google Cloud, etc.) provides a Platform-as-a-Service (PaaS) offering for Kubernetes workloads. Maintaining such a platform requires substantial effort, and under the shared responsibility model part of the security burden can be offloaded to the cloud service provider of choice by choosing a PaaS deployment model.

Shared responsibility model according to Microsoft

My Goals

In my AMP project I am attempting to shed light on the question of how one goes about securing applications that run on a managed Kubernetes platform. More specifically, I chose to investigate concrete measures to take on Microsoft’s Azure Kubernetes Platform (AKS). There are a lot of security and hardening guidelines available online, such as Azure’s security guidelines, tutorials on Kubernetes, or the OWASP Kubernetes Top 10. However, these guidelines are sometimes a bit vague or only cover a specific security aspect. I believe that a compilation of concrete security measures would come in handy. In my work, I will provide practical and applicable security guidelines using a simple example application, covering the following aspects:

  • Securing cluster ingress to applications

  • Securing egress from cluster to external services

  • Access control to the Kubernetes cluster

  • Container / pod security

  • CI/CD pipeline security

  • Logging and monitoring

My goal is to provide a blueprint for architects, security experts, and developers to use when designing and developing applications. So far, I have produced a tutorial on securing ingress to applications using Application Gateway and held a presentation on that topic during this year’s OPIgnite Peer-to-Peer conference, one of Omegapoint’s internal conferences, which is aimed at experts within Azure.

Ingress to AKS with Application Gateway and Ingress Controller with Azure Key Vault

I am publishing all tutorials on Omegapoint’s private GitHub account, where they can be found in the secure-kubernetes-aks repository, and will continue to hold workshops and presentations on competence days as well as at our internal conferences. As the coverage increases, I will publish the lessons learned as a course on Omegapoint’s Learning Management System (LMS), with the hope of enabling a better security posture for Kubernetes applications running on AKS and further improving my knowledge of Kubernetes, AKS, and their security along the way.

Luckily, I am not on my own in this endeavor. My colleague Olle Mulmo is my mentor in this project and is helping me with all his experience within cloud and security.
