Is authentication required on RESTful services interacting with each other on a Kubernetes cluster?

8/19/2018

We have a microservice architecture and there are REST services interacting with each other through HTTP. All of these services are hosted on a Kubernetes cluster. Do we need to have explicit authentication for such service interaction or does Kubernetes provide enough security for it?

-- user1874915
kubernetes
kubernetes-security

2 Answers

8/20/2018

Kubernetes provides only orchestration for your containerized applications. It helps you to run, update, scale your services and provides a way of delivering traffic to them inside the cluster. Most of the Kubernetes security relates to traffic management and role-based administration of the cluster.

Some additional tools like Istio can provide you with secure communication between pods and some other traffic management capabilities.

Applications in pods should have their own capabilities of providing Authentication and Authorization based on local files/databases or network services like LDAP or OpenID etc.

-- VAS
Source: StackOverflow

8/19/2018

It's purely based on how you design and architect, and how you create an SDD for your system. While designing one, security hardening must be considered and given priority. The software and tools bring their features, but how you adopt them is important. Kubernetes is no exception.

You are running your micro-services using HTTP, and in a production system you cannot believe that your system is secure even if it's running in a Kubernetes cluster. Kubernetes brings cool features from a security perspective, such as RBAC, CRD, etc., as you can find here: Kubernetes 1.8 Security, Workloads and Feature Depth. But still, leveraging only these features is not sufficient. The internal services should be as secure as the external ones. The following are a few things you should take care of once you are running your workload in a Kubernetes cluster:

  1. Scan all your Docker images for vulnerability testing.
  2. Use RBAC over ABAC and assign optimum privileges to respective teams.
  3. Configure a security context for a pod running your service.
  4. Avoid unauthorized internal access to service data and protect all micro-services end-points.
  5. Encryption keys should be rotated over a certain period of time.
  6. The datastore like etcd for your Kubernetes cluster must be secured.
  7. Only admin should have access to kubectl.
  8. Use token-based validation and enable authentication on all REST API calls.
  9. Continuous monitoring of all the services, logs for analysis, health-check, all the processes running inside containers.

Hope this helps.

-- mohan08p
Source: StackOverflow
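
An added example (not part of either answer above) of the token-based validation on service-to-service REST calls that the answers recommend: the calling service mints a short-lived HS256 JWT and the receiving service verifies it before handling the request. The service names, the function names and the single shared key (assumed to reach both pods out of band, for example as a Kubernetes Secret) are assumptions for illustration; with one shared key any key holder can mint tokens for any caller name.

```python
import base64, hashlib, hmac, json, time

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def mint_token(key: bytes, caller: str, audience: str, ttl: int = 60, now=None) -> str:
    """Caller side: short-lived token naming the calling and the target service."""
    now = int(time.time() if now is None else now)
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64(json.dumps({"iss": caller, "aud": audience, "exp": now + ttl}).encode())
    return f"{header}.{claims}.{_b64(_sign(key, header + '.' + claims))}"

def verify_request(key: bytes, headers: dict, audience: str, allowed: set, now=None) -> str:
    """Receiver side: return the authenticated caller name or raise PermissionError."""
    now = int(time.time() if now is None else now)
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or token.count(".") != 2:
        raise PermissionError("missing or malformed bearer token")
    header_b64, claims_b64, sig_b64 = token.split(".")
    try:
        header = json.loads(_unb64(header_b64))
        claims = json.loads(_unb64(claims_b64))
        sig = _unb64(sig_b64)
    except ValueError:
        raise PermissionError("undecodable token")
    # Pin the algorithm: never let the token choose how it is verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise PermissionError("unexpected algorithm")
    # Constant-time comparison of the recomputed signature.
    if not hmac.compare_digest(sig, _sign(key, header_b64 + "." + claims_b64)):
        raise PermissionError("bad signature")
    if not isinstance(claims, dict) or claims.get("aud") != audience:
        raise PermissionError("token not issued for this service")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise PermissionError("token expired")
    caller = claims.get("iss")
    if not isinstance(caller, str) or caller not in allowed:
        raise PermissionError("caller not authorized")
    return caller

# Constructed sample values: hypothetical services "orders" -> "billing".
DEMO_KEY = b"constructed-demo-key-do-not-reuse"
DEMO_HEADERS = {"Authorization": "Bearer " + mint_token(DEMO_KEY, "orders", "billing")}
```

The receiver checks signature, audience, expiry and caller allow-list in that order, so a token minted for one service cannot be replayed against another.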