The CNCF 2023 Annual Survey highlighted that 84% of organizations are using or evaluating Kubernetes in their Production Software Pipelines (up from 81% in 2022). It is clear that Kubernetes has become the de-facto operating system for organizations to deploy their software applications into production.
With an ever increasing userbase means more company data being involved, and with the confidential nature of company data and communications, managing security for Kubernetes has become a major concern for organizations. With 67% of respondents of RedHat’s State of Kubernetes Report 2024 stating their Kubernetes deployments have been delayed for security reasons.
With the rise of Microservices’ architecture, Public Key Infrastructure (PKI) has come to play a critical role in ensuring secure communication through encryption, authentication and authorisation throughout the DevOps pipeline. Key vulnerabilities that need to be addressed in these security measures can include:
- Client certificates for the kubelet to authenticate to the API server;
- Kubelet server certificates for the API server to talk to the kubelets,
- Server certificate for the API server endpoint,
- Client certificates for administrators of the cluster to authenticate to the API server,
- Client certificates for the API server to talk to the kubelets,
- Client certificate for the API server to talk to etcd,
- Client certificate/kubeconfig for the controller manager to talk to the API server,
- Client certificate/kubeconfig for the scheduler to talk to the API server,
- Client and server certificates for the front-proxy
In this blog, we will explore the significance of securing pod-to-pod communications in Kubernetes environments, and how implementing TLS provides that extra layer of protection needed.
What is a Pod And Why Are They Used?
In containerized applications and orchestration platforms like Kubernetes, a ‘Pod’ represents a group of one or more containers that have a shared network or host, allowing them to communicate with one another. Containers operating in a pod work together to share resources and perform specific tasks.
Orchestration platforms like Kubernetes are crucial for pod management. Kubernetes allows developers to automate the deployment, scaling, and management of containerized applications, ensuring workflows continue to run efficiently.
How Pod-to-Pod Communication is Secured
Securing pod-to-pod communication with TLS and mTLS implements an encryption process using X.509 certificates. mTLS certificates implements a two-way authentication and encryption process for enhanced security. These certificates are stored as Kubernetes secrets which ensures sensitive information is securely managed within a cluster. mTLS security is essential to fortifying containerised environments and enhancing the security posture of microservices architecture.
Why Pods Need Securing
Securing pods and pod-to-pod communication within containerized environments is necessary for protecting sensitive applications and reducing the risk of malicious attacks or data breaches. Pod security protects enterprises and enables a variety of improvement and assurances in a workflow:
- Data Confidentiality – TLS certificates promote data integrity and prevent any unauthorised access through encryption. This secure communication is especially important for environments handling sensitive data, such as financial transactions or healthcare records.
- Isolation and Multi-Tenancy – When multiple pods are working in a shared environment and sharing the same cluster, it runs the risk of any compromised pod affecting another pod in the cluster. mTLS ensures the security of multi-tenant deployments.
- Authentication – Securing pods with TLS ensure pods only communicate with authorised entities, reducing the risk of malicious attacks resulting in unauthorised access.
- Enforcing Security Posture – Pod security is paramount to successful code development, and mTLS enables a security policy which sets baseline security requirements for all pods across a Kubernetes cluster.
- Compliance Requirements – Pod security ensures organisations meet compliance standards, preventing data breaches and outages in highly regulated industries.
- Improved Performance – In addition to the security benefits of a TLS, they can also offer performance enhancements including faster ‘handshake’ times, ideal for high traffic Kubernetes environments.
What is mTLS And Why is it Important?
mTLS, or Mutual Transport Security Layer, is an expansion of a standard TLS protocol that requires mutual authentication between a client and a server to establish a secure connection. This additional step enhances the security of the communication between these parties as it ensures that both the client and the server are who they claim to be.
mTLS enables the following:
- Data Encryption - especially in microservices architectures to secure service-to-service communications.
- Zero trust architecture - with every communication being authenticated.
- Application to various communication protocols – meaning it's not limited to web-based applications
Because of these features, mTLS is widely used to secure sensitive communications which are prevalent in cloud-native and microservices-based environments.
Securing Kubernetes Environments with GlobalSign’s Cert-manager Issuer
GlobalSign’s Cert-manager Issuer for Kubernetes enables developers to secure their Kubernetes environments using trusted TLS certificates. By leveraging cert-managers capabilities, GlobalSign’s Atlas Issuer streamlines the process of generating and deploying X.509 certificates for your security needs in Kubernetes, delivering trusted certificates quickly and easily as you request them.
