Securing AWS EKS with Calico and Kube2iam

August 13 2018

As containerized orchestration management solutions have matured due to the needs of businesses deploying their solutions to Cloud platforms, feature-rich Kubernetes has stood out against the competition due to its ability to manage complex deployments without much overhead and has became de-facto industry standard.  Until recently, many companies vying to get Kubernetes deployed in their AWS solutions have sometimes experienced challenges in the deployment and maintenance of the Kubernetes clusters. In June, 2018, AWS introduced a Kubernetes-specific service called AWS EKS (Amazon Elastic Container Service for Kubernetes), the first AWS managed Kubernetes solution under the AWS umbrella.

Although this initial implementation has proven quite successful and was lauded by developers who rely on AWS for their operations, it still does not allow for an easy integration or management by AWS security management toolsets.  Because of this challenge, ClearScale, an AWS Premier Consulting Partner, recently worked with a security-conscious client to overcome this issue by leveraging multiple third-party solutions that would allow for a robust security policy management implementation.

The Challenge

The client was very aware of how potential security breaches could expose their customer information which, as many high-profile instances in the news have shown over the last few years, can be damaging for their core business.

With a very large customer base, the need to migrate to the Cloud was overshadowed by the fact that the client absolutely required the security of customer data to be better than what they had previously.

For both the client and ClearScale, implementing their overall solution using the newly launched AWS EKS service was the ideal approach.  However, there still existed a gap in how security of the Kubernetes containers was lacking compared to other AWS services. The traditional tools readily available in AWS for developers to use and enact security protocols did not extend to AWS EKS; although it is likely this deficiency will be remediated by AWS at some point in the future, the client could not wait for that to be introduced.

The Solution

After extensive research, ClearScale has determined that the best approach to filling this gap was to rely on third party and open-source software solutions. The list was narrowed down to four key solutions which, when combined together, offered the robust security the client mandated.

Heptio – With close integration with Kubernetes, Heptio was chosen so that it would handle the AWS Identity Access Management (IAM) authorized users and assign them role-based access controls inside of the AWS EKS clusters.

Heptio Diagram alt

Diagram Source: Amazon Blog, Deplying Heptio

Calico – Project Calico aims to provide robust security solutions for modern containerized implementations.  As such, ClearScale chose to leverage the Network Policy Engine feature because it allowed network isolation and segmentation inside of the Kubernetes clusters and similar to what AWS Security Groups accomplishes.

Kube2IAM – Because of how AWS EKS manages the individual Kubernetes Pods, they initially all receive the same permission set assigned by the IAM role associated to the EC2 instance it runs on.  Since our client required a more granular permission set for each Kubernetes Pod, Kube2IAM was implemented to allow each Pod access through individually assigned IAM roles.

CNI Plugin – The open-sourced project Amazon Virtual Private Cloud (VPC) Container Networking Interface (CNI) plugin for Kubernetes allowed ClearScale to assign the “real” IP Address to the Kubernetes Pods from the VPC network.

CNI Plugin Diagram alt

Diagram Source: Amazon Blog, Networking Foundation for EKS

The Benefits

Using these four third-party solutions allowed ClearScale to deliver a robust, tightly-controlled security environment across both AWS and the Kubernetes pods.  Because the Kubernetes Pods are now isolated from one another inside of the EC2 instance, even if one of the Pods were attacked or compromised, the remaining Pods would remain safe because of the security isolation due to each Pod having its own set of permissions.  The CNI Plugin provided Kubernetes Pods with optimal performance similar to that of EC2 ENIs (Elastic Network Interfaces). Finally, thanks to Heptio, the AWS EKS deployment was tightly integrated with AWS IAM roles and users providing a full end-to-end security solution for the client.

ClearScale’s process of understanding and documenting customer requirements and breaking down the most complex challenges and needs into substantive, actionable areas of focus has allowed us to consistently be recognized by AWS as being a knowledgeable and trusted partner. ClearScale’s solutions are designed to address clients’ immediate operational concerns, but with an eye towards future growth and needs so that the client will be set up for success for the long-term.

Get in touch today to speak with a Cloud expert and discuss how we can help:

Call us at 1-800-591-0442
Send us an email: sales@clearscale.net
Fill out a Contact Form
Read our Customer Case Studies

San Francisco

Headquarters

71 Stevenson St.

Suite 400

San Francisco, CA 94105

O: 1-800-591-0442

F: 1-415-655-6601

San Jose

5450 Thornwood Dr

Suite #L

San Jose, CA 95123

Denver

1400 16th Street,

Suite 400

Denver, CO 80202

O: 1-720-932-8028

Phoenix

2942 N 24th Street,

Suite 114

Phoenix, AZ 85016

O: 1-602-560-1198

New York

165 Broadway, 23rd Floor

New York City, NY 10006

O: 1-646-759-3656

Houston

11757 Katy Freeway

Suite 1300

Houston, Texas 77079

O: 1-281-854-2088

Toronto

100 King Street West

Suite 5600

Toronto, Ontario, M5X 1C9

O: 1-416-479-5447

About Us  |  Careers  |  Privacy Policy
@ Subscribe
Share