
Kubernetes 1.8 goes GA with RBAC, but security work remains

Production-ready role-based access control in Kubernetes is an important milestone for security-conscious IT shops, but other security features remain works in progress.

RBAC is now fit for production in Kubernetes 1.8, but enterprises continue to wait for other security tools to arrive.

Kubernetes 1.8, released in the last week of September as part of the container orchestration platform's regular quarterly release cycle, promotes role-based access control (RBAC) to general availability from the beta status it held in Kubernetes 1.7. This means the feature has passed stability tests, the API has graduated to a stable v1 version (rbac.authorization.k8s.io/v1), developers have removed deprecated alpha remnants to clean up its code, and the community expects no more breaking changes to the Kubernetes RBAC API.

This is welcome news to IT pros who were eager to see Kubernetes security features mature after the 1.7 release.

Kairos AR Inc., a provider of human facial recognition and analytics for developers in Miami, just upgraded its container orchestration environment to Kubernetes 1.7 and the beta version of Kubernetes RBAC, and is implementing RBAC in its new cluster, said Cole Calistra, the firm's CTO. "That means we can control access using certificates instead of leaving the cluster open to anyone who has access to our VPN," he said.

Kubernetes RBAC also means the company's Jenkins server can access the Kubernetes API without the need to distribute API credentials to the entire Jenkins pod, Calistra said. Kairos' new cluster uses Kubernetes operations (kops) for cluster management and Helm for application deployment instead of HashiCorp Terraform and Red Hat Ansible, and these native Kubernetes tools will make it easier to upgrade to Kubernetes 1.8.
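The two uses Calistra describes, certificate-authenticated users and a Jenkins workload that talks to the API with its own identity, map onto RBAC objects as in the following added example. These manifests are written for this article and are not Kairos' configuration or part of the Kubernetes project; the namespace name `ci`, the `jenkins` ServiceAccount, the `developers` group and the verb list the Jenkins agent needs are assumptions chosen to illustrate least-privilege bindings.

```yaml
# Added example: least-privilege RBAC for a CI runner and a developer group.
# Assumed names: namespace "ci", ServiceAccount "jenkins", group "developers".
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins
  namespace: ci
---
# A namespaced Role: the Jenkins agent launcher needs to manage pods in "ci"
# and nothing else. No access to secrets, no access to other namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: jenkins-agent-runner
  namespace: ci
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch", "create", "delete"]
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get"]
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create"]
---
# Bind the Role to the ServiceAccount. A pod that sets
# "serviceAccountName: jenkins" gets a token mounted at
# /var/run/secrets/kubernetes.io/serviceaccount/token, so no admin
# kubeconfig has to be copied into the pod.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: jenkins-agent-runner
  namespace: ci
subjects:
- kind: ServiceAccount
  name: jenkins
  namespace: ci
roleRef:
  kind: Role
  name: jenkins-agent-runner
  apiGroup: rbac.authorization.k8s.io
---
# Certificate users: with client-certificate authentication, the API server
# takes the user name from the certificate's CN and group names from its O
# fields. A certificate issued with O=developers lands in this binding and
# gets the built-in read-only "view" ClusterRole, here limited to "ci".
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: developers-view
  namespace: ci
subjects:
- kind: Group
  name: developers
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
```

Apply the file with `kubectl apply -f`, then check the result the way a reviewer would, using impersonation: `kubectl auth can-i create pods -n ci --as system:serviceaccount:ci:jenkins` should answer `yes`, while `kubectl auth can-i list secrets -n kube-system --as system:serviceaccount:ci:jenkins` should answer `no`. The `view` ClusterRole deliberately excludes secrets, which is why it is the right starting point for a read-only developer group; a cluster-wide grant would use a ClusterRoleBinding instead, and is worth a second look before it is committed.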

Role-based access control

Calistra would also like to see native Kubernetes Lightweight Directory Access Protocol (LDAP) support for user authentication. So far, Kubernetes developers at Apprenda have built a webhook-based authentication integration for LDAP, but it remains in the early stages of development, according to its GitHub page. Kubernetes documentation says that "normal users are to be managed by an outside, independent service."

Still, native Kubernetes features have begun to standardize and mature in other areas such as DNS, Calistra said, and he wants LDAP integration to become part of the platform too. The Kubernetes roadmap will expand other in-demand security features, such as the encryption of secrets at rest in etcd, which remains in alpha with Kubernetes 1.8. Kubernetes developers from Google and Microsoft told SearchITOperations they expect Kubernetes 1.9 to offer integration with third-party key management systems.
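What the alpha encryption-at-rest feature looks like in practice, and why key management integration is the missing piece, is shown in the following added configuration. It is an illustration written for this article, not a file from the Kubernetes project or from any company quoted here; the file path, key name and the 32-byte key placeholder are assumptions.

```yaml
# Added example: API server encryption provider config as used by the
# alpha feature in Kubernetes 1.7/1.8. Assumed location:
# /etc/kubernetes/encryption.yaml on each control-plane node, passed to
# kube-apiserver with --experimental-encryption-provider-config=<path>.
kind: EncryptionConfig
apiVersion: v1
resources:
- resources:
  - secrets            # only the Secret resource type is encrypted
  providers:
  # Provider order matters: the first provider encrypts new writes,
  # every listed provider is tried when reading. aescbc uses AES-CBC
  # with PKCS#7 padding; the key must be 16, 24 or 32 random bytes.
  - aescbc:
      keys:
      - name: key1
        secret: "<base64 of 32 random bytes, e.g. head -c 32 /dev/urandom | base64>"
  # identity is the no-op provider. Keeping it last lets the API server
  # still read Secrets that were written before encryption was enabled;
  # it must never be listed first, or new Secrets are stored in plain text.
  - identity: {}
```

Enabling the file only affects Secrets written afterwards, so existing ones are rewritten in place with `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`; reading a key straight out of etcd with `etcdctl get /registry/secrets/<namespace>/<name>` should then show the `k8s:enc:aescbc:v1:key1:` prefix instead of the plaintext data. The caveat a practitioner will notice immediately is that the key sits in a file on the same host as the API server, readable by anyone with root there, which is the gap the KMS integration mentioned above is meant to close.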

Kubernetes RBAC may lead native feature expansion

There's not much debate anymore about whether Kubernetes has captured the lead in the container orchestration market. Instead, industry watchers wonder how far Kubernetes will go to expand its native features, and how that will affect other companies, particularly container security specialists.


"For container security vendors, the question is how many are going to get involved with Kubernetes, and how many are going to be competing with Kubernetes?" said Jay Lyman, an analyst at 451 Research in New York. "It's clear Kubernetes is addressing mainstream IT beyond developers and technologists with these features."

Kubernetes developers have previously dismissed suggestions to expand the platform beyond container orchestration, such as with an open source CI/CD system that would compete with Netflix's Spinnaker. But custom resource definitions, introduced in the 1.7 release, let new resource types be defined outside the core Kubernetes codebase and steered by working groups and special interest groups that could take Kubernetes development in new directions.

Red Hat, for example, leads a resource management working group that introduced an experimental alpha feature in Kubernetes 1.8 to detect the characteristics of node hardware, such as GPUs or NUMA support. When fully developed, this could push Kubernetes further into custom management of specialized workloads.

Calistra said he would welcome specialized workload management as a native feature in Kubernetes. His company places apps manually into a separate cluster built on GPU servers, and "it would be nice to have Kubernetes just know where they are and schedule things accordingly," he said.

Beth Pariseau is senior news writer for TechTarget's Data Center and Virtualization Media Group. Write to her at [email protected] or follow @PariseauTT on Twitter.
