Today we are announcing a series of enhancements to our existing Kubernetes solution within Banyan – one-click Kubernetes API access, OIDC authentication, and role-based access controls for specific API actions. When managing Kubernetes clusters, the Kubernetes API essentially becomes the front door into all of an organization’s infrastructure. With our latest release, developers can now be given one-click access to Kubernetes clusters across managed and hosted deployments while IT can sleep peacefully knowing that the organization’s security posture has been elevated. Let’s dive deeper…

Protecting the Kubernetes API in today’s world

As Kubernetes adoption continues to increase, organizations are looking for the right tools to protect cloud-native infrastructure, regardless of location. Accessing the Kubernetes API is most commonly done via the Kubernetes command-line tool, kubectl, which becomes a prime entry point for attackers.

So how are organizations currently protecting access to specific Kubernetes APIs?

This is commonly achieved by ensuring the API server is locked down at the network level to only allow access from a single source IP and by requiring a VPNC client on each device connecting to multiple VPN gateways. Every major cloud provider also has their own identity provider that is used for API server authentication.

Here are some of the many challenges organizations face with this model as they strive to get to a state of Zero Trust:

  • Significant management overhead to extend K8s authentication and authorization to work with the enterprise IDP:
    • Managed offerings (AWS, GKE, DigitalOcean, etc.) usually require using the cloud provider’s native IDP for Kubernetes access, including setting up all new RBAC policies
    • Hosted distributions allow configuring the cluster to integrate with an organization’s existing IDP, though it’s cumbersome to set up and the KubeConfig files for authentication typically need to be distributed manually
  • Setting up and maintaining role-based access controls is a burden
  • Supporting both managed and hosted Kubernetes requires modifying the API server to use environment-specific authentication settings
  • Unable to ensure that device security posture is factored into access decisions

Modern applications need modern approaches to secure access

Cloud-native workloads are lightweight, elastic, and increasingly managed by Kubernetes services such as Anthos, OpenShift, and Rancher. If clusters can be managed across multiple clouds and on-premises, then we believe secure access to these clusters shouldn’t be dependent on location either!

Kubernetes blog diagram 2

Customers leveraging Banyan to secure Kubernetes API access have been able to improve developer satisfaction and productivity by reducing the labyrinth of steps to access each host, server, and app down to a one-click access experience. From an admin’s perspective, they are no longer managing multiple identity tools and can leverage short-lived certificates to ensure developers have the right permissions and are using protected endpoint devices before interacting with the organization’s Kubernetes environments.

See Banyan in Action

As you may have heard, we love dogfooding here at Banyan Security. We have been using our product to protect Kubernetes API access for our own developers to reap the same benefits we preach!

Let’s see what this could look like for your organization:

With a single click of the “Connect” button, we are able to:

  • Leverage a short-lived X.509 certificate obtained by IDP authentication to set up a secure MTLS tunnel with the access proxy
  • Leverage Banyan’s OIDC capabilities to issue a JWT token used to authenticate with the K8s cluster
  • Validate the user’s roles and TrustScore service policies configured via the Banyan Command Center
  • Create a new kubeconfig file with the appropriate cluster details

Getting Started Today with Zero Trust for K8s API

All of the functionality discussed above is available today. To enable one-click Kubernetes API access for your development teams, simply log into the Banyan Command Center, register a new Service type of “Kubernetes”. Let us know what you think! Or better still, reach out and let us demo it for you.