# Adopting Zero Trust for Kubernetes

![](https://lh3.googleusercontent.com/iuKWv9318jm46EIOjh1uauSwtGlZUBt8rZGS13l7fhI_8fuidgFQFR6JUBRff5Sjyv_yALVWP44HQeQL14Y29TdjyTXtmoGCktrzKC9RLYUwcJumfwKTA8EcNmGo7790Xix0AOkBUtf2Ic_grBzjQ0QgZ8vCXNBGg_0YxZstOm8qRRxbEYQ-AAbIWg)

A lot has changed as a result of the COVID-19 pandemic. The IT industry had to move very quickly, and working from home is now common. More than ever, businesses are putting security policies and procedures in place to protect their organization's assets.

"[Zero Trust](https://www.crowdstrike.com/cybersecurity-101/zero-trust-security/)" is a security strategy that protects a business by removing every form of implicit trust and continuously validating each stage of a digital interaction. Put simply, nothing is trusted until it has been verified: "Never Trust, Always Verify." Applying strong authentication and authorization at every layer lets an organization protect modern, changing environments while still supporting digital transformation. Zero Trust protects the network in several ways: by segmenting it, by blocking lateral movement, by offering [Layer 7 threat prevention](https://datadome.co/learning-center/ddos-layer-7-security-protection/), and by making granular "least access" policies easier to express.

Traditional security models rest on the outdated assumption that everything inside an organization's network should be implicitly trusted. Because of that implicit trust, once a user (or an attacker holding a user's credentials) is on the network, they are free to move laterally and access or exfiltrate critical data, with no granular controls to stop them.
The weaknesses of that perimeter model are what led to the Zero Trust model.

Is the Zero Trust Architecture Really Necessary?
------------------------------------------------

![](https://lh5.googleusercontent.com/66DQURZwM6JtzfozxhhtdqJNWQNI2MWK65PHhh96PxXBC-UMtkEf67GqmHfbq0DoLgaf_v4u9DFdTBrhAcyvXrjdbuF154IQcfZJH0f3nR9tB7mIeCor1QvIpSKrq-OiD0Wirj17ISjVajF3-G_2mHhjmDV9WTag749f51lbD6N1Qb_p6e04ddVV6g) [Source](https://www.sentinelone.com/blog/moving-to-a-zero-trust-security-model/)

Today a company's infrastructure includes Kubernetes, containers, and microservices. These are built from many different components, including the CI/CD infrastructure and the services that handle user requests, databases, and so on, and together they make up a significant part of the organization's infrastructure. Securing them with the Zero Trust model therefore benefits both the company and its users.

The Zero Trust model applies the same security standards to personally owned devices as to devices controlled by the organization. Company devices and those belonging to contractors, partners, and guests are treated the same way, regardless of whether the device itself is fully managed by IT or only the apps and data on it are secured. Other changes usually come with it, such as multi-factor or passwordless authentication, where a password alone is no longer enough and is supplemented or replaced by additional verification factors, for example single sign-on with two-factor authentication (SSO with 2FA) or a one-time password (OTP) delivered to the user's device.
Adopting Zero Trust for a Kubernetes Environment
----------------------------------------------

Implementing Zero Trust on Kubernetes involves several things: proper authentication (establishing who is calling the API server), authorization (what that identity is allowed to do, enforced through RBAC), admission control (validating or rejecting a request after it has been authorized, for example refusing a privileged pod), and auditing and logging so that everything can be monitored. There are many ways to approach this. Before anything else, every user must be properly authenticated and their roles verified. This can be done by hand or with a tool. In this tutorial we use [Kubescape Cloud](https://cloud.armosec.io/) by Armosec to find the weak spots in our deployed infrastructure.

![](https://lh4.googleusercontent.com/BV5umpl4vZVwjjMOo3T0yfbntmP79k2fGSRpF7WFcE4ksB2e2T_4AtR3ESuiXN5cH0PR2tSJndq5BI_zfLQ4OhW5vZoHG_jKL6lD-dR4sK39S4fncPd4shSHj8F-_BtBRDIYH5-QNuIB8sM8xAEbk9Llo2CsuMnI3ZLc8yh8MtuNaQD9okpHw8P59w)

Kubescape lets you review role-based access control, flags containers that run with high privileges, and offers a great deal more, such as image and repository scanning. So without further ado, let's see how to install and use Kubescape to work towards Zero Trust on a Kubernetes cluster.

Getting started is simple: sign up for an account, either with Google or one of the other options offered. Once the account exists, scanning the cluster takes two steps: install the Kubescape CLI on a machine with access to the cluster, then submit the scan results to the platform. Kubescape runs the scan and the cloud platform visualizes the results in a GUI. The Kubescape CLI can be installed with the following command.
```
curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash
```

Piping a downloaded script straight into a shell runs code you have not looked at. If that does not fit your own supply-chain rules, download `install.sh` first, read it, and run it afterwards, or install a pinned release instead.

With the CLI installed, we can scan the cluster and find out which controls pass and which fail; that is the baseline on which Zero Trust is built. After logging in to your account, go to Infrastructure and select 'Scan' from the drop-down menu, as shown in the screenshot below.

![](https://lh3.googleusercontent.com/1ukOEv42lorynhjK8s9WEBV4lvm80OgiuCzS-E-DtikWdrDzqTcpd4B40ZVMEpB7f6lgeOi-0ybIgPcQOChTxUMX3223zyFUBEN30jyca7QEGaGW5HBM7LkeuVi3EyrzfJAeK-xfIEEW64mwxSId5oj4zw-alvjqTw_lxRC_zY8lBYtaEu1JIlV-6A)

Clicking it offers two scanning options. The second one, in which Kubescape is installed on the infrastructure itself, is the one used here.

![](https://lh6.googleusercontent.com/ZIK0nD0idf-yEpJvTJtlngHVTGCxsDBmIKlAOJlnOszRx2cJ9V4OfsageWzfUuvbkjCreks6UcXrI7Kg8qT3cbT6ztRtLsx5cJ9hr0GP9ANAo_w0ZGfl0EiRLLL3coO5YIsQ5oMooiMsT7g5DcO2VwLzBfdjZDULCzL4BNg-fH9-b8a6QN0ljWlqcw)

Open a terminal on the machine where Kubescape was installed and run the following command, replacing `<account-id-here>` with the account ID shown in the Kubescape Cloud UI.

```
kubescape scan --submit --account=<account-id-here>
```

Kubescape then scans the whole cluster and builds a map of its posture, including every deployed component.

![](https://lh6.googleusercontent.com/_pKaMehyUoaM1Fj-seS-KeiBUjn95Hu3YvEz88Sq7DEer3FvliUHIkF9AbTHCtW-zVt4a1plUkRqeG5n1ZjgXV-c3n3gZeOoEKit_uZFJWRU03Izx7hjlIU_07lZ6wAG40sOdROBBCjch06seMQfbJHegS3DY5PI-twj3HzXiKOUR2OJwvk_cO5BeQ)

Because of the submit flag (`--submit`), the results are uploaded to Kubescape Cloud, where every finding can be searched. Clicking the link in the output opens the RBAC visualization.
![](https://lh4.googleusercontent.com/ug1yd96qswGUz5SYP_9wob0QektCe0HaZ2IpUecct6ngFGm32bzI2zEIRNoj3F5wLth5FNmzfJWwJG1d3QWTObitd38Rouh_3eXjRP5MQAJjrcYeXinL1b3HNPMaIMjKxnxQKsYfQTu06CXgBcXJkMtvEJs7yND0RTLr6dmsnQJtIjtGVA0Y1MJN7g)

The RBAC view can be filtered with ready-made queries such as "who can delete", "who can list", or "who can watch". Filtering the results this way shows which identities hold which permissions, so you can tighten authentication and authorization wherever a permission is broader than the workload needs. This is the most important rule of Zero Trust in practice: "Never Trust, Always Verify."

![](https://lh4.googleusercontent.com/ZpZiXL8y9lg7XXR8_b4eoP0yhjwfQjaTUvd9cLi8gdOu6-ue2eSG-FxBqmUVHmX3WB-LkiA8PBL2zHMEaz3iWHFCX0h_jNN5Xpm2-NXAdWtT-i9wZ_Nj77q04JzrEUbHgOljC-T57nhaiDYLIUEw8ZozWRmu1CCknNAwelaRPcWXwSHHmJnb1UkGTA)

Applying Zero Trust to the cluster then comes down to checking each component's settings: that the right authorization is in place across the whole infrastructure, that privileged containers are identified and removed or hardened, and that anything that does not meet the organization's criteria is dealt with appropriately. You can also scan the deployed infrastructure against various frameworks. There are several to choose from, and you can even define your own framework and use it as your Zero Trust rule set.

![](https://lh4.googleusercontent.com/Xa3E9xR75PJ18FepSncEa_YEu0GeqpcOrYRHfvwKOcy6enQo_iNJImDjFvRo2T_5Yp8Q4tcINFlRxdOfM07tcEYRUGx0t5XuGF2BrqWZk5I9Ut_u3YQtFLVnHsQWSHyP2r8suvH5yTGjBnFgnRGVkiMeF09_Uy1B2Ql8vVMMbrc892rL4DJJzl8VVg)

To scan against a framework, open the Frameworks tab and tick the framework you want to check compliance against.
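The "who can delete / list / watch" filters above are a query over the cluster's Roles, ClusterRoles and their bindings. The following Python is an added example, not code from the original post or from Kubescape: it answers the same question offline over a few constructed RBAC objects (plain dicts shaped like the RBAC API, with only the fields needed here), so you can see exactly what the filter has to take into account, in particular that a RoleBinding grants only in its own namespace while a ClusterRoleBinding grants cluster-wide. The role and binding names, subjects and the `wildcard_roles` helper are all this example's own assumptions; aggregated ClusterRoles, `resourceNames` and `nonResourceURLs` are deliberately not modelled.

```python
"""Offline "who can <verb> <resource>?" query over Kubernetes RBAC objects.

Added example (not code from the original post or from Kubescape). Objects are
plain dicts shaped like the RBAC API; only the fields used here are present.
Aggregated ClusterRoles, resourceNames and nonResourceURLs are not modelled.
"""

# Constructed sample roles and bindings; not taken from any real cluster.
ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"],
                "verbs": ["get", "list", "watch"]}]},
    {"kind": "Role", "metadata": {"name": "deployer", "namespace": "shop"},
     "rules": [{"apiGroups": ["apps"], "resources": ["deployments"],
                "verbs": ["create", "update", "patch", "delete"]},
               {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
]

BINDINGS = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "ci"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "sre-view"},
     "roleRef": {"kind": "ClusterRole", "name": "pod-reader"},
     "subjects": [{"kind": "Group", "name": "sre"}]},
    {"kind": "RoleBinding", "metadata": {"name": "shop-deployer", "namespace": "shop"},
     "roleRef": {"kind": "Role", "name": "deployer"},
     "subjects": [{"kind": "User", "name": "alice"}]},
]


def subject_id(subject):
    """Render a subject as Kind:[namespace/]name, e.g. ServiceAccount:ci/ci."""
    ns = subject.get("namespace")
    return f'{subject["kind"]}:{ns + "/" if ns else ""}{subject["name"]}'


def rule_allows(rule, verb, resource, api_group):
    """True if one PolicyRule covers the verb on the resource; '*' matches anything."""
    return (("*" in rule["verbs"] or verb in rule["verbs"])
            and ("*" in rule["resources"] or resource in rule["resources"])
            and ("*" in rule["apiGroups"] or api_group in rule["apiGroups"]))


def find_role(roles, role_ref, binding_namespace):
    """Resolve a binding's roleRef. A Role only matches in the binding's own namespace."""
    for role in roles:
        if role["kind"] != role_ref["kind"] or role["metadata"]["name"] != role_ref["name"]:
            continue
        if role["kind"] == "Role" and role["metadata"].get("namespace") != binding_namespace:
            continue
        return role
    return None


def who_can(verb, resource, api_group="", roles=ROLES, bindings=BINDINGS):
    """Return sorted (subject, scope) pairs allowed to perform verb on resource.

    api_group "" is the core group (pods, secrets, ...); use "apps" for deployments.
    A RoleBinding grants only inside its namespace even when it references a
    ClusterRole; a ClusterRoleBinding grants cluster-wide.
    """
    grants = set()
    for binding in bindings:
        binding_ns = binding["metadata"].get("namespace")
        role = find_role(roles, binding["roleRef"], binding_ns)
        if role is None:
            continue  # dangling roleRef grants nothing, but is worth flagging separately
        if not any(rule_allows(r, verb, resource, api_group) for r in role["rules"]):
            continue
        scope = "cluster-wide" if binding["kind"] == "ClusterRoleBinding" else f"namespace:{binding_ns}"
        for subject in binding["subjects"]:
            grants.add((subject_id(subject), scope))
    return sorted(grants)


def wildcard_roles(roles=ROLES):
    """Names of roles using a '*' verb or resource: first candidates for least-privilege cleanup."""
    return sorted(r["metadata"]["name"] for r in roles
                  if any("*" in rule["verbs"] or "*" in rule["resources"] for rule in r["rules"]))


if __name__ == "__main__":
    for verb, resource, group in [("delete", "pods", ""), ("watch", "pods", ""),
                                  ("delete", "deployments", "apps")]:
        print(f"who can {verb} {resource}:", who_can(verb, resource, group))
    print("roles using wildcards:", wildcard_roles())
```

On the constructed data, `who_can("delete", "pods")` returns only the CI service account, because it is bound to `cluster-admin`; that is exactly the kind of broad grant the filter is meant to surface, and `wildcard_roles()` points at the role behind it. Against a real cluster the same logic applies to the objects returned by `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json`.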
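The earlier remark about admission control and the "privileged containers" check above both rest on the same set of pod settings. The following Python is an added example, not code from the original post or from Kubescape: it walks a few constructed pod manifests (dicts shaped like the core/v1 Pod API) and reports, per pod, the settings that make a container high-privileged, then totals passed and failed pods the way a framework report totals its controls. The finding texts and the `HIGH_RISK_CAPS` set are this example's own choices, not Kubescape control names; the defaults it assumes (an unset `allowPrivilegeEscalation` means true, an unset `runAsNonRoot` accepts whatever user the image runs as) follow the Kubernetes API.

```python
"""Flag pods whose containers run with high privileges.

Added example (not code from the original post or from Kubescape). Finding texts
are this example's own, not Kubescape control names. Defaults follow the
Kubernetes API: unset allowPrivilegeEscalation means true; unset runAsNonRoot
means the image's user (often root) is accepted.
"""

# Capabilities that amount to root by another name; the set is this example's choice.
HIGH_RISK_CAPS = {"ALL", "SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_READ_SEARCH"}

# Constructed sample pods; not taken from any real cluster.
SAMPLE_PODS = [
    {"metadata": {"name": "debug-shell", "namespace": "ops"},
     "spec": {"hostPID": True, "hostNetwork": True,
              "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
              "containers": [{"name": "sh", "image": "busybox",
                              "securityContext": {"privileged": True}}]}},
    {"metadata": {"name": "web", "namespace": "shop"},
     "spec": {"securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
              "containers": [{"name": "nginx", "image": "nginx:1.25",
                              "securityContext": {"allowPrivilegeEscalation": False,
                                                  "capabilities": {"drop": ["ALL"]}}}]}},
    {"metadata": {"name": "collector", "namespace": "shop"},
     "spec": {"containers": [{"name": "agent", "image": "agent:2.1",
                              "securityContext": {"capabilities": {"add": ["NET_ADMIN", "SYS_ADMIN"]}}}]}},
]


def container_findings(pod_spec, container):
    """Findings for one container; container-level securityContext overrides pod-level."""
    pod_sc = pod_spec.get("securityContext") or {}
    sc = container.get("securityContext") or {}
    name = container["name"]
    findings = []
    if sc.get("privileged"):
        findings.append(f"{name}: privileged container")
    elif sc.get("allowPrivilegeEscalation", True):  # API default is true when unset
        findings.append(f"{name}: allowPrivilegeEscalation not set to false")
    if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
        findings.append(f"{name}: may run as root (runAsNonRoot not true)")
    if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
        findings.append(f"{name}: runAsUser is 0")
    added = set((sc.get("capabilities") or {}).get("add") or [])
    for cap in sorted(added & HIGH_RISK_CAPS):
        findings.append(f"{name}: adds capability {cap}")
    return findings


def pod_findings(pod):
    """All findings for a pod: host namespaces, hostPath volumes, then each container."""
    spec = pod["spec"]
    findings = [f"pod: {flag} enabled" for flag in ("hostPID", "hostNetwork", "hostIPC") if spec.get(flag)]
    for vol in spec.get("volumes") or []:
        if "hostPath" in vol:
            findings.append(f"pod: hostPath volume {vol['hostPath']['path']}")
    for container in spec.get("containers", []) + spec.get("initContainers", []):
        findings.extend(container_findings(spec, container))
    return findings


def evaluate(pods=SAMPLE_PODS):
    """Map namespace/name to its findings; an empty list means the control passed."""
    return {f'{p["metadata"]["namespace"]}/{p["metadata"]["name"]}': pod_findings(p) for p in pods}


def summary(results):
    """(passed, failed) pod counts, the way a framework report totals its controls."""
    failed = sum(1 for findings in results.values() if findings)
    return len(results) - failed, failed


if __name__ == "__main__":
    results = evaluate()
    for pod, findings in results.items():
        print(pod, "PASS" if not findings else "FAIL")
        for finding in findings:
            print("   ", finding)
    print("passed/failed:", summary(results))
```

Only `shop/web` passes: it drops all capabilities, forbids privilege escalation and runs as a fixed non-root UID. `ops/debug-shell` is the textbook privileged pod (host PID and network namespaces, the host root filesystem mounted, `privileged: true`), and `shop/collector` looks harmless until the added `SYS_ADMIN` and `NET_ADMIN` capabilities are noticed. The same checks, run in a validating admission webhook, are what turns "privileged containers are dealt with" from a report into an enforced rule.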
It shows all the controls that passed or failed for that framework.

![](https://lh4.googleusercontent.com/GKpW2pa_U0g6xD5-LXhiR6QxwiqAjqZJo6oRtbWKqFEh9YEtYGNgpLt-5FRrnb0xDTb7XmBb0PQcP0IhX9u1SRudMPdTECyjW_s4UKPgJ5GqHn4X0GbHuTrDZAwzGzNv7VXpkJ2o-bGGwIcKKHaQbpnyk5MHiWLXrQsqmbHy738v_hc-B9F_7ZwmWQ)

![](https://lh6.googleusercontent.com/r8Bxu5tMtc1urEzK9Ylx9Pp9mSrUzwhnLJU1YoVWAurtannR85ExPeG1z6OZXIJoLXDVAYW3eWH-TfuRf5-dPzzWcuaaGNWyTjAAkpy2_RPNcO_lKmTIdMm2-lS69gvIkX04Zg8ltO9jRxNaTge6zdcn1YAg6tHSzf8dBVqukE--od5hWkT5Hpz2Bw)

You can also export the list of passed and failed tests, which makes it easy for developers to apply the missing controls. These are just some of the many useful functions in Kubescape; it covers a large part of the posture work that Zero Trust requires.

Conclusion
----------

Zero Trust architecture is now a necessity for most businesses that handle confidential data and have teams across multiple locations. But Zero Trust cannot be implemented without an accurate picture of the Kubernetes architecture that has been deployed. Once you have that picture, meaning you know which identities hold which privileges, which containers run with elevated permissions, and which controls fail, you can enforce Zero Trust on those components. Having the right tooling is therefore a prerequisite for understanding the architecture well enough to secure it.