Make Kubernetes more secure with HashiCorp Vault

2/8/19, 3:00 PM - 2/8/19, 3:45 PM
  • Cloud-Native Microservice Security HashiCorp Vault
Workshop Room 020

Björn Wenzel, Schenker AG

Abstract:

Kubernetes is the de facto standard for container solutions; companies like VMware [1] or IBM [2] are currently acquiring companies and startups that are building their business around Kubernetes.

But Kubernetes is not only modern and cool; it is also a component that must be secured against attacks and unauthorized access. Companies like Tesla learned the hard way that this sometimes fails. [3]

Adding security does not make Kubernetes completely secure, so I think a lot of time must still be spent on security. But tools like HashiCorp Vault can help to secure some parts of Kubernetes.

In a few steps, for example, you can secure access to your Kubernetes cluster with Vault's PKI mount point. You then generate short-lived certificates to access your cluster; if your computer is attacked, whoever takes the certificate gets only one that has already expired and no longer grants access to Kubernetes.

Another option is to let HashiCorp Vault secure the generation of certificates for the nodes. For this, HashiCorp Vault provides a secure authentication endpoint for the main cloud providers such as AWS, Azure, etc. Newly started instances can then generate their own certificates, and if a node is attacked, its certificates can be revoked.

And if you have secrets that applications running as containers in a Kubernetes cluster need to access, you probably want a secure way to store and retrieve them. Here HashiCorp Vault can help too, with secure ServiceAccount-based authentication and open-source tools like Vault-CRD. [4]
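The short-lived client certificate flow described above, as an added shell example that is not part of the talk and not HashiCorp's own tooling: an operator mounts a PKI engine whose max TTL caps every certificate it issues, and a user then issues a one-hour certificate and wraps it in a kubeconfig. The mount path `pki-k8s`, role `kube-user`, group `developers` and the `VAULT_ADDR`/`VAULT_TOKEN` environment are assumptions, and the API server is assumed to trust the mount's CA through its `--client-ca-file` bundle.

```shell
# Added example, not the talk's code. Assumes VAULT_ADDR/VAULT_TOKEN are set and
# that the mount's CA (vault read -field=certificate pki-k8s/cert/ca) is in the
# API server's --client-ca-file bundle. Mount, role and group names are assumed.
set -eu
PKI_MOUNT="${PKI_MOUNT:-pki-k8s}"   # assumed mount path
PKI_ROLE="${PKI_ROLE:-kube-user}"   # assumed role name
MAX_TTL="${MAX_TTL:-8h}"            # hard cap on the lifetime of any issued cert
b64() { base64 | tr -d '\n'; }

# Operator, once. The mount's max lease TTL caps every cert it issues; the role
# only issues client-auth certs. Kubernetes maps CN -> user and O -> group, so
# "organization" decides which RBAC bindings a Vault-issued identity gets.
setup_pki() {
  vault secrets enable -path="$PKI_MOUNT" pki
  vault secrets tune -max-lease-ttl="$MAX_TTL" "$PKI_MOUNT"
  vault write "$PKI_MOUNT/root/generate/internal" common_name=kube-client-ca ttl=87600h
  vault write "$PKI_MOUNT/roles/$PKI_ROLE" allow_any_name=true organization=developers \
    server_flag=false client_flag=true ttl=1h max_ttl="$MAX_TTL"
}

# Pure helper: kubeconfig YAML from cluster name, API URL, CA file, cert PEM, key PEM.
render_kubeconfig() {
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: $1
  cluster:
    server: $2
    certificate-authority-data: $(b64 < "$3")
users:
- name: vault-short-lived
  user:
    client-certificate-data: $(printf '%s' "$4" | b64)
    client-key-data: $(printf '%s' "$5" | b64)
contexts:
- name: $1
  context: {cluster: $1, user: vault-short-lived}
current-context: $1
EOF
}

# User: issue a cert that expires after one hour and wrap it in a kubeconfig.
# Usage: issue_kubeconfig alice prod https://10.0.0.1:6443 ca.crt > kubeconfig.yaml
issue_kubeconfig() {
  issued=$(vault write -format=json "$PKI_MOUNT/issue/$PKI_ROLE" common_name="$1" ttl=1h)
  render_kubeconfig "$2" "$3" "$4" \
    "$(printf '%s' "$issued" | jq -r .data.certificate)" \
    "$(printf '%s' "$issued" | jq -r .data.private_key)"
}
```

Note that kube-apiserver does not consult a CRL for client certificates, so for a stolen kubeconfig the short TTL, not Vault-side revocation, is what actually limits the damage.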


Björn's Bio:

Björn is part of a DevOps team at Schenker AG and is responsible for the development and maintenance of several Kubernetes clusters. For 2 years we have been migrating applications from some of our own data centers into the AWS cloud, and 90% of them have also been migrated to Kubernetes.

Björn writes a small blog [5] about his experience with Kubernetes and DevOps.

[1] https://blog.heptio.com/heptio-will-be-joining-forces-with-vmware-on-a-shared-cloud-native-mission-b01225b1bc9e