![]() Working with upstream SIGs to support the changes we’ve made to the Kubernetes components.However, we are committed to working towards a range of different goals, including: Undoubtedly, there is still a lot of work to get a wider adoption of this. Learn about confidential computing and how it applies to the Kubernetes Control Plane in managed clusters in this tutorial by our CTO, Dinesh Majrekar. The allows for pre-existing code to be run within an enclave and benefit from its built-in features, such as generating the necessary signing keys for cryptographic verification when the code is loaded. The demo uses a library OS from the Occlum project to wrap the API components. You will then see that the kubectl behaves as expected, allowing us to spin up new components. In the video tutorial below, I will demonstrate how we can secure Kubernetes API with Intel SGX by spinning up a new server using Kubeadm, then moving the API components of the controller, scheduler, and manager over into an enclave. Securing Kubernetes API with Intel SGX demo The image above compares the traditional approach of running everything within a container (on the left) and a new approach where each customer has their own API servers and controller running within individual enclaves, providing them with their own attestation capabilities (on the right). Once in an enclave we can continuously attest that the control plane components such as the kubernetes API server is the same version we initially started. What SGX allows us to do is move these components from traditional isolation solutions such as containerisation, into enclaves. By implementing enclaves, cloud providers can better ensure the security and integrity of their control planes, giving end-users greater peace of mind and confidence in their cloud services. SGX enclaves offer a solution to two significant issues that currently exist with control planes: breach vulnerability and lack of code verification. We can do this as an end-user on the system directly or remotely, which is called attestation. Not only is the data protected at runtime, but we can also externally attest that the code and config in that enclave is valid at any point. This is called an enclave and provides more security around what is running in that program. ![]() These are then given to the CPU, which creates an isolated bit of memory that only the CPU with that key has access to read and write from that area of memory. With SGX, when a piece of code starts running, a cryptographic key is created for the program and the data used to load that so any config files. SGX stands for Software Guard Extensions and allows data isolation at the CPU level. This is where technology from Intel called SGX comes into play. Unfortunately, as end-users, we often lack visibility into these issues, as the managed components are effectively a black box. In some cases, insecure components have been running within the managed clusters, leading to data breaches and other security vulnerabilities. However, recent security breaches have highlighted the risks associated with relying on almost vendor-managed components. As a result, most businesses don’t get much value from running Kubernetes themselves, resulting in a move towards managed Kubernetes clusters. Running Kubernetes and running infrastructure on top of Kubernetes are two distinct challenges. ![]() SaaS providers, in particular, have recognized the power of Kubernetes and are leveraging it to power their software under the hood. It provides a platform for automating, deploying, and scaling containerized applications, making it an essential tool for managing complex infrastructure. Kubernetes has emerged as the future of cloud computing, and its popularity has skyrocketed over the years. However, despite this shift, Kubernetes will continue to play a crucial role in the background of many cloud-based companies. Why modern security solutions are non-negotiableĪs technology advances and the demand for more efficient web solutions increases, the industry is shifting towards a no-code approach where developers and businesses can create and deploy applications with little to no coding experience. Join me as I explore the concept of confidential computing and a new use case we at Civo have been working on related to the Kubernetes control plane in managed clusters. With this being said, we must begin to pay closer attention to the security surrounding cloud computing, especially when it comes to Kubernetes. Security in the cloud has become an increasingly important topic over the years, with the move to more managed services, additional trust is being handed over to cloud providers.
0 Comments
Leave a Reply. |