Securing AWS EKS with Calico and Kube2iam

As containerized orchestration management solutions have matured due to the needs of businesses deploying their solutions to cloud platforms, feature-rich Kubernetes has stood out against the competition due to its ability to manage complex deployments without much overhead and has become the de-facto industry standard. Until recently, many companies vying to get Kubernetes deployed in their AWS solutions have sometimes experienced challenges in the deployment and maintenance of the Kubernetes clusters. In June 2018, AWS introduced a Kubernetes-specific service called AWS EKS (Amazon Elastic Container Service for Kubernetes), the first AWS-managed Kubernetes solution under the AWS umbrella.

Although this initial implementation has proven quite successful and was lauded by developers who rely on AWS for their operations, it still does not allow for easy integration or management by AWS security management toolsets. Because of this challenge, ClearScale, an AWS Premier Consulting Partner, recently worked with a security-conscious client to overcome this issue by leveraging multiple third-party solutions, including Kube2iam, that would allow for a robust security policy management implementation.

The Challenge – Securing Customer Data

The client was very aware of how potential security breaches could expose their customer information which, as many high-profile instances in the news have shown over the last few years, can be damaging for their core business.

With a very large customer base, the need to migrate to the cloud was overshadowed by the fact that the client absolutely required the security of customer data to be better than what they had previously.

For both the client and ClearScale, implementing their overall solution using the newly launched AWS EKS service was the ideal approach. However, there still existed a gap in how the security of the Kubernetes containers was lacking compared to other AWS services. The traditional tools readily available in AWS for developers to use and enact security protocols did not extend to AWS EKS; although it is likely this deficiency will be remediated by AWS at some point in the future, the client could not wait for that to be introduced.

The Solution

After extensive research, ClearScale has determined that the best approach to filling this gap was to rely on third-party and open-source software solutions. The list was narrowed down to four key solutions which, when combined together, offered the robust security the client mandated.

• Heptio — With close integration with Kubernetes, Heptio was chosen so that it would handle the AWS Identity Access Management (IAM) authorized users and assign them role-based access controls inside of the AWS EKS clusters.

Heptio Diagram

Diagram Source: Amazon Blog, Deploying Heptio

• Calico — Project Calico aims to provide robust security solutions for modern containerized implementations. As such, ClearScale chose to leverage the Network Policy Engine feature because it allowed network isolation and segmentation inside of the Kubernetes clusters and similar to what AWS Security Groups accomplishes.

• Kube2IAM — Because of how AWS EKS manages the individual Kubernetes Pods, they initially all receive the same permission set assigned by the IAM role associated with the EC2 instance it runs on. Since our client required a more granular permission set for each Kubernetes Pod, Kube2IAM was implemented to allow each Pod access through individually assigned IAM roles.

• CNI Plugin — The open-sourced project Amazon Virtual Private Cloud (VPC) Container Networking Interface (CNI) plugin for Kubernetes allowed ClearScale to assign the “real” IP Address to the Kubernetes Pods from the VPC network.

CNI Plugin Diagram

Diagram Source: Amazon Blog, Networking Foundation for EKS

The Benefits

Using Kube2IAM and other third-party solutions allowed ClearScale to deliver a robust, tightly-controlled security environment across both AWS and the Kubernetes pods. Because the Kubernetes Pods are now isolated from one another inside of the EC2 instance, even if one of the Pods were attacked or compromised, the remaining Pods would remain safe because of the security isolation due to each Pod having its own set of permissions. The CNI Plugin provided Kubernetes Pods with optimal performance similar to that of EC2 ENIs (Elastic Network Interfaces). Finally, thanks to Heptio, the AWS EKS deployment was tightly integrated with AWS IAM roles and users providing a full end-to-end security solution for the client.

ClearScale’s process of understanding and documenting customer requirements and breaking down the most complex challenges and needs into substantive, actionable areas of focus has allowed us to consistently be recognized by AWS as being a knowledgeable and trusted partner. ClearScale’s solutions are designed to address clients’ immediate operational concerns, but with an eye toward future growth and needs so that the client will be set up for success in the long term.