Zero Trust isn't a buzzword: in the era of the hybrid cloud and the multicloud, most companies are changing their approach to security. The Zero Trust model drastically changes the way IT systems are secured; it assumes that anyone could be an attacker, so every access needs to be authenticated and authorized.
In Kubernetes, every workload can communicate with every other workload without any restriction, so Kubernetes by itself doesn't guarantee Zero Trust security; if you want to achieve it, you need to build or use something on top of the Kubernetes network. A Service Mesh can help you solve this problem by managing identity, introducing authorization through mTLS, and defining traffic policies.
Kuma is a mesh control plane for both K8s and VMs with native multi-cloud and multi-cluster connectivity. It was originally developed by Kong Inc., then donated to the CNCF as a Sandbox project, and is now at version 2.0.
How can we implement Zero Trust security with Kuma?
Kuma allows you to manage and issue certificates declaratively; you can choose to use the built-in CA or to provide your existing one. In this way, every service in the mesh gets a certificate (its identity) and all connections are authorized through mTLS. Below you can see how to enable the mTLS policy.
```yaml
apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  mtls:
    enabledBackend: ca-1
    backends:
      - name: ca-1
        type: builtin
        dpCert:
          rotation:
            expiration: 1d
        conf:
          caCert:
            RSAbits: 2048
            expiration: 10y
```
OK, now all the services have an identity, but by default they can still all communicate with each other, because of an existing Traffic Permission policy:
```yaml
apiVersion: kuma.io/v1alpha1
kind: TrafficPermission
mesh: default
metadata:
  name: allow-all-traffic
spec:
  sources:
    - match:
        kuma.io/service: '*'
  destinations:
    - match:
        kuma.io/service: '*'
```
Through this policy, all traffic is allowed within the Mesh. If you want to enforce Zero Trust, allowing only specific paths, you should define your own Traffic Permission policies. An example below:
```yaml
apiVersion: kuma.io/v1alpha1
kind: TrafficPermission
mesh: default
metadata:
  name: demoapp-to-redis
spec:
  sources:
    - match:
        kuma.io/service: demo-app_kuma-demo_svc_5000
  destinations:
    - match:
        kuma.io/service: redis_kuma-demo_svc_6379
```
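To see what the two policies above actually grant, the following script is an added example (not Kuma's code and not part of the original post) that evaluates a set of TrafficPermission policies offline. The policies are the two from the post, re-expressed as Python dicts; the dataplane tag sets for demo-app, redis and a third `other-app` workload are constructed for the example. The matching model is an assumption about how TrafficPermission behaves: a policy grants a connection when one of its source selectors matches the client's tags and one of its destination selectors matches the server's tags, `'*'` accepts any value, and a connection is allowed if any policy grants it. The script also flags policies whose source and destination selectors are both pure wildcards, since those are the ones that make every narrower permission meaningless.

```python
"""Offline evaluator and audit for Kuma TrafficPermission policies.

Added example: the policies are the post's two resources as Python dicts
(constructed here, not read from a cluster), and the matching rules below
are an assumption about TrafficPermission semantics, not Kuma's own code.
"""
from typing import Any, Dict, List

Tags = Dict[str, str]
Policy = Dict[str, Any]

ALLOW_ALL: Policy = {
    "apiVersion": "kuma.io/v1alpha1",
    "kind": "TrafficPermission",
    "mesh": "default",
    "metadata": {"name": "allow-all-traffic"},
    "spec": {
        "sources": [{"match": {"kuma.io/service": "*"}}],
        "destinations": [{"match": {"kuma.io/service": "*"}}],
    },
}

DEMOAPP_TO_REDIS: Policy = {
    "apiVersion": "kuma.io/v1alpha1",
    "kind": "TrafficPermission",
    "mesh": "default",
    "metadata": {"name": "demoapp-to-redis"},
    "spec": {
        "sources": [{"match": {"kuma.io/service": "demo-app_kuma-demo_svc_5000"}}],
        "destinations": [{"match": {"kuma.io/service": "redis_kuma-demo_svc_6379"}}],
    },
}

# Constructed dataplane tag sets; the extra kuma.io/protocol tag shows that
# tags not named by a selector do not affect matching.
DEMO_APP: Tags = {"kuma.io/service": "demo-app_kuma-demo_svc_5000", "kuma.io/protocol": "http"}
REDIS: Tags = {"kuma.io/service": "redis_kuma-demo_svc_6379", "kuma.io/protocol": "tcp"}
OTHER_APP: Tags = {"kuma.io/service": "other-app_kuma-demo_svc_8080", "kuma.io/protocol": "http"}


def selector_matches(match: Tags, tags: Tags) -> bool:
    """Every key in the selector must be present on the dataplane with the same
    value; '*' accepts any value. Dataplane tags the selector does not name are ignored."""
    for key, wanted in match.items():
        actual = tags.get(key)
        if actual is None:
            return False
        if wanted != "*" and wanted != actual:
            return False
    return True


def policy_allows(policy: Policy, src: Tags, dst: Tags) -> bool:
    """One policy grants src -> dst when a source selector matches src and a
    destination selector matches dst (direction matters)."""
    spec = policy["spec"]
    src_ok = any(selector_matches(s["match"], src) for s in spec["sources"])
    dst_ok = any(selector_matches(d["match"], dst) for d in spec["destinations"])
    return src_ok and dst_ok


def is_allowed(policies: List[Policy], src: Tags, dst: Tags) -> bool:
    """A connection is permitted if any policy in the mesh grants it."""
    return any(policy_allows(p, src, dst) for p in policies)


def is_wildcard(match: Tags) -> bool:
    """A selector whose every value is '*' matches any dataplane."""
    return all(v == "*" for v in match.values())


def find_mesh_wide_grants(policies: List[Policy]) -> List[str]:
    """Names of policies with a wildcard-only source AND destination selector:
    these allow everything and silently defeat every narrower permission."""
    names = []
    for p in policies:
        spec = p["spec"]
        if any(is_wildcard(s["match"]) for s in spec["sources"]) and any(
            is_wildcard(d["match"]) for d in spec["destinations"]
        ):
            names.append(p["metadata"]["name"])
    return names


if __name__ == "__main__":
    with_default = [ALLOW_ALL, DEMOAPP_TO_REDIS]
    without_default = [DEMOAPP_TO_REDIS]
    print("mesh-wide grants present:", find_mesh_wide_grants(with_default))
    print("other-app -> redis, allow-all kept   :", is_allowed(with_default, OTHER_APP, REDIS))
    print("other-app -> redis, allow-all removed:", is_allowed(without_default, OTHER_APP, REDIS))
    print("demo-app  -> redis, allow-all removed:", is_allowed(without_default, DEMO_APP, REDIS))
```

Running it shows the point of the audit: as long as `allow-all-traffic` is still in the mesh, `other-app` reaches redis regardless of the `demoapp-to-redis` policy; only after the wildcard policy is gone does the specific permission actually restrict traffic to the one path it names.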
Kuma allows developers to focus only on developing business features, without having to handle these security aspects themselves. In this way, you prevent every team from developing its own security framework, reducing the cognitive load on every developer and, in a heterogeneous ecosystem, avoiding huge code fragmentation.
Kuma also reduces the manual effort of rotating certificates when they expire and of providing a certificate for every service of your applications. In fact, once you define the mTLS policy, every service that joins the Mesh is automatically issued its own certificate.