Zero Trust: Your key to a secure future in a Kubernetes world and beyond
Take a moment to think about your Kubernetes cluster. Imagine an uninvited guest finds a way in. Do you know exactly what they can access? Or even worse, if they manage to sneak into one of your containers, what’s the risk? This concern isn’t just theoretical; the reality shows that threats to our digital ‘castles’ are growing as more companies move their operations online.
Reading time: 7 minutes
Research reveals a growing trend: More companies recognize the need for Zero Trust. Yet, many face significant challenges when implementing it—nearly half of all businesses see it as a major hurdle.
Traditionally, a solid external firewall was considered sufficient defense. A single wall, one key, one barrier—that was all we thought it took to keep the enemy out. But times are changing, and this strategy no longer holds up.
We increasingly hear about companies losing data or falling victim to ransomware because their internal defenses are simply too weak.
The digital castle
The analogy of an old-fashioned castle is quite fitting. Picture a fortress with a single bridge across the moat. With soldiers inspecting everyone who crosses the bridge, you feel secure—until an enemy finds a way inside. Suddenly, nothing is safe; the enemy can roam freely, looting everything from small trinkets to the kingdom’s crown jewels.
This is where the Zero Trust strategy comes into play—a modern approach that protects your digital castle far more effectively. With Zero Trust, we assume the enemy may already be inside the walls. Instead of focusing all security at the gate, Zero Trust ensures that every single movement within the castle requires new authorization—no one is allowed to move freely without the proper permissions.
So, what exactly is Zero Trust?
Zero Trust is based on the principle that someone will always find a way past our digital walls—our firewalls. Starting from this assumption, we take precautions to ensure we know exactly what to do if an uninvited guest does make their way in. This principle is often referred to as ‘assume breach,’ meaning we operate under the assumption that our defenses have already been compromised.
In a Zero Trust model, everything is locked down, and every single access attempt requires verification. This involves carefully reviewing users and their permissions, ensuring that only the most essential privileges are granted. It guarantees that the right people, under the right conditions, have access to the right data—no more, no less.
The reinvented castle
Let’s return to our castle analogy. With Zero Trust, the castle would be divided into several smaller sections, each secured with its own locked door. Only those with a legitimate purpose (and the necessary permissions) can move from one area to another. This adds an extra layer of security, as an intruder can no longer roam freely and exploit the system’s resources.
Fortunately, implementing the Zero Trust principle in the IT world is far less complex than it would be in a physical castle. By leveraging modern technologies and strategies, we can build a digital infrastructure where security is embedded at every level, and every action requires identity and permission verification.
-
Without Zero Trust security
- Trust is often granted implicitly, based on user location and network context.
- Focus on a strong external perimeter, with less emphasis on internal segmentation.
- Typically uses single-factor authentication and assigns broad access rights based on roles.
- Access rights are often predefined and may be broader than necessary.
- Less intensive monitoring, primarily focused on external threats.
- Access is granted based on user roles and location, without detailed contextual evaluation.
- Encryption may not be consistently implemented, potentially exposing data to risk.
-
With Zero Trust security
- All users and devices are treated as potential threats, and access requires contextual authentication.
- Microsegmentation isolates and limits the movement of threats.
- Requires multi-factor authentication as a standard.
- Access rights are granular and follow the principle of least privilege.
- Continuous monitoring of user behavior and network traffic for suspicious activity.
- Access is granted based on contextual factors such as user behavior, device state, and location.
- Encryption is applied to protect data both in transit and at rest.
Security
It’s not just about how someone gets in, but what happens once they’re inside. With Zero Trust, a firewall is applied to everything, ensuring that only what is necessary is opened.
In general, security has become increasingly complex, and Zero Trust helps simplify it with a strategic process and automated tools that verify all activities, grant access only to what’s needed, and leverage advanced threat detection and response.
KvalitetsIT’s work
Instead of manually changing settings across multiple locations via a user interface, we use a configuration file (Configuration-as-Code, or CaC) that is automatically deployed and applied to all the correct locations.
Typically, we establish something like the following:
- Firewall between all services, so access must be explicitly opened.
- Authentication between all services, ensuring access is granted only to the right users with the appropriate roles.
- Internal TLS for tools like Kafka and Postgres, securing communication with queues and databases.
- TLS v1.3 from www to public services (we also allow TLS v1.2, depending on customer requirements).
- WireGuard encryption for network traffic between all VMs.
- Data encryption on disk.
As shown, there are multiple layers of “locks” in this setup—much like the castle analogy.
More concretely, KvalitetsIT typically does the following:
- We install and configure a firewall between all services. By default, nothing is open. We typically use Calico for this.
- We open access for services, not ports.
- We authenticate all service calls, which can be role-based or even more fine-grained if needed. Typically, we use Keycloak and OIDC for this.
- All communication is protected with TLS v1.3, including internal communication wherever possible.
- All network traffic between VMs is encrypted with WireGuard.
- Data on disks is encrypted when relevant.
- Automating the setup of all the above is key to making it work in practice. Everything is managed through configuration files and kept under version control, typically using GitHub.
Network policy
An example of a configuration we work with is the configuration of the firewall (network policy). It specifies that traffic is allowed to enter from the internet (ingress-nginx) and infrastructure for collecting metrics, and traffic is allowed out for DNS lookups and message queues (Kafka). Everything else remains closed.
netpol:
ingress:
ingress-nginx:
namespaceSelector:
kubernetes.io/metadata.name: kube-system
podSelector:
app.kubernetes.io/instance: rke2-ingress-nginx
ports:
8080: TCP
metrics:
namespaceSelector:
kubernetes.io/metadata.name: infrastructure
ports:
8081: TCP
egress:
dns:
ipBlock: 10.43.0.10/32
ports:
53: UDP
kafka:
namespaceSelector:
kubernetes.io/metadata.name: message-streaming-services
podSelector:
strimzi.io/cluster: test2
strimzi.io/kind: Kafka
ports:
9093: TCP
When looking at the above example, it becomes clear that automation cannot be underestimated. There are numerous components that each need to be opened to ensure the entire system functions properly.
If this is done manually—and maintained manually—it becomes an enormous task, and the risk of human error is high. If a mistake is made, it’s incredibly helpful to simply roll back to a previous version with a single click, rather than struggling with Word documents and backup files to restore an earlier state. With automation, you can revert to the previous version in minutes instead of hours.
We implement Zero Trust with Kubernetes, using container-based applications that make it easier to manage and monitor security.
We have implemented Zero Trust for municipalities, regions, and both small and large private businesses, across various industries—including healthcare.
Managing security isn’t always easy, and sometimes you may find yourself handling everything manually because it feels less complicated than setting up a system to do it for you. That’s why you can leave the overall setup to us, so you can focus on what matters most to your business.
Are you ready to take security to the next level and protect your Kubernetes cluster from unwanted visitors? Contact KvalitetsIT at +45 51148767 for a no-obligation conversation about how we can implement a Zero Trust architecture in your organisation. Security is a journey, not a destination, and with Zero Trust, you’ll always stay one step ahead of the threats.