by Amir Sharif, Co-Founder, Aporeto


Editor’s note: On November 6th, 2018, VMware renamed VMware Kubernetes Engine (VKE) to VMware Cloud PKS. To learn more about the change, read here.


VMware Kubernetes Engine (VKE) is a Kubernetes-as-a-Service offering in the growing VMware Cloud Services SaaS portfolio. VKE is a fully managed, enterprise-grade Kubernetes-as-a-Service offering that is cost-effective, easy to use, and integrates with cloud-native solutions, such as Aporeto. VKE is available on AWS and will later be available on Azure as well as additional cloud environments.


VKE is differentiated on three core value propositions. The first is VMware Smart Cluster, which eliminates the need for pre-provisioned nodes by automating the selection of compute resources, optimizing for deployed application usage, reducing customer cost, and improving capacity planning. The Smart Cluster is a fully CNCF-compliant Kubernetes that implements best practices for security and high availability in the public cloud. Second, VKE has a simple tree structure to ease the management of clusters by organizing resources into logical containers and applying consistent access policies on containers (nodes of the tree), inheriting those recursively through the tree and into the Kubernetes RBAC itself. Third, the distributed control plane of VKE is multi-cloud ready and designed for Kubernetes application portability across public clouds, giving you the freedom to deploy on any or all supported cloud providers. VKE is in public beta; try it out by going to this link.


Aporeto’s security offering is built with similar value propositions.  Namely, Aporeto works based on intent-based policies, or policies that describe the desired network security policy of your application at runtime.  Second, Aporeto offers a namespace hierarchy, where policy can be ascribed on any level in the hierarchy and propagated downward as immutable rules.  Third, Aporeto decouples security from the infrastructure, allowing the customer to have uniform and portable policies in a multi-cloud environment.


This blog post focuses on providing centralized security and monitoring for VKE clusters, whether they are on AWS or in a multi-cloud infrastructure, in a manner that is easy to deploy and manage.  By following the four steps in the blog below, you will learn how to easily enforce network and service layer access policies in your VKE cluster with Aporeto.  You may extend these policies in a multi-cloud environment and extend them to legacy workloads without any network configuration or code modification.


About Aporeto


The Aporeto solution decouples network security from the underlying network infrastructure. It replaces network firewalls, ACLs, and similar networking constructs with an identity-centric security mechanism.  Every container or process is automatically associated with a multi-attribute identity that captures an application’s characteristics, environment, and security posture.  Network security is enforced transparently to applications through end-to-end authentication, authorization, and encryption, and without requiring any development process modification.  The Aporeto identity-based approach enables enterprises to implement a uniform security policy decoupled from the underlying infrastructure.


How Aporeto works


  • Ingest developer metadata and/or visualize applications;
  • Generate and simulate security policies;
  • Enforce security policies.


You can visualize the application of your choice by deploying Aporeto as a DaemonSet on VKE.

Aporeto auto-generates L3 security policies by ingesting Kubernetes Network Policies. Taking a service-centric approach, Aporeto auto-discovers Kubernetes services and allows you to define additional L4-L7 policies.  For instance, you can transparently insert end-to-end API authorization into your security workflow.  You also have the option of leveraging your application dependency graph that Aporeto generates to describe your application’s behavioral intent as policies.


In every case, you may audit and edit auto-generated policies and inject human wisdom as necessary. Once you have policies, you may simulate their enforcement at runtime to evaluate their effects without interrupting operations. When satisfied that your security policies are solid, you may lock down your application and protect it with a zero-trust approach.


A key benefit of the identity-centric approach is that you can enforce a consistent security approach even in a hybrid or multi-cloud setting.  As you gain experience with Aporeto in a single cluster setting, you will quickly realize how easy it is to have a consistent security posture in multi-cluster and multi-cloud settings without any infrastructure or operational complexity.


4 Steps to Enforce Network and Service Layer Access Policies in VKE Clusters

Step 1: Prepare the VKE environment

Create a VKE folder and project as in the standard VKE workflow and create a corresponding Smart Cluster. You can choose the production cluster type if you need HA or development if HA isn’t important.


Step 2: Set Up the Aporeto Environment

Using a browser login, go to . You can map your VKE hierarchy to an Aporeto namespace hierarchy by creating the corresponding Aporeto namespaces. For example, you can associate your VKE folder with a namespace, then create children namespaces for each of your projects. You can use the Namespace Setting tab for these actions. Once you have created the corresponding namespaces, navigate to the project namespace. Then, select and expand “System” and then select “Kubernetes Clusters.” Click on the “+” icon (top right). Give the cluster the same name as your corresponding VKE cluster and leave all defaults as they are. Click “create.” This action associates a Kubernetes cluster definition in the Aporeto system with your VKE cluster. It automatically downloads a file with all the necessary Kubernetes definitions on your desktop as <cluster-name>.tar.gz.


Step 3: Join the VKE Cluster to Aporeto

Extract the contents of the downloaded <cluster-name>.tar.gz archive and, after you have properly configured kubectl, create the corresponding Kubernetes resources using the provided YAML definitions.


Step 4: Roll Up Your Sleeves and Dig in with a Demo App

Clone the GitHub repo and then follow the instructions in the file.  By following this tutorial, you will learn how to enforce network and service layer access policies in your VKE cluster.
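A pre-apply review for Step 3, as an added example that is not from the original post or from Aporeto: it extracts the downloaded bundle into its own directory, summarizes which Kubernetes resource kinds the YAML defines, and flags cluster-wide RBAC objects and DaemonSets for a closer read before kubectl creates them. The function names and the archive name are hypothetical, and the choice of kinds to flag is an assumption, since the post does not describe the bundle's contents.

```bash
#!/usr/bin/env bash
# Added example: review the bundle downloaded in Step 2 before Step 3 creates it.
# Function names are hypothetical; the bundle's real layout is not given in the post.

# Exit 0 if any archive member name on stdin is absolute or contains "..".
has_unsafe_names() {
  grep -Eq '^/|(^|/)\.\.(/|$)'
}

# Extract <cluster-name>.tar.gz into its own directory, refusing members
# that would be written outside that directory.
extract_bundle() {
  archive=$1
  dest=$2
  if tar -tzf "$archive" | has_unsafe_names; then
    echo "refusing $archive: member path escapes $dest" >&2
    return 1
  fi
  mkdir -p "$dest" && tar -xzf "$archive" -C "$dest"
}

# Print "<count> <kind>" for every top-level resource kind in the YAML files.
list_kinds() {
  find "$1" -type f \( -name '*.yaml' -o -name '*.yml' \) -exec cat {} + |
    sed -n 's/^kind:[[:space:]]*\([A-Za-z]*\).*/\1/p' |
    sort | uniq -c | awk '{print $1, $2}'
}

# Exit 0 if the bundle defines kinds worth reading line by line before applying:
# cluster-wide RBAC objects, or a DaemonSet (a pod on every node).
needs_review() {
  list_kinds "$1" | grep -Eq ' (ClusterRole|ClusterRoleBinding|DaemonSet)$'
}

# Step 3 itself: create the resources from the reviewed directory.
join_cluster() {
  kubectl create --recursive -f "$1"
}

# Typical use (archive name is a placeholder):
#   extract_bundle my-vke-cluster.tar.gz ./aporeto-bundle
#   list_kinds ./aporeto-bundle
#   needs_review ./aporeto-bundle && echo "read the RBAC and DaemonSet specs first"
#   join_cluster ./aporeto-bundle
```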


Work with Your VKE Cluster with Aporeto Security


Now that you have connected your VKE Kubernetes cluster to Aporeto, you can visualize it in real time and on a historical basis by using the Aporeto UI.  To learn more, visit the VMware Solution Exchange, or VSX, and search for “Aporeto.”    You may get more information on Aporeto by reading the Aporeto blog and signing up for a trial account.  Besides visualizing and securing your VKE workload, you can also connect your private cloud workload to your Aporeto account and view your distributed application’s end-to-end operations centrally.


You can find instructions for connecting non-VKE workloads to Aporeto by perusing the document set in (click on “Switch to Accounts” on the top right corner to the immediate right of the “?” mark icon).  As always, you can request support directly in Aporeto’s Console.


With VKE, Aporeto’s powerful security capabilities unlock the following use cases, among others:

  • Network segmentation and workload isolation for cloud-native and legacy workloads, reducing compliance scope.
  • Transparent encryption without code or network modification
  • Uniform API access control policy across services in public or private cloud
  • Continuous vulnerability analysis of container images
  • Runtime threat detection and protection based on behavioral analysis
  • Capability to expand in a multi-cloud service mesh by integrating Istio in the enforcement layer, giving you granular access control for Zero Trust security

