
I'm setting up an EKS cluster on AWS and I want to secure all the data in flight in the Kubernetes cluster (and also between EKS and external systems, but that's out of scope here).

In Kubernetes, different protocols are in use between the different pods, mainly REST/HTTP, but also communication between microservice pods and a Kafka broker, JDBC between microservice pods and database pods (Zalando Postgres), between a Filebeat pod and Elasticsearch, ...

I see several options but I don't like any of them.

  • Encrypt every communication individually --> too much work, an operational nightmare
  • Istio or Linkerd --> works only for HTTP and gRPC, not for Kafka communication. Heavy control plane.
  • a CNI like WeaveNet --> no support for security groups, flow logs, ACLs

Are there better alternatives? Would you recommend any of these options?

christian
  • Why not throw a container or a Lambda function in front of the cluster and do all the heavy work on it? – Stargazer Mar 29 '19 at 19:18
  • @Stargazer if using a lambda function the communication between the EKS cluster and lambda function will not be encrypted if the underlying protocols are kept. Plus this would require changing the entire networking flow to push packets into the lambda – asdf Mar 29 '19 at 22:03
  • Note that Istio supports encrypting traffic for any TCP protocol. – Vadim Eisenberg Mar 30 '19 at 04:33
  • @VadimEisenberg I've seen that, but I've also seen issues that the kafka protocol doesn't work with istio. I have to look into that again. Thank you. – christian Mar 31 '19 at 06:15
  • @christian Istio cannot understand the Kafka protocol, however I think Istio can handle Kafka as plain TCP. – Vadim Eisenberg Mar 31 '19 at 13:31
  • @VadimEisenberg as I understand it now, istio doesn't understand the kafka protocol and isn't able to handle errors, gather metrics, ... but might be able to encrypt the traffic on the tcp layer. – christian Mar 31 '19 at 17:47
  • @christian good, I am glad the issue is clear now. – Vadim Eisenberg Mar 31 '19 at 20:45

1 Answer

One possible solution could be using an nginx sidecar reverse proxy on all your pods to capture all outbound traffic, in conjunction with nginx's proxy_protocol directive to operate with ELBs and other load balancers.

You can accomplish this by modifying the iptables (or whatever SDN/pattern you choose to use in your setup) to force all outbound traffic into the reverse proxy instead of sending it out to the internet. You then use directives within proxy_protocol to force all upstream TCP connections to use SSL using a certificate defined by the reverse proxy for encryption.

This should work for the protocols you defined since they're all based on TCP.

asdf
  • Thank you @asdf. This sounds like a feasible solution but also like a lot of work. Maybe I'll look into Istio again. – christian Mar 31 '19 at 17:54
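A sketch of the sidecar pattern from the answer, as an added example that is not part of the original post: Filebeat keeps dialling Elasticsearch on port 9200 in plaintext, an iptables REDIRECT in the pod's network namespace sends that to an nginx stream sidecar, and the sidecar re-originates the connection over TLS. Service names, images, ports and secret names are assumptions; the upstream TLS uses nginx's proxy_ssl directives, and proxy_protocol is only enabled where the upstream or load balancer expects the PROXY header.

```yaml
# Added example, not from the answer. Names, images, ports and secrets are assumptions.
# Fits upstreams that speak TLS from the first byte (Kafka SSL listeners, HTTPS); Postgres'
# in-band SSLRequest negotiation and Kafka's per-broker advertised listeners need more work.
apiVersion: v1
kind: ConfigMap
metadata:
  name: es-egress-proxy
data:
  nginx.conf: |
    user nginx;          # workers run as uid 101, the uid excluded from the REDIRECT rule
    events {}
    stream {
      server {
        listen 127.0.0.1:19200;                 # plaintext side, pod-local only
        proxy_pass elasticsearch.logging.svc.cluster.local:9200;
        proxy_ssl on;                           # TLS to the upstream
        proxy_ssl_name elasticsearch.logging.svc.cluster.local;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/proxy/ca.crt;
        proxy_ssl_certificate /etc/proxy/tls.crt;       # client cert for mTLS
        proxy_ssl_certificate_key /etc/proxy/tls.key;
        # proxy_protocol on;   # only when the upstream or LB expects the PROXY header
      }
    }
---
apiVersion: v1
kind: Pod
metadata:
  name: filebeat
spec:
  initContainers:
  - name: redirect-egress
    image: alpine:3.19                          # hypothetical; installs iptables at start
    securityContext:
      capabilities: { add: ["NET_ADMIN"] }
    command: ["sh", "-c"]
    args:
    - apk add --no-cache iptables && iptables -t nat -A OUTPUT -p tcp --dport 9200
        -m owner ! --uid-owner 101 -j REDIRECT --to-ports 19200
  containers:
  - name: filebeat
    image: docker.elastic.co/beats/filebeat:7.17.0   # still points at http://elasticsearch:9200
  - name: egress-proxy
    image: nginx:1.25
    volumeMounts:
    - { name: conf, mountPath: /etc/nginx/nginx.conf, subPath: nginx.conf }
    - { name: certs, mountPath: /etc/proxy, readOnly: true }
  volumes:
  - { name: conf, configMap: { name: es-egress-proxy } }
  - { name: certs, secret: { secretName: es-client-tls } }
```

Each destination port needs its own listen/proxy_pass pair, because a stream listener does not recover the original destination of a redirected connection.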