Cloud Native Compass - Kubernetes Security with Identity and OIDC

05/29/23 • 38 min

Cloud Native Compass

I interview Marc Boorshtein, the CTO of Tremolo Security, an open-source identity management company that focuses on authentication, authorization, identity, and automation. Marc explains that their most popular tool is Open Unison, which allows users to log in to their Kubernetes clusters with whatever authentication system they have, such as LDAP, AD, Okta, or Azure AD. Open Unison also provides secure access to the dashboard and integrates with other cluster management applications.

Next up we shift over to the issue of certificate revocation in Kubernetes. Marc explains that Kubernetes doesn't know how to handle certificate revocation, which can be a security risk if a certificate is leaked or an employee leaves the company. He recommends using OpenID Connect or impersonation to access the cluster instead of relying on certificates. Marc also discusses the default time-to-live on service account tokens issued by the Kubernetes cluster and the importance of not using service account tokens when talking to clusters.

This episode provides insights into the challenges of identity management with Kubernetes and strives to help you improve the security of your Kubernetes clusters.

Previous Episode

Migrating to Kubernetes

In this episode, Rachel shares her journey into tech and how she ended up in the Kubernetes space. She did not have a traditional IT background, but she was always interested in computers and programming. As soon as she discovered the DevOps philosophy and movement, she knew that it was the right fit for her. She went down the rabbit hole of learning how to use Docker, Ansible, Chef, and Kubernetes, and eventually landed a job at Fairwinds, a Kubernetes-centric company.

Rachel discusses the challenges that come with adopting Kubernetes, such as the steep learning curve and the knowledge gap. There are many unknowns if you are not in the Kubernetes space and it can be overwhelming to configure to produce a valuable platform for your teams.

Rachel's journey into the tech space and her experience with Kubernetes provide valuable insights into the challenges and benefits of adopting and migrating to Kubernetes.

Rachel Sweeney is the tech lead at Built Technologies for their migration to Kubernetes. Prior to that she was a tech lead at Fairwinds, a Kubernetes SaaS and consulting company, and before that she worked at the Pew Research Center creating their Kubernetes cluster and migrating workloads to it.

She has been a speaker and panelist at various conferences and events ranging from DevOpsDays Philly to Container Journal, and also wrote a chapter for the O’Reilly title “97 Things Every Cloud Engineer Should Know: Collective Wisdom from the Experts”.

Rachel loves traveling, culture, meeting new people, networking, and helping others grow. Feel free to reach out on LinkedIn with a message and connect!

Next Episode

Event-Driven Architectures at Wix

In this episode of the Cloud Native Compass, host David Flanagan interviews Natan from Wix Engineering about event-driven architectures.

Natan shares his experience as a software engineer for almost 20 years and how working at Wix has improved his engineering skills. Wix has a powerful website building platform that has enabled people with different skill levels to build websites. They have expanded their reach from self-creators to agencies and web professionals and created a whole ecosystem platform. Wix has around 2,500 microservices in production, with more added every week, and a lot of visitors, around 1 billion unique visitors every month, which translates to more than 500 billion HTTP requests per day and 70 billion Kafka events produced every day.

Let's learn how Natan and Wix build for success at some pretty staggering numbers.

  • (00:00) - Introduction
  • (02:25) - The Scale of Wix
  • (08:50) - When & Why Event Driven Architectures
  • (14:45) - Service Mesh
  • (19:30) - Dev & Ops
  • (27:15) - Schema Evolution & Versioning
  • (34:00) - Introducing New Tools
  • (37:15) - Cost Optimisation
  • (44:44) - Plugs

Links

https://www.natansil.com/
https://www.wix.engineering/
