Every Kubernetes developer’s favorite time of year is just around the corner, Kubecon EU 2022! Whether you’re attending in person in beautiful Valencia, Spain, or watching the conference from your couch at home, here are a few reasons why — if you operate any Kubernetes infrastructure — you need Teleport. Teleport is an open source project and CNCF member project that unifies SSH, RDP, Kubernetes, web applications, and database access across all cloud and cloud-native environments.
A cloud-native world
I’ve been around the CNCF for a while now.
Having been a maintainer in Paketo buildpacks and VMware Tanzu in their container build program, I'm always on the lookout for unique solutions to growing pains in the cloud-native space. This is what initially drew me to Teleport. Paketo and Tanzu Build Service bring creative solutions to the source code → application container space. Whereas Teleport brings a revolutionary solution to security for a distributed cloud-native world.
In today’s technology landscape, everyone is moving to cloud-native Kubernetes infrastructure. In 2021 alone the CNCF added over 200 members, a 23% increase since 2020. Everyone is going cloud-native that is, including cyber-criminals. According to a report published by aquasec, there was a 9% increase in Kubernetes environment attacks from 2020 to 2021 and that number is only expected to grow in the coming years.
Luckily as attackers grow more sophisticated, the technological advancements in the security space are also evolving — Teleport is at the forefront of this movement, keeping all of your cloud infrastructure safe and secure.
How Teleport can protect your Kubernetes clusters
Kubernetes and work from home
As technical architecture evolved to be more distributed, so did the workplace. With employees increasingly working remotely on their own machines and networks, DevOps can quickly become a huge pain and security nightmare. I know this from experience. Working remotely with different k8s clusters, hosted on different IAAS’s across dozens of networks and behind several different VPN access points was an absolute nightmare. And this is common practice!
According to the State of Infrastructure Access and Security Report 2021, 60% of organizations are running applications in virtual machines, containers and Kubernetes. In securing this complex infrastructure, 70% of those surveyed are still using passwords, while 53% still use VPNs. This is not only a problem for onboarding complexity (dozens of IT tickets asking for access) but also a huge risk for offboarding.
83% of respondents surveyed in the report cannot guarantee that ex-employees can no longer access their infrastructure. This not only puts your company at risk, but your customers as well! Having a streamlined, real-time approach to onboarding/offboarding individuals both reduces costs and closes the attack opps.
Teleport can — in real-time — stop any access by a user across all clusters via its locking mechanism. This live identity-based access control ensures that you know exactly who has access to what, throughout your entire organization. No more manual password rotation every time someone leaves, and no more managing VPN access points across 10 different regions.
Prevent rogue privilege escalation
One of the largest attack vectors in a Kubernetes environment is rogue privilege escalation by malicious actors. This is a common problem in the cloud-native space.
With Teleport, instead of having shared admin accounts per development team, access is handled with just-in-time privilege escalation that seamlessly integrates with your SSO identity-based tooling. Along with SSO, Teleport also allows you to easily configure MFA and RBAC roles per identity, enforcing the Principle of Least Privilege across your entire organization. Access requests can be approved through a multitude of supported plugins like Slack, keeping things simple and secure.
Secure CI/CD automation
Teleport has extended access for automated tasks with Machine ID, programmatically issuing and renewing short-lived certificates to any service account (e.g a CI/CD server) by retrieving credentials from the Teleport CA. This allows you to configure role-based access controls for any machine in your environment, keeping your pipelines secure without any complex overhead.
Whether you are working with the federal government, in the financial sector or even with your local pediatrician’s office, Teleport makes it easy for your organization to continuously maintain compliance and pass audits with minimal configuration. Teleport supports a multitude of compliance standards out of the box such as SOC2, FedRAMP, HIPAA, ISO 27001, PCI and many others.
Teleport also supports FIPS mode, automatically rejecting any configuration option that is not compliant with FIPS 140-2, eliminating any guesswork in keeping your organization compliant with federal contracts.
Easily maintain accountability and compliance when working in the terminal with session controls. With session controls, you can host moderated sessions, allowing your dev team to easily work together in a secure compliant manner. Whether you are manipulating a cluster with kubectl commands or pair programming in an ssh session, Teleport enforces concurrent session restrictions, proactive session termination and identity locking across your entire infrastructure footprint.
No matter what your compliance requirements are, Teleport’s advanced authorization capabilities are highly configurable depending on your use case, supporting RBAC, per-session MFA and dual authorization for privileged operations.
Visibility and auditing
Another key element of Teleport’s access model is auditing. Providing both a live view and the audit log of every user session and access events for all Kubernetes clusters across all environments, with Teleport’s auditing capabilities you’ll never miss a thing. In fact, every kubectl session is recorded for future replay that easily integrates with anomaly detection tools so you don’t have to constantly have a human eye on things.
Deployment is Simple and Secure with Teleport Kubernetes Access
Yes! It's possible to have both. A simple yet more secure system. We designed our platform centered around developers, because we believe the right thing should also be the easiest thing. Deployed using a Helm Chart, Teleport offers secure access while giving developers the space they need to well… develop! A single identity-based login gives engineers access to all Kubernetes clusters across all environments. This means no more juggling of shared credentials, and hopping between VPNs and access points. Teleport makes it feel like all of your infrastructure is in the same room as you, something sorely needed in these times of distributed computing and working from home.
Meet us at KubeCon EU 2022
Come say hi to us at KubeCon EU 2022 to learn more or even just to chat. We always love meeting new faces (plus we have tons of free swag and are also hosting a raffle to win an Oculus)!
Our booth number is P3.
Also be sure to check out our Happy Hour on Thursday, 19 May 2022 from 7:00pm to 10:00pm. With an open bar and tapas at one of the best restaurants in Valencia, you don't want to miss it.
See you there!
What Are JWTs?
By Victor Elezua
How to Connect to Microsoft SQL Server Remotely Using Teleport
By Travis Rodgers
Directory Sharing in a Web-Based RDP Client Using the File System Access API
By Isaiah Becker-Mayer