Securing Pods in Azure Kubernetes Service

1. Pod security with Azure Policy

2. Using Azure Active Directory Pod identity

  1. The cluster operator first creates the mapping that is applied when pods request access to services (in AAD Pod Identity this is an AzureIdentity that points at an Azure managed identity, plus an AzureIdentityBinding that selects pods by label).
  2. The Node Managed Identity (NMI) server and the Managed Identity Controller (MIC) are deployed to relay any pod requests for access tokens to Azure AD.
  3. A developer deploys a pod with a managed identity that requests an access token through the NMI server.
  4. The token is returned to the pod and used to access Azure SQL Database.
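The manifests below are an added example of the flow above and are not part of the original article or of the AAD Pod Identity project. The subscription ID, resource group, identity name, client ID, the namespace `app`, the container image and the selector value `sql-reader` are all placeholders you would substitute; the token request is the standard IMDS call that NMI intercepts on the node.

```yaml
# Added example, not from the article. All IDs and names are placeholders.
# Step 1: the operator maps an Azure managed identity into the cluster...
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentity
metadata:
  name: sql-reader-identity
  namespace: app
spec:
  type: 0          # 0 = user-assigned managed identity, 1 = service principal
  resourceID: /subscriptions/<subscription-id>/resourcegroups/<resource-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/sql-reader
  clientID: <client-id-of-the-managed-identity>
---
# ...and decides which pods may use it (label aadpodidbinding=sql-reader).
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentityBinding
metadata:
  name: sql-reader-binding
  namespace: app
spec:
  azureIdentity: sql-reader-identity
  selector: sql-reader
---
# Step 3: a developer's pod carries the label and asks for a token.
apiVersion: v1
kind: Pod
metadata:
  name: sql-client
  namespace: app
  labels:
    aadpodidbinding: sql-reader   # must match the binding's selector
spec:
  containers:
  - name: client
    image: mcr.microsoft.com/azure-cli   # assumed image; anything with curl works
    command: ["sh", "-c"]
    args:
    - |
      # The pod calls the IMDS token endpoint. On an AAD Pod Identity node an
      # iptables rule redirects this to the NMI server, which checks the binding
      # (via MIC) and obtains the token for the mapped identity from Azure AD.
      # The resource URI below is the one Azure SQL Database accepts.
      curl -s -H "Metadata: true" \
        "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://database.windows.net/"
```

Two things to check before this works: the cluster's identity needs the Managed Identity Operator role on the user-assigned identity (and the identity itself needs a login in the Azure SQL database), and a pod without the `aadpodidbinding` label gets no token from NMI at all, which is the point of the binding. Note also that Microsoft has since deprecated AAD Pod Identity in favour of Azure AD Workload Identity, which federates Kubernetes service account tokens instead of running the NMI and MIC components; new deployments should prefer that.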

3. Network Policies for securing traffic between pods

  • Azure’s own implementation, called Azure Network Policies.
  • Calico Network Policies, an open-source network and network security solution.

  The cluster-creation procedure does the following:

  • Creates a virtual network and subnet.
  • Creates an Azure Active Directory (Azure AD) service principal for use with the AKS cluster.
  • Assigns Contributor permissions for the AKS cluster service principal on the virtual network.
  • Creates an AKS cluster in the defined virtual network and enables network policy, using the Azure Network Policy option. To use Calico as the network policy option instead, pass the --network-policy calico parameter. Note: Calico can be used with either --network-plugin azure or --network-plugin kubenet, whereas Azure Network Policy requires --network-plugin azure.
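Once the cluster is created with network policy enabled, the actual restrictions are ordinary Kubernetes NetworkPolicy objects, which both Azure Network Policy and Calico enforce. The pair below is an added example, not from the article: the namespace `shop`, the labels `app=frontend` and `app=backend`, and port 8080 are assumptions. The first policy closes the namespace, the second reopens exactly one path.

```yaml
# Added example, not from the article. Namespace, labels and port are assumptions.
# Without a deny-all policy, a pod that no policy selects accepts traffic from
# anywhere, so an allow rule on its own restricts nothing.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: shop
spec:
  podSelector: {}        # empty selector = every pod in the namespace
  policyTypes:
  - Ingress              # Ingress listed with no rules = all inbound traffic denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-backend
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: backend       # the pods being protected
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend  # only pods labelled app=frontend, and only in this namespace
    ports:
    - protocol: TCP
      port: 8080         # everything else to the backend stays blocked
```

Apply both with `kubectl apply -f`, then verify from two test pods: one labelled `app=frontend` should reach the backend on 8080, one without the label should time out. Two caveats a practitioner should keep in mind: a `podSelector` inside `from` only matches pods in the policy's own namespace unless a `namespaceSelector` is added, and the default-deny policy here covers ingress only, so pod egress (for example to the Internet or to the metadata endpoint) needs a separate `Egress` policy.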

Conclusion
