In order to maximize your Kubernetes or OpenShift cluster security, you must protect the hosts themselves and manage their communication patterns. The Aporeto enforcer gives you the capability to protect all your hosts from unauthorized incoming traffic as well as minimize the lateral movement capability of an attacker if they manage to get access to these hosts.
By default in a standard Kubernetes or OpenShift cluster installation, Aporeto recognizes only pods as processing units.
Therefore there is one central component in a cluster that is not going to be protected and recognized by Aporeto: the kubelet.
The kubelet is installed in both Kubernetes and OpenShift as a system service called either
This means that traffic from the kubelet to pods is not recognized as traffic from an Aporeto processing unit.
This creates a problem for pods that use livenessProbe checks, as those are executed by the kubelet on each host.
It is difficult to write good network access policies that allow incoming connections to your processing units from the kubelet, because the source IP address shown in a rejected flow is the IP of the bridge interface of your pod network on the host. As a result, the rejected flow appears to come from Somewhere in the Aporeto web interface.
Depending on the pod networking technology you choose, this can be a different IP on every host, or an IP that you cannot predict at all.
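As an added illustration (this manifest is not part of the original Aporeto documentation), the following pod defines the kind of probes the text refers to. The pod name and container image are assumptions; the point is that the kubelet on the node, not another pod, opens these connections, so the pod sees them arriving from the host's pod-network bridge address.

```yaml
# Added example, not from the Aporeto documentation: a pod whose health
# checks are performed by the kubelet running on the host.
apiVersion: v1
kind: Pod
metadata:
  name: probe-demo          # hypothetical name
spec:
  containers:
  - name: web
    image: nginx:1.25       # assumed image; any HTTP server works
    ports:
    - containerPort: 80
    # The kubelet itself opens this HTTP connection to the pod. From the
    # pod's side the source address is the host's pod-network bridge IP,
    # which is why a rejected probe shows up as coming from "Somewhere"
    # until the host is enrolled as a processing unit.
    livenessProbe:
      httpGet:
        path: /
        port: 80
      initialDelaySeconds: 5
      periodSeconds: 10
    # A readinessProbe is executed by the kubelet in the same way and
    # produces the same kind of flow.
    readinessProbe:
      tcpSocket:
        port: 80
      periodSeconds: 5
```

If this pod is protected by a default-deny policy and the host is not yet a processing unit, the liveness probe fails and the kubelet restarts the container in a loop; enrolling the host first gives the probe traffic an identity that a policy can match.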
By turning the Kubernetes cluster host into a processing unit, it becomes possible to identify the kubelet's health check probes as traffic originating from a Kubernetes cluster host. Furthermore, once host mode protection is active, it is possible to police all traffic to every Kubernetes or OpenShift cluster component.
Aporeto denies all traffic by default. You must whitelist the necessary traffic before enabling host protection. Otherwise, you may bring down your cluster and lose access to your hosts. Follow our guidance in sequence to avoid interruptions in service.
If you are ready and have understood the purpose and consequences of full host protection, follow one of the two guides below to enable it in your setup: