Security Containerized Workloads in IBM Cloud Using Aporeto
By: Chris Rosen
Security Containerized Workloads in IBM Cloud Using Aporeto
This blog was co-authored with Amir Sharif, co-founder of Aporeto. We’re excited to bring Aporeto’s capabilities to IBM Cloud Container Service, providing choice and flexibility to our users.
About IBM Cloud
IBM Cloud (formerly IBM Bluemix) provides users with a variety of compute choices as well as over 170 IBM and third-party services. IBM Cloud Container Service combines Docker and Kubernetes to deliver powerful tools, an intuitive user experience, and built-in security and isolation to enable rapid delivery of applications all while leveraging Cloud Services including cognitive capabilities from Watson.
Aporeto is a Zero Trust security solution for microservices, containers and cloud. Fundamental to Aporeto’s approach is the principle that everything in an application is accessible to everyone and could be compromised at any time. Aporeto uses vulnerability data, identity context, threat monitoring and behavior analysis to build and enforce authentication, authorization and encryption policies for applications. With Aporeto, enterprises implement a uniform security policy decoupled from the underlying infrastructure, enabling workload isolation, API access control and application identity management across public, private or hybrid cloud.
Because Aporeto transparently binds to application components to provide them with identity, the result is security independent from infrastructure and network and reduction of complexity at any scale on any cloud.
Aporeto is simple to deploy and operate:
Pick an application and visualize it;
Generate and simulate security policy;
Enforce the security policy.
You can visualize the application of your choice by deploying Aporeto as a Kubernetes DaemonSet. If you control the virtual machines on which your application component run, you may also deploy Aporeto as a Docker container or a userland process.
Aporeto auto-generates application security policy by ingesting Kubernetes Network Policies. You also have the option of leveraging your application dependency graph that Aporeto creates to describe the application’s behavioral intent as policies. In every case, you may audit and edit auto-generated policies and inject human wisdom when necessary.
Once you have policies, you may simulate their enforcement at runtime to evaluate the effects of your security policies without interrupting operations. When satisfied that your security policies are solid, you may lockdown your application and protected it with a Zero Trust approach.
Because Aporeto untethers application security from the network and infrastructure, one key benefit of Aporeto’s approach for protecting your containers, microservices and cloud applications is that you can have a consistent security approach even in a hybrid or multi-cloud setting. As you gain experience with Aporeto in a single cluster setting, you will quickly realize how easy it is to have a consistent security posture in multi-cluster and multi-cloud settings without any infrastructure or operational complexity.
Setting up a Kubernetes cluster in IBM Cloud
The first step is to create a IBM Cloud account. After you’ve successfully logged in, the left-hand navigation will take you to Containers.
Select the Kubernetes Cluster icon. We’re going to create a standard cluster below. To create a standard cluster, set the following parameters:
Machine type – a flavor with pre-defined resources per worker node in your cluster
Number of workers – 1 to n based on capacity requirements, and can be scaled up or down after the cluster is running
Private and Public VLAN – choose networks for worker nodes (we’ll create for you if you don’t have any yet)
Hardware – clusters and worker nodes are always single-tenant and isolated to you, but you can choose the level of isolation to meet your needs (shared workers have multi-tenant hypervisor and hardware whereas dedicated worker nodes are single-tenant down to the hardware level)
See the IBM Cloud documentation for more details on cluster creation. Once you are satisfied with your selections, click on the Create Cluster button.
To create a cluster from the command line, use the following command:
bx cs cluster-create –name –location –workers 2 –machine-type u1c.2×4 –hardware shared –public-vlan –private-vlan
You can install Enforcerd as a Kubernetes daemonset using the docker image. This section explains how to install, register, and run enforcerd as a Kubernetes daemonset.
Prerequisite – Account Registration
Prior to following this guide to install the Aporeto Enforcer on your Linux and Kubernetes compute platforms, register your account at https://console.aporeto.com/register/. Once your registration has been accepted, you will receive an email to activate your account along with instructions on accessing the Aporeto Service.
apoctl is the command line interface (CLI) that allows you to interact with the Platform. Make sure you have it installed correctly before going further.
apoctl is a self-contained binary that runs on most Linux distributions.
Install apoctl on Linux
% sudo curl -o /usr/bin/apoctl https://download.aporeto.com/files/apoctl/linux/apoctl % sudo chmod 755 /usr/bin/apoctl
Install apoctl on macOS
% sudo curl -o /usr/bin/apoctl https://download.aporeto.com/files/apoctl/darwin/apoctl % sudo chmod 755 /usr/bin/apoctl
Get an authentication token
In order for apoctl to perform actions on your behalf, you must provide it with a token. apoctl gets its token by reading the content of the $APOCTL_TOKEN environment variable. You can override this variable at anytime by using the –token or -t parameter.
To get a token using your Aporeto account, run the following command:
% apoctl auth aporeto -"account <your-account-name> -e Aporeto account password: <type your password>
https://youtu.be/GDRKoxIqwp4 (install via command-line)
https://youtu.be/NmcyrIUIc3k (install via web interface)
Aporeto automates authenticating & authorizing your Kubernetes clusters via secrets/certificates and adds a Kubernetes-specific agent.
kubesquall runs as a replicaset and reads events and information from Kubernetes.
enforcerd runs as a daemonset and enforces security policies on each Kubernetes node.
Register your Kubernetes cluster in the Platform
You need to declare your Kubernetes Cluster in the Aporeto first. This will install various policies, an Enforcer Profile, and will generate a bundle you can use to deploy everything in a few seconds.
% apoctl account create-k8s-cluster my-first-cluster Kubernetes cluster created in namespace /<your-account-name> Kubernetes configuration bundle written in ./my-first-cluster.tgz
You can see that apoctl created a tgz bundle containing everything you need to securely install Enforcerd and kubesquall on your Kubernetes cluster.
The downloaded tgz file is keyed to a single Kubernetes cluster. Do not apply this file to more than one Kubernetes cluster. To secure multiple Kubernetes clusters, repeat these step for each one of them.
First, extract the content of the archive file.
% tar -xzf my-first-cluster.tgz
Then, run kubectl create on all of the yaml files from the archive file. This will trigger the automatic deployment on Kubernetes.
% kubectl create \ -f aporeto-secrets.yaml \ -f aporeto-cm.yaml \ -f aporeto-enforcer.yaml \ -f aporeto-kubesquall.yaml
configmap “aporeto-cm” created daemonset “aporeto-enforcer” created replicaset “aporeto-kubesquall” created secret “aporeto-secrets” created
You can make sure everything is up and running by checking on the running pods on the kube-system namespace.
% kubectl get pods -n kube-system | grep aporeto
Verify Enforcerd is running
You should be able to see the Enforcerd instance in the running state in the Aporeto web interface, under the Enforcers section.
Congratulations! Enforcerd is now running correctly as a Kubernetes daemonset! You can now view the Platform page in the Aporeto web interface to visualize your services, their contextual identity, and network flows.
IBM Cloud Container Service makes it easy to set up a Kubernetes cluster to host your containerized applications. When running such applications in production, security is required to ensure that applications are safe and communicating properly. Aporeto provides stronger, simpler to operation security for your containers, microservices and cloud applications that is untethered from the infrastructure and network. Learn more about Aporeto solutions or view our On-Demand product demonstration.