Cargando…

Implementation of New Security Features in CMSWEB Kubernetes Cluster at CERN

The CMSWEB cluster is pivotal to the activities of the Compact Muon Solenoid (CMS) experiment, as it hosts critical services required for the operational needs of the CMS experiment. Lately, CMSWEB has migrated from the VM cluster to Kubernetes (k8s) cluster to enhance sustainability, reduce operati...

Descripción completa

Detalles Bibliográficos
Autor principal: Ali, Aamir
Lenguaje:eng
Publicado: 2022
Materias:
Acceso en línea:http://cds.cern.ch/record/2826676
_version_ 1780973849415778304
author Ali, Aamir
author_facet Ali, Aamir
author_sort Ali, Aamir
collection CERN
description The CMSWEB cluster is pivotal to the activities of the Compact Muon Solenoid (CMS) experiment, as it hosts critical services required for the operational needs of the CMS experiment. Lately, CMSWEB has migrated from the VM cluster to Kubernetes (k8s) cluster to enhance sustainability, reduce operational costs, and shorten the release upgrade cycles. Similarly, almost all of these Kubernetes services either host or use sensitive data. The security of these services and the corresponding data is crucial to CMS. Any malicious attack can compromise the availability of our services. Therefore, it is important to construct a robust security infrastructure. In this report, I will discuss some new security features introduced to the CMSWEB k8s cluster. The new features include the implementation of network policies, deployment of Open Policy Agent (OPA), enforcement of OPA policies, and lastly, the integration of Vault. The network policies act as an inside-the-cluster firewall to limit the network communication between the pods to the minimum necessary, and its dynamic nature allows us to work with microservices. The OPA validates the objects against some custom-defined policies during create, update, and delete operations to further enhance security. Without recompiling or changing the configuration of the Kubernetes API server, it can apply customized policies on Kubernetes objects and their audit functionality enable us to detect pre-existing conflicts and issues. Although Kubernetes incorporates the concepts of secrets, they are only base64 encoded and are not dynamically configured; once the configuration of any secret is changed, the service restart is required for the configuration to be incorporated. This is where Vault comes into play! Vault dynamically secures, stores, and tightly controls access to sensitive data. So, the secret information is encrypted, secured, and centralized making it more scalable and easier to manage. Thus, the implementation of these three security features will corroborate the enhanced security and reliability of the CMSWEB Kubernetes infrastructure.
id cern-2826676
institution Organización Europea para la Investigación Nuclear
language eng
publishDate 2022
record_format invenio
spelling cern-28266762022-10-05T12:15:02Zhttp://cds.cern.ch/record/2826676engAli, AamirImplementation of New Security Features in CMSWEB Kubernetes Cluster at CERNComputing and ComputersThe CMSWEB cluster is pivotal to the activities of the Compact Muon Solenoid (CMS) experiment, as it hosts critical services required for the operational needs of the CMS experiment. Lately, CMSWEB has migrated from the VM cluster to Kubernetes (k8s) cluster to enhance sustainability, reduce operational costs, and shorten the release upgrade cycles. Similarly, almost all of these Kubernetes services either host or use sensitive data. The security of these services and the corresponding data is crucial to CMS. Any malicious attack can compromise the availability of our services. Therefore, it is important to construct a robust security infrastructure. In this report, I will discuss some new security features introduced to the CMSWEB k8s cluster. The new features include the implementation of network policies, deployment of Open Policy Agent (OPA), enforcement of OPA policies, and lastly, the integration of Vault. The network policies act as an inside-the-cluster firewall to limit the network communication between the pods to the minimum necessary, and its dynamic nature allows us to work with microservices. The OPA validates the objects against some custom-defined policies during create, update, and delete operations to further enhance security. Without recompiling or changing the configuration of the Kubernetes API server, it can apply customized policies on Kubernetes objects and their audit functionality enable us to detect pre-existing conflicts and issues. Although Kubernetes incorporates the concepts of secrets, they are only base64 encoded and are not dynamically configured; once the configuration of any secret is changed, the service restart is required for the configuration to be incorporated. This is where Vault comes into play! Vault dynamically secures, stores, and tightly controls access to sensitive data. So, the secret information is encrypted, secured, and centralized making it more scalable and easier to manage. Thus, the implementation of these three security features will corroborate the enhanced security and reliability of the CMSWEB Kubernetes infrastructure.CERN-STUDENTS-Note-2022-138oai:cds.cern.ch:28266762022-09-09
spellingShingle Computing and Computers
Ali, Aamir
Implementation of New Security Features in CMSWEB Kubernetes Cluster at CERN
title Implementation of New Security Features in CMSWEB Kubernetes Cluster at CERN
title_full Implementation of New Security Features in CMSWEB Kubernetes Cluster at CERN
title_fullStr Implementation of New Security Features in CMSWEB Kubernetes Cluster at CERN
title_full_unstemmed Implementation of New Security Features in CMSWEB Kubernetes Cluster at CERN
title_short Implementation of New Security Features in CMSWEB Kubernetes Cluster at CERN
title_sort implementation of new security features in cmsweb kubernetes cluster at cern
topic Computing and Computers
url http://cds.cern.ch/record/2826676
work_keys_str_mv AT aliaamir implementationofnewsecurityfeaturesincmswebkubernetesclusteratcern