k8spacket — are your TLS connections inside the cluster still secure?
Don't you know the k8spacket tool yet? Check this article.
How long ago did you last check whether the TLS communications in your cluster are secure? You have TLS, so you are secure: is that good enough for you? Do you know when and where your services or third-party libraries establish TLS connections inside and outside the cluster?
Description
k8spacket has a new feature that helps you understand and monitor the phase in which secure connections are established. New metrics show which workloads establish TLS connections and which TLS version and cipher suites they use. There is no better way to understand TLS versions, and why the cipher suite matters so much for encryption, than to read the How HTTPS Works comic. For a deeper dive into cipher suites, see this article.
In short:
- The TLS version indicates how recent the protocol is; newer versions are better secured and less vulnerable.
- A cipher suite names the ciphers used to establish the secure connection and to encrypt the transmitted data.
In a Kubernetes cluster, many secure connections are established, and not all of them were designed by you, e.g.:
- the monitoring stack talking to an external webhook, like Slack or Opsgenie
- third-party libraries talking to external partners, like fetching secrets from a Key Management Service
- statistics sent by tools installed in the cluster, like Grafana (see here)
- incoming traffic from the Internet
k8spacket can pick up TLS connections inside the K8S cluster, decode the TLS parameters, and show them in Grafana. Two dashboards are currently available for this:
- one with Prometheus time-series metrics: which domain was called, and which TLS version and cipher suite were used
- one with a table-oriented panel showing more detail about the server certificate chain and the client-supported TLS versions:
  - IP, name, and namespace of the TLS client workload
  - destination name, IP, domain, and port of the TLS server
  - TLS versions and cipher suites supported by the client
  - TLS version and cipher suite chosen by the server
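Taking the dashboard fields above one level down, here is an added example (written for this article, not k8spacket's own tls-parser code) of what a decoder has to pull out of the handshake. It parses a TLS record carrying a ClientHello or ServerHello following the RFC 5246/8446 layout, collects the client's offered versions (from the supported_versions extension, falling back to legacy_version) and cipher suites and the server's chosen pair, then flags legacy protocol versions and non-forward-secret suites the way a dashboard alert would. The cipher suite ids are the real IANA values; the two hello records are constructed inline, not captured traffic, and the Cursor, parse_hello and findings names are this example's own.

```python
"""Decode TLS ClientHello/ServerHello records (RFC 5246/8446 layout) into the
parameters a TLS dashboard shows, then flag legacy versions and weak suites."""
import struct

SUPPORTED_VERSIONS_EXT = 0x002B  # RFC 8446 supported_versions extension id
VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
# IANA cipher suite ids a defender flags on sight: no forward secrecy, legacy ciphers.
WEAK_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA (static RSA, no forward secrecy)",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA (3DES, no forward secrecy)",
}

class Cursor:
    """Bounds-checked reader over bytes; raises ValueError on truncation."""
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated TLS message")
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def u8(self):
        return self.take(1)[0]
    def u16(self):
        return struct.unpack(">H", self.take(2))[0]
    def left(self):
        return len(self.data) - self.pos

def u16_list(b):
    """Split bytes into big-endian 16-bit ids (cipher suites, versions)."""
    return list(struct.unpack(f">{len(b) // 2}H", b[:len(b) // 2 * 2]))

def parse_hello(record):
    """Return {is_client, versions, cipher_suites} for one hello record."""
    r = Cursor(record)
    if r.u8() != 0x16:  # record content type: handshake
        raise ValueError("not a TLS handshake record")
    r.u16()  # record-layer version is not authoritative; skip it
    hs = Cursor(r.take(r.u16()))
    msg_type = hs.u8()
    body = Cursor(hs.take(int.from_bytes(hs.take(3), "big")))  # 24-bit body length
    legacy_version = body.u16()
    body.take(32)  # random
    body.take(body.u8())  # legacy_session_id
    if msg_type == 1:  # ClientHello: offered suites, then compression_methods
        suites = u16_list(body.take(body.u16()))
        body.take(body.u8())
    elif msg_type == 2:  # ServerHello: the one chosen suite, then compression_method
        suites = [body.u16()]
        body.u8()
    else:
        raise ValueError(f"unsupported handshake type {msg_type}")
    versions = []
    # Extensions are optional in TLS 1.2 hellos; supported_versions, when present,
    # overrides legacy_version (RFC 8446 section 4.2.1).
    if body.left():
        ext = Cursor(body.take(body.u16()))
        while ext.left() >= 4:
            ext_type, data = ext.u16(), Cursor(ext.take(ext.u16()))
            if ext_type == SUPPORTED_VERSIONS_EXT:
                # the client sends a u8-length-prefixed list, the server a single value
                versions = u16_list(data.take(data.u8())) if msg_type == 1 else [data.u16()]
    return {"is_client": msg_type == 1, "versions": versions or [legacy_version],
            "cipher_suites": suites}

def findings(hello):
    """Risk notes for one hello: legacy protocol versions and weak cipher suites."""
    notes = [f"legacy protocol {VERSION_NAMES.get(v, hex(v))}"
             for v in hello["versions"] if v < 0x0303]
    return notes + [WEAK_SUITES[s] for s in hello["cipher_suites"] if s in WEAK_SUITES]

def _record(msg_type, body):
    """Wrap a handshake body in handshake and record headers."""
    hs = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack(">H", len(hs)) + hs

def sample_client_hello():
    """Constructed ClientHello: offers TLS 1.3/1.2/1.0, two modern and two weak suites."""
    suites = b"\x13\x01\xc0\x2f\x00\x2f\x00\x0a"
    ext = struct.pack(">HH", SUPPORTED_VERSIONS_EXT, 7) + b"\x06\x03\x04\x03\x03\x03\x01"
    body = (b"\x03\x03" + bytes(32) + b"\x00"  # legacy_version, random, empty session id
            + struct.pack(">H", len(suites)) + suites + b"\x01\x00"  # null compression only
            + struct.pack(">H", len(ext)) + ext)
    return _record(1, body)

def sample_server_hello():
    """Constructed TLS 1.2 ServerHello: picks TLS_RSA_WITH_AES_128_CBC_SHA, no extensions."""
    return _record(2, b"\x03\x03" + bytes(32) + b"\x00\x00\x2f\x00")

if __name__ == "__main__":
    for rec in (sample_client_hello(), sample_server_hello()):
        h = parse_hello(rec)
        print("client" if h["is_client"] else "server",
              [VERSION_NAMES.get(v, hex(v)) for v in h["versions"]], findings(h))
```

Running it prints one line per side: a client that still offers TLS 1.0 and TLS_RSA_* suites, and a server that actually picks one of them, are exactly the cases the Prometheus panel is meant to surface. Note that a TLS 1.2 server may send no extensions at all, so the chosen version has to come from legacy_version in that case, and that a truncated or non-handshake record raises ValueError instead of reading past the buffer, which matters when the input comes straight off the wire.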
Installation
To install k8spacket, you need Helm and Grafana installed. Additionally, the tls-parser extension requires the JSON API plugin. See all installation steps here.
Additional note
Since version 1.0.0 of k8spacket, the architecture has changed to a pluggable one. You can now write custom extensions that implement the plugin-api interface and apply them through the Helm configuration values file.
Summary
If you want to check the TLS connection parameters used by clients in your Kubernetes cluster, whether written by you or pulled in by a third-party library, try the k8spacket tls-parser plugin.
Find the source code at github.com/k8spacket