Open in app

Sign in

Write

Sign in

vClusters 101 — Getting started securely

Imran Roshan
Google Cloud - Community
Published in
6 min readJun 21, 2024

A first hand experience with vCluster implementation and security.

Think about an environment where distinct, virtual Kubernetes clusters can be established inside a solitary physical cluster. vClusters’ magic is this! Every vCluster has its own control plane, resource quota, and API server, making it a fully functional Kubernetes environment. That too with some crazy features:

  • Enhanced Security: Because workloads in various vClusters are totally segregated, harmful behavior and illegal access are prevented.
  • Fine-grained Resource Management: To ensure equitable and effective resource use, you can assign distinct resource quotas to every vCluster.
  • Cost-Effectiveness: vClusters offer a more cost-effective alternative than setting up individual physical clusters for every tenant.
  • Enhanced Developer Experience: Workflows are streamlined when developers can quickly spin up pristine, isolated environments for testing, development, and deployment.
  • Simplified Multi-Tenancy: vClusters provide a strong base upon which to erect scalable, safe multi-tenant Kubernetes systems.

The architecture of the vCluster is broken down as follows:

  • Host Cluster: The physical Kubernetes cluster that serves as the system’s base.
  • vCluster Operator: This operator oversees the construction, deletion, and scaling of vClusters.
  • vCluster CRDs: Definitions of Custom Resources Describe the host cluster’s intended vCluster state.
  • vCluster API Server: To manage resources inside the vCluster, each vCluster has its own API server.
  • vCluster Control Plane: For every vCluster, the controller manager and scheduler in the control plane function separately.
  • vCluster Workloads: The services and apps set up inside a particular vCluster.

Setting Up

Let’s set ourselves with vCluster

Prerequisites:

  • A running Kubernetes cluster (v1.19 or later)
  • kubectl configured to access the cluster

Install the vCluster CLI with the following command

curl -fsSL https://raw.githubusercontent.com/loft/vcluster/master/install.sh | sh -s -- -b <bin_dir>

Replace <bin_dir> with the desired directory for the vcluster binary (e.g., /usr/local/bin)

Run the command vcluster apply install on the host cluster, this command generates the required deployments and Custom Resource Definitions (CRDs) for the vCluster operator.

Now we create the vCluster definition with the following YAML file initialising two worker nodes:

apiVersion: vcluster.loft.sh/v1alpha1
kind: VCluster
metadata:
  name: dev-vcluster
spec:
  workers: 2

Now deploy the vCluster with vcluster apply -f dev-cluster.yaml

It might be a little confusing on how to access and interact with such clusters but hey vcluster provides a kubeconfig generation utility to access the API server of the newly created vCluster.

vcluster kubeconfig dev-vcluster > dev-vcluster.kubeconfig

export KUBECONFIG=dev-vcluster.kubeconfig
kubectl get pods -n default

This command will now retrieve the pod information for workloads running within the “dev-vcluster”.

Securing

vCluster comes with a number of built-in security mechanisms, including:

  • Namespace Isolation: By operating inside a separate namespace, every vCluster restricts access to resources from other vClusters.
  • Role-Based Access Control (RBAC): Giving users and service accounts inside each vCluster roles and permissions allows for granular management.
  • Network Policies: To further improve isolation, network traffic between vClusters can be limited.

But the tale is not over yet. The following are some possible weaknesses to think about:

  • Shared Kernel: Each vCluster shares the same underlying infrastructure, or kernel. There is a chance that a shared kernel vulnerability might affect every vCluster.
  • Misconfigurations: Unintentional access or privilege escalation may result from incorrect vCluster configuration.
  • Supply Chain Attacks: It is possible to take advantage of flaws in container images that are used by vClusters.
  • Privilege Escalation: To obtain increased privileges within the underlying Kubernetes cluster, malicious actors may take advantage of weaknesses in the vCluster control plane. They might be able to use this to install unauthorized software, steal confidential information, or interfere with essential services.
  • Lateral Movement: An attacker’s reach and effect may be increased by moving laterally across linked Kubernetes clusters once inside a vCluster.

Building a Secure vCluster Workflow

Here’s how to use open-source tools to secure your vClusters step-by-step:

Security Before Deployment

Before distributing container images to vClusters, use Trivy or Clair to implement static code scanning to find vulnerabilities in the images.
To audit your vCluster configuration and find possible security misconfigurations, use tools like Kube-bench and Kubescape.

Security Deployment

To manage and keep sensitive data used in vClusters safely, utilize a secrets management platform like as Vault.
Enforce RBAC policies to provide service accounts and users inside each vCluster with least privilege access.

Security at Runtime

Use a runtime security tool, like as Falco, to identify unusual activity occurring in containers running in virtual clusters.
Keep an eye out for unusual resource usage trends and network activities on your vCluster by using Prometheus and Grafana.

Monitoring

Regularly use tools like Kube-bench and Kubescape to scan vClusters for vulnerabilities and benchmarking for the cluster.

Security Tools

Gatekeeper

At the entrance to your vCluster kingdom, Gatekeeper keeps watch and enforces admittance control regulations. Consider it akin to a security checkpoint were workloads are scrutinized prior to authorization. Policies can be defined to:

  • Limit the use of resources by setting quotas.
  • Implement security guidelines for pods.
  • Verify setups for recommended security procedures.

This is a sample of code that shows how a Gatekeeper policy limits CPU consumption for pods within a certain vCluster:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: cpu-quota
spec:
  crd:
    spec:
      group: constraints.gatekeeper.sh
      names:
        kind: CPUQuota
      versions:
      - name: v1beta1
  targets:
  - match:
      kinds:
      - Pod
  rules:
  - message: "Pod '{{ request.object.metadata.name }}' exceeds CPU quota"
    name: cpu-quota-rule
    severity: Medium
    constraints:
      - type: JSMediatype
        values:
          script: |
            let requestCPU = request.object.spec.containers[0].resources.requests.cpu || "0";
            let quota = 1; // Set your desired quota in CPU units
            return requestCPU <= quota;

Open Policy Agent (OPA)
OPA is your security orchestra’s grand conductor. It lets you create granular authorization rules that are applicable to any part of your Kubernetes infrastructure, including vClusters. Policies can be made to:

  • Using user roles, restrict access to vCluster resources.
  • Restrict pod rights and capabilities.
  • Apply network regulations to vClusters.

This is an illustration of an OPA policy that limits access to a particular vCluster’s secrets resource:

package my.vcluster.auth

allow if request.extras["vcluster.name"] != "restricted-vcluster" or 
  request.user.groups[_] == "cluster-admin"

deny if request.resource.kind == "Secret"

Kustless

You may use this tool to manage Kubernetes resources by assembling reusable parts, or “modules.” Kustless lowers the possibility of errors in your deployments and encourages consistency and maintainability. You can also use Kustless to enforce best practices and security regulations inside your vClusters.

You can create reusable modules with Kustless that contain the configurations and security policies you want. A Kustless module that implements a pod security policy (PSP) looks like this:

namespace: my-app

resources:
  - name: psp.yaml
    type: File
    content: 
      apiVersion: policy/v1beta1
      kind: PodSecurityPolicy
      metadata:
        name: restricted-pod-security-policy
      spec:
        # Define your desired security constraints here

This module defines a Pod Security Policy (PSP) file with specified security limitations called psp.yaml. You may make sure that every pod that is deployed inside the vCluster complies with these security requirements by including a reference to this module in your vCluster configuration.

To Conclude

Firstly, these were just the tip of the huge iceberg of toolsets that might be utilized for securing vClusters, go ahead and explore more that might suit your use cases. vClusters have a great deal of promise to empower developers and expedite the deployment of applications. Security, though, needs to come first.

Recall that maintaining security is a continuous effort. Remain alert, make sure your tools are up to date, and regularly assess your security posture. You can make sure that your vClusters in your containerized landscape continue to be strongholds of security by adhering to these guidelines.

Connect with me

https://linktr.ee/imranfosec

Technology
Kubernetes
Programming
Cybersecurity
Google Cloud Platform

--

--

Imran Roshan
Google Cloud - Community

Written by Imran Roshan

464 Followers
Writer for

Your security sherpa | Google Developer Expert (GCP) | Ethical Hacker | Cloud Security

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams