This article was written by Amir Sharif, Co-Founder of Aporeto
VMware Cloud PKS is a Kubernetes-as-a-Service offering within the growing VMware Cloud Services SaaS portfolio. It is a fully managed, enterprise-grade Kubernetes-as-a-Service offering that is cost-effective, easy to use, and integrates with cloud-native solutions, such as Aporeto. VMware Cloud PKS is currently available on AWS and will soon be available on Azure, as well as additional cloud environments.
VMware Cloud PKS is differentiated on three core value propositions.
- VMware Smart Cluster™
- Global Policy Framework
The Smart Cluster eliminates the need for pre-provisioning nodes by automating the selection of compute resources, optimizing for deployed application usage, reducing customer cost, and improving capacity planning.
The Smart Cluster is a fully CNCF-compliant Kubernetes that implements best practices for security and high-availability in the public cloud.
VMware Cloud PKS has a simple tree structure to streamline the management of clusters. It does this by organizing resources into logical containers and applying consistent access policies on containers (nodes of the tree), inheriting those recursively through the tree and into the Kubernetes RBAC itself.
VMware Cloud PKS is multi-cloud ready and designed for Kubernetes application portability across public clouds, giving you the freedom to deploy on any or all supported cloud providers.
VMware Cloud PKS is in public beta, try it out by clicking here.
Aporeto’s security offering is built with similar value propositions. First, Aporeto operates on intent-based policies, or policies that describe the desired network security policy of your application at runtime.
Second, Aporeto offers a namespace hierarchy, where policy can be ascribed on any level in the hierarchy and propagated downward as immutable rules.
Finally, Aporeto decouples security from the infrastructure, giving users uniform and portable policies in a multi-cloud environment.
This blog focuses on providing centralized security and monitoring for VMware Cloud PKS clusters, both on AWS and in a multi-cloud infrastructure, in a manner that is easy to deploy and manage.
By following the four steps outlined below, you will learn how to easily enforce network and service layer access policies in your VMware Cloud PKS cluster with Aporeto. You may extend these policies in a multi-cloud environment to legacy workloads without any network configuration or code modification.
The Aporeto solution decouples network security from the underlying network infrastructure. It replaces network firewalls, ACLs, and similar networking constructs with an identity-centric security mechanism.
Every container or process is automatically associated with a multi-attribute identity that captures an application’s characteristics, environment, and security posture. Network security is enforced transparently to applications through end-to-end authentication, authorization, and encryption, and without requiring any development process modification.
The Aporeto identity-based approach enables enterprises to implement a uniform security policy decoupled from the underlying infrastructure.
How Aporeto works
- Ingest developer metadata and/or visualize applications
- Generate and simulate security policies
- Enforce security policies.
You can visualize the application of your choice by deploying Aporeto as a DaemonSet on VMware Cloud PKS.
Aporeto auto-generates L3 security policies by ingesting Kubernetes Network Policies. Taking a service-centric approach, Aporeto auto-discovers Kubernetes services and allows you to define additional L4-L7 policies. For instance, you can transparently insert end-to-end API authorization into your security workflow. You also have the option of leveraging your application dependency graph that Aporeto generates to describe your application’s behavioral intent as policies.
In every case, you may edit auto-generated policies and inject human wisdom as necessary. Once you have policies, you may simulate their enforcement at runtime to evaluate their effects without interrupting operations. When satisfied that your security policies are solid, you may lock down your application and protect it with a zero-trust approach.
A key benefit of this identity-centric approach is that you can enforce a consistent security approach even in a hybrid or multi-cloud setting. As you gain experience with Aporeto in a single cluster setting, you will quickly realize how easy it is to maintain a consistent security posture in multi-cluster and multi-cloud settings without any infrastructure or operational complexity.
4 Steps to Enforce Network and Service Layer Access Policies in VMware Cloud PKS Clusters
1: Prepare the VMware Cloud PKS environment
Create a VMware Cloud PKS folder and project according to the standard VMware Cloud PKS workflow then create a corresponding Smart Cluster. You can choose the production cluster type (HA or development if HA isn’t important).
2: Set up the Aporeto environment
Using a browser login, go to https://console.aporeto.com/.
You can map your VMware Cloud PKS hierarchy to an Aporeto namespace hierarchy by creating the corresponding Aporeto namespaces. For example, you can associate your VMware Cloud PKS folder with a namespace, then create child namespaces for each of your projects. You can use the Namespace Setting tab for these actions.
Once you have created the corresponding namespaces, navigate to the project namespace. Select and expand “System” and then select “Kubernetes Clusters.” Click on the “+” icon (top right). Give the cluster the same name as your corresponding VMware Cloud PKS cluster and leave all defaults as they are.
Click “create.” This action associates a Kubernetes cluster definition in the Aporeto system with your VMware Cloud PKS cluster. It automatically downloads a file with all the necessary Kubernetes definitions on your desktop as
3: Join the VMware Cloud PKS cluster to Aporeto
Extract the contents of the downloaded zip file and, after you have properly configured Kubectl, create the corresponding Kubernetes resources using the provided YAML definitions.
4: Roll up your sleeves and dig in with a demo app
Clone the GitHub repo https://github.com/aporeto-inc/apowine.git and then follow the instructions in the README.md file. By following this tutorial, you will learn how to enforce network and service layer access policies in your VMware Cloud PKS cluster.
Work with your VMware Cloud PKS cluster with Aporeto security
Now that you have connected your VMware Cloud PKS Kubernetes cluster to Aporeto, you can visualize it in real time and on a historical basis by using the Aporeto UI. To learn more, visit the VMware Solution Exchange, or VSX, and search for “Aporeto.”
Besides visualizing and securing your VMware Cloud PKS workload, you can also connect your private cloud workload to your Aporeto account and view your distributed application’s end-to-end operations centrally.
You can find instructions for connecting non-VMware Cloud PKS workloads to Aporeto by perusing the document set in https://console.aporeto.com/accounts/welcome (click on “Switch to Accounts” on the top right corner to the immediate right of the “?” mark icon). As always, you can request support directly in Aporeto’s console.
With VMware Cloud PKS, Aporeto’s powerful security capabilities unlock many use cases, including:
- Network segmentation and workload isolation for cloud-native and legacy workloads, reducing compliance scope
- Transparent encryption without code or network modification
- Uniform API access control policy across services in public or private cloud
- Continuous vulnerability analysis of container images
- Runtime threat detection and protection based on behavioral analysis
- Capability to expand in a multi-cloud service mesh by integrating Istio in the enforcement layer, giving you granular access control for Zero Trust security