[MOSIP-30259] Create blog-securing-access-to-MOSIP-k8-clister.md #307

Open. Wants to merge 3 commits into base: 1.2.0
54 changes: 54 additions & 0 deletions docs/blog-securing-access-to-MOSIP-k8-clister.md
@@ -0,0 +1,54 @@
# Securing the access for MOSIP environment kubernetes clusters
## What is kubernetes cluster?
Kubernetes is an open-source container orchestration platform that automates the deployment, scaling, and management of containerized applications. It allows you to abstract away the underlying infrastructure, providing a consistent and declarative way to manage containerized workloads.
## Kubernetes clusters in MOSIP
Overall in MOSIP there are two kubernetes clusters for an environment.
* Observation Cluster : One for a country/SI/Organisation wide cluster, this is where other kubernetes clusters are imported for adding/updating/viewing  the other kubernetes resources.  
* MOSIP cluster : Kubernetes cluster in which all the MOSIP and its dependent services are deployed. 
## Securing MOSIP's kubernetes clusters
* Securing Kubernetes clusters in the context of MOSIP involves a combination of VPN solutions, identity and access management, service mesh for traffic control, and additional security measures.
* This multi-layered approach is essential to meet the security requirements of a country-wide Identity system like MOSIP, ensuring:
* Protection against potential threats.
* Maintaining Funtionality.
* Ensuring Confidentiality.
* Preventing data breaches.
* Environments have 99% uptime.
## How do we secure MOSIP's kubernetes cluster ?
Below are the mentioned steps taken for securing the kubernetes clusters:
* Wireguard: Limiting access to the Kubernetes nodes to authorized administrators.
* WireGuard is a lightweight and secure VPN (Virtual Private Network) solution that can be used to establish encrypted communication channels between user and different nodes.
* In the context of securing Kubernetes nodes and limiting access to authorized administrators, you can use WireGuard to create a secure communication channel between administrators and the Kubernetes nodes.
* So nobody will be able to access the kunernetes nodes without having proper wireguard configuration provided by DevOps Admin.
* This approach centralizes access through the Bastion server, providing an additional layer of security and control over who can access the Kubernetes nodes.
* Here's a general outline of the steps to be taken:
* Setting up Wireguard [Bastion](https://docs.mosip.io/1.2.0/deploymentnew/v3-installation/on-prem-installation-guidelines#setup-wireguard-vm-and-wireguard-bastion-server) : Create a Wireguard Bastion server to secure access to all the nodes by configuring it for defined CIDR range in which all the k8 nodes are present.
* [Wireguad client](https://docs.mosip.io/1.2.0/deploymentnew/v3-installation/on-prem-installation-guidelines#setup-wireguard-client-in-your-pc) on Administrator's device.
* Sharing Unique and proper wireguard configuration files to each adminstrator.
* Rancher UI + Keycloak : Implement Role-Based Access Control (RBAC) to control access to resources within each Kubernetes cluster.
* Rancher UI acts as a management platform for Kubernetes clusters.
* Keycloak serves as an identity provider and handles authentication.
* Rancher UI can be deployed using mentioned [steps](https://docs.mosip.io/1.2.0/deploymentnew/v3-installation/on-prem-installation-guidelines#rancher-ui).
* Keycloak can be deployed using mentioned [steps](https://docs.mosip.io/1.2.0/deploymentnew/v3-installation/on-prem-installation-guidelines#keycloak).
* Rancher UI and Keycloak integration can be performed using following [steps](https://docs.mosip.io/1.2.0/deploymentnew/v3-installation/on-prem-installation-guidelines#keycloak-rancher-ui-integration).
* Created Roles based access control (RBAC) using mentioned [steps](https://docs.mosip.io/1.2.0/deploymentnew/v3-installation/on-prem-installation-guidelines#rbac-for-rancher-using-keycloak).
* This way you can create multiple groups and users in keycloak and provide them access via rancher UI.
* Istio: Secure access to administrative dashboards within the Kubernetes clusters.
* This involves leveraging Istio's capabilities for traffic management, access control, and security policies.
* Istio provides powerful features to control and secure the flow of traffic between services.
* Below are general steps to secure access to administrative dashboards within Kubernetes clusters using Istio
* In MOSIP we have two ingress controllers:
* Ingress Controller: Ingress controller is a component that manages external access to services within a cluster. It acts as a traffic manager, routing incoming requests to the appropriate services based on defined rules.
* Two ingress controllers in MOSIP:
* ingressgateway : It exposes the publically available required dashboards outside of wireguard. These dashboards can be accessed without using dashboards.
* ingressgateway-internal : It exposes the multiple administrative dashboards via wireguard. You need wireguard to connect to these dashboards.
* We also have multiple gateways linked to each UI dashboards in MOSIP.
* Gateways : Gateway is a resource that defines how external traffic should be routed to services within the cluster.
* Gateways are often associated with service meshes, where they play a key role in managing ingress and egress traffic
* The gateways of the required adminstrative dashboards always points to the `ingressgateway-internal`.
* After pointing to right `ingressgateway` make sure it is pointing to correct host.
* Each Services and UI has its own `virtualservices`.
* Virtualservice: VirtualService is a resource that defines a set of rules that determine how requests to a Kubernetes service should be routed within the Istio service mesh.
* The primary purpose of a VirtualService is to define routing rules for incoming traffic to a service.
* You can specify various conditions based on which traffic should be routed to different destination services or versions.
* From each `virtualservices` we link them correctly to their `gateway` and context paths so that they gets configured correctly to recieve traffice from relevant ingressgateway.
* This way we make sure that all the admintrative dashboard's access is restricted to wireguard via use of relevant `ingressgateway`, `gateways` and `virtualservices`.
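Review bot: the `ingressgateway` bullet ends with "These dashboards can be accessed without using dashboards.", which reads as a slip for "without using wireguard"; since this line is the one place the draft states the public/internal split between `ingressgateway` and `ingressgateway-internal`, please correct it. Two other content points: the WireGuard section says "nobody will be able to access the kunernetes nodes without having proper wireguard configuration", but the draft never states what enforces that, so add a sentence making explicit that the node CIDR (mentioned in the Bastion bullet) is reachable only through the bastion and that node SSH and API ports are not exposed outside it, otherwise the claim rests on the VPN config alone; and "Environments have 99% uptime" is presented as an outcome of the security design with nothing in the text supporting it, so either drop it or reword it as a goal. Please also fix the spelling throughout: "clister" in the file name `docs/blog-securing-access-to-MOSIP-k8-clister.md` (and the PR title), "Funtionality", "kunernetes", "Wireguad", "adminstrator"/"admintrative", "publically", and "recieve traffice". Finally, "After pointing to right `ingressgateway` make sure it is pointing to correct host." is too vague to act on; say which resource's `hosts` field is meant (the `Gateway` or the `VirtualService`) and what "correct" means in the MOSIP setup.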