ACK security enhancement-Alibaba Cloud Developer Community

BYOK

https://github.com/AliyunContainerService/ack-kms-plugin

This is the KMS provider plugin for Alibaba Cloud: it enables encryption at rest of Kubernetes Secrets, backed by Alibaba Cloud Key Management Service (KMS).

Here we verify Secret encryption on an ACK cluster.

First, create an ACK cluster in the Alibaba Cloud Container Service console, update the apiserver configuration to use the plugin, and confirm that the ack-kms-plugin is installed successfully.

Then create a test Secret and use etcdctl to fetch it directly from etcd, checking that the stored secret data is encrypted.

The secret data should still be decrypted transparently when an authorized user reads the Secret with kubectl.
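As an added example (not from the original article or from the ack-kms-plugin project), the following script classifies the raw value etcdctl returns for a Secret key, so the etcd-side check above can be scripted, and decodes the base64 data that kubectl shows an authorized user. The etcdctl endpoint and certificate paths in the comment, and the KMS provider name `ack-kms`, are assumptions.

```python
"""Check whether a Kubernetes Secret is encrypted at rest in etcd.

Pipe the raw value of the Secret's etcd key into this script, for example
(endpoint and certificate paths are assumptions; adjust for your master):
  ETCDCTL_API=3 etcdctl --endpoints=https://127.0.0.1:2379 \
      --cacert=/etc/kubernetes/pki/etcd/ca.crt \
      --cert=/etc/kubernetes/pki/etcd/server.crt \
      --key=/etc/kubernetes/pki/etcd/server.key \
      get /registry/secrets/default/test-secret --print-value-only \
  | python3 check_secret_at_rest.py
"""
import base64
import json
import sys

ENC_PREFIX = b"k8s:enc:"     # written by kube-apiserver encryption providers
PROTOBUF_MAGIC = b"k8s\x00"  # plaintext protobuf-encoded object


def classify_etcd_value(raw: bytes) -> str:
    """Return 'encrypted:<provider>:<name>' (e.g. 'encrypted:kms:ack-kms'),
    'plaintext-protobuf', 'plaintext-json', 'malformed' or 'unknown'."""
    if raw.startswith(ENC_PREFIX):
        # Layout: k8s:enc:<provider>:<version>:<name>:<ciphertext>
        # maxsplit=3 keeps any ':' inside the ciphertext intact.
        parts = raw[len(ENC_PREFIX):].split(b":", 3)
        if len(parts) != 4 or not parts[3]:
            return "malformed"
        provider, _version, name, _ciphertext = parts
        return f"encrypted:{provider.decode()}:{name.decode()}"
    if raw.startswith(PROTOBUF_MAGIC):
        return "plaintext-protobuf"   # Secret stored unencrypted
    if raw.lstrip().startswith(b"{"):
        return "plaintext-json"       # unencrypted, JSON storage format
    return "unknown"


def decode_kubectl_secret(secret_json: str) -> dict:
    """Decode the base64 'data' of `kubectl get secret -o json`; the API
    server has already decrypted it for the authorized caller."""
    data = json.loads(secret_json).get("data", {})
    return {k: base64.b64decode(v).decode() for k, v in data.items()}


# Constructed samples, not captured from a real cluster.
SAMPLE_ENCRYPTED = b"k8s:enc:kms:v1:ack-kms:\x01\x9f\x00\x42\x7c..."
SAMPLE_PLAINTEXT = b"k8s\x00\n\x0c\n\x02v1\x12\x06Secret..."
SAMPLE_KUBECTL = json.dumps({"data": {"password": base64.b64encode(b"s3cr3t").decode()}})

if __name__ == "__main__":
    print(classify_etcd_value(sys.stdin.buffer.read()))
```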


AD/LDAP

An Alibaba Cloud RAM user can upload the metadata file provided by an external IdP and enable SAML-based Single Sign-On. RAM supports the SAML 2.0 standard, so you can log on to Alibaba Cloud from your enterprise's local account system. Here we use Microsoft AD as the example.

Then enable the SSO status and upload the target metadata XML file.

Configure AD FS to trust RAM as a SAML SP.

Add the claim rules.

The user can then log in from the Alibaba Cloud RAM page, and the browser is automatically redirected to the target AD login page.

After AD authenticates the user successfully, it redirects back to the Alibaba Cloud console.

Besides, Alibaba Cloud Container Service supports deploying Keycloak with Helm charts; Keycloak comes with a built-in LDAP/AD provider on the user application side.


NeuVector

NeuVector, the leader in Kubernetes security delivering the first and only multi-vector container firewall, has announced a partnership with Alibaba Cloud to strengthen Kubernetes security for enterprise customers. See https://neuvector.com/cloud-security/neuvector-alibaba-cloud/

NeuVector's platform includes these key features:

For details, please refer to https://yq.aliyun.com/articles/62411


Vault

Vault is a well-known open-source product for managing secrets and protecting sensitive data, and it has also integrated Alibaba Cloud into its dynamic infrastructure.

Vault treats Alibaba Cloud as a trusted third party and uses a special Alibaba Cloud request, signed with the caller's private credentials, for its auth method: https://www.vaultproject.io/docs/auth/alicloud.html

It also supports dynamically generating, storing and encrypting Alibaba Cloud access tokens based on RAM policies; see https://www.vaultproject.io/docs/secrets/alicloud/index.html

Besides, Alibaba Cloud Container Service supports deploying Vault from the App Catalog, which lets customers deploy it easily based on the official Helm charts.
