Kubernetes application authentication

Question

Maybe this is a dumb question, but I really don't know if I have to secure applications with tokens etc. within a kubernetes cluster.

So for example I make a grpc-call from a client within the cluster to a server within the cluster. I thought this should be secure without authenticating the client with a token or something like that, because (if I understood it right) kubernetes pods and services work within a VPN which won't be exposed as long as it's not told to.

But is this really secure, should I somehow build an authorization system within my cluster?

Also how can I use a service to load balance the grpc-calls over the server pods without exposing the server outside the cluster?

Answer 1

If you have a service, it already has built-in load balancer when you have more than one replica out of the box.

Also Kubernetes traffic is internal within the cluster out of the box, unless you explicitly expose traffic using LoadBalancer, Ingress or NodePort.

Does it mean traffic is safe? No. By default, everything is allowed within Kubernetes cluster so every service can reach every service or pod in StatefulSet apps.

You can use NetworkPolicy to allow traffic from one service to another service and nothing else. That would increase security.

Does it mean traffic is safe now? It depends. Authentication would add an additional security layer in case container is hacked. There could be more scenarios, but I can't think of for now.

So internal authentication is usually used to improve security in production systems.

I hope it answers the question.