Gravitational has added Kubernetes support to its Teleport credential management product, placing the popular container orchestration platform alongside the already supported Secure Shell (SSH) protocol. Both are controlled through a single pane of glass for organizations dealing with multiple infrastructure environments.
Gravitational CEO Ev Kontsevoy explained that the Teleport 3.0 update brings three main benefits tied to the Kubernetes integration. The first is a single control plane for role-based access control (RBAC) over SSH and, now, Kubernetes. This gives one point of credential issuance and removes the duplicated work of maintaining a separate access system for each.
“IT teams no longer have to manage different universes,” Kontsevoy said. “This provides a single authentication point for SSH and Kubernetes, removing the need to do this twice.”
The second is the ability to manage multiple Kubernetes clusters that sit behind firewalls or have no open inbound ports, without having to set up a VPN. The third is unified audit logging for both SSH and Kubernetes, including recording of interactive sessions that can be played back like a video.
Kontsevoy said he has witnessed a trend where IT departments want to have all of their environments protected but want that control plane on premises. “This is what we are designed to do,” he said. “To be installed somewhere close to the identity manager.”
The Kubernetes integration also closes a gap that customers had been pressing the company to fill. “Not having Kubernetes support was driving people nuts,” Kontsevoy said.
The Kubernetes community itself continues to improve how credentials are issued within the platform. The recent Kubernetes 1.12 release promoted Kubelet TLS Bootstrap to general availability. It allows the kubelet, the primary “node agent” that runs on each node, to generate its own private key and a certificate signing request (CSR) and submit the CSR to the cluster-level certificate signing process, so the private key never leaves the node and the cluster's CA decides which identity it will sign.
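The two halves of that bootstrap step, the kubelet generating a key and CSR and the cluster side deciding whether the CSR deserves a node certificate, as an added example in Go using only the standard library. This is not Kubernetes' or Teleport's code: the real kubelet submits its CSR through the CertificateSigningRequest API with a bootstrap token, which this offline example omits, and the function names here are my own. The subject convention it enforces, a CommonName of `system:node:<name>` with the single Organization `system:nodes`, is the identity Kubernetes expects in a kubelet client certificate; the approver checks model what a signer should verify before issuing, including rejecting a CSR that asks for a more privileged group.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// Identity conventions Kubernetes expects in a kubelet client certificate.
const (
	NodeGroup    = "system:nodes" // the only Organization a node CSR may carry
	NodeCNPrefix = "system:node:" // CommonName is system:node:<node name>
)

// GenerateCSR creates a fresh P-256 key and a PEM-encoded CSR with the given
// subject. Generic on purpose so a deliberately bad CSR can be built with it.
func GenerateCSR(commonName string, orgs []string) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: commonName, Organization: orgs},
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	csrPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
	return csrPEM, key, nil
}

// GenerateNodeCSR is the kubelet side of TLS bootstrap: the private key is
// created on the node and never leaves it; only the CSR is sent to the cluster.
func GenerateNodeCSR(nodeName string) ([]byte, *ecdsa.PrivateKey, error) {
	return GenerateCSR(NodeCNPrefix+nodeName, []string{NodeGroup})
}

// ValidateNodeCSR is the approver side: before the cluster CA signs, check
// that the PEM parses, the CSR's self-signature verifies (proof the requester
// holds the key), the subject is a node identity and nothing else, and the
// request carries no subject alternative names. Returns the node name.
func ValidateNodeCSR(csrPEM []byte) (string, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return "", errors.New("not a PEM CERTIFICATE REQUEST")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return "", err
	}
	if err := csr.CheckSignature(); err != nil {
		return "", fmt.Errorf("CSR self-signature invalid: %w", err)
	}
	// A request for any other group (system:masters, say) is an attempt to
	// turn a node credential into a cluster-admin one; reject it outright.
	if len(csr.Subject.Organization) != 1 || csr.Subject.Organization[0] != NodeGroup {
		return "", fmt.Errorf("organization must be exactly [%s], got %v", NodeGroup, csr.Subject.Organization)
	}
	name := strings.TrimPrefix(csr.Subject.CommonName, NodeCNPrefix)
	if name == "" || name == csr.Subject.CommonName {
		return "", fmt.Errorf("common name %q is not a node identity", csr.Subject.CommonName)
	}
	if len(csr.DNSNames)+len(csr.IPAddresses)+len(csr.EmailAddresses)+len(csr.URIs) > 0 {
		return "", errors.New("node client CSR must not carry subject alternative names")
	}
	return name, nil
}

func main() {
	csrPEM, _, err := GenerateNodeCSR("worker-1")
	if err != nil {
		panic(err)
	}
	name, err := ValidateNodeCSR(csrPEM)
	fmt.Println("node:", name, "err:", err)

	// Constructed escalation attempt: a node asking for the cluster-admin group.
	bad, _, _ := GenerateCSR("system:node:worker-1", []string{"system:masters"})
	_, err = ValidateNodeCSR(bad)
	fmt.Println("escalation attempt rejected:", err)
}
```

The signature check matters as much as the subject check: without it an attacker who can post CSRs could request a certificate for a key they do not hold, and the group check is what keeps a bootstrap credential from being laundered into a more privileged identity.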
Despite the updates, Kontsevoy noted that, “Kubernetes has a pretty robust security mechanism, but companies are struggling with how to manage access. They just want this to be simple and not have to learn something completely new.”
Adding Kubernetes into the mix did not require a lot of modifications to the Teleport platform. Kontsevoy explained that Kubernetes has strong APIs that allow for middleware like Teleport to easily connect into a data stream. “But it’s still new and has some blanks that need to be filled,” he added. “Like for SSH.”
Infrastructure access has traditionally been handled through the SSH protocol, which allows secure system administration and file transfers over untrusted networks.
However, the implementations are not immune to bugs. A couple of years ago Qualys found a pair of long-standing security holes in OpenSSH, the most widely used open source SSH implementation. Those client-side vulnerabilities, in the undocumented “roaming” feature, let a malicious or compromised server read the memory of a client connecting to it. Among the items that could be extracted this way are the user's private keys.
But, the rise of Kubernetes as a way to automate deployment, scaling, and management of containerized applications has provided a new avenue for infrastructure management. A prime example is the recent push to use Kubernetes as the infrastructure layer for the Open Networking Automation Platform (ONAP).
“Those management and orchestration capabilities open up a lot of opportunities for the ecosystem,” Kontsevoy said.
Gravitational was formed in 2015, with most of its founders coming from Rackspace. The company has attracted $4.2 million in funding through a pair of seed rounds. Backers include Y Combinator, CrunchFund, Spectrum 28, and SV Angel.
Teleport remains cloud agnostic but is integrated into the Amazon Web Services (AWS) Marketplace. The platform competes against legacy systems from companies like Centrify and CyberArk, the latter of which was recently added as an application into Google’s Cloud Platform (GCP) Marketplace.