Confusion on Kubernetes security and networking

As I was checking some Azure docs, I found that making a cluster private will increase your security. Then what is the purpose of having an end-to-end encrypted cluster? Do production-grade applications have an end-to-end encrypted cluster and a private cluster together?
If so, what does each of them provide, and is it necessary to do both for production-grade applications? And what about a service mesh? Do we need all this complex security for our cluster?

I’m just thinking out loud…

  • What is a private cluster?

    • When both the control plane and the worker nodes are accessible only within a private virtual network, that cluster can be called a private cluster.
  • What if there is another node/VM (other than the cluster nodes) in the same private network?

    • This VM might be able to see the traffic in this private network, and if there is no end-to-end encryption, your data might be exposed. This is just one example I could think of.
  • Now, if you have end-to-end encryption (E2EE) enabled, even if the malicious VM is in the same private network, it might not be able to do much with the encrypted data.

  • Do production-grade applications have an end-to-end encrypted cluster and a private cluster together?

    • I haven’t maintained any production-grade cluster, but ideally, from the security standpoint, it seems reasonable to have end-to-end encryption even though your cluster is in a private network.
    • A private network minimises the attack surface by preventing direct internet exposure.
    • E2EE protects data integrity and confidentiality during transmission and storage.
  • What is the purpose of service mesh?

    • Definition from Google: A service mesh is a dedicated infrastructure layer that facilitates communication between services in a microservices architecture. It provides a standardized way to control, monitor, and secure service-to-service communication without requiring significant changes to the application code.
    • Security is one of its purposes.
    • It is useful for managing complex microservices but not strictly necessary for simpler systems.
  • Do we need all this complex security?

    • It all depends on your use case.
    • Will you be handling sensitive user data? Then yes, it’s better to be safe than sorry 🙂
    • If it is just for testing then maybe not.
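The "VM on the same private network" scenario from the answer above, as an added, runnable illustration (this is example code written for this thread, not code from the original post or from any KodeKloud material). A loopback server stands in for one pod, a client for another, and a small `tap` wrapper records every byte the client puts on the wire, which is what a sniffing VM in the subnet would see. The same secret is sent once over plain TCP and once over mutual TLS, the transport-level E2EE that a service mesh enforces between sidecars. The service name `svc.internal`, the bearer-token string and the single self-signed certificate are all constructed for the example; a real mesh issues a short-lived certificate per workload from its own CA.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// secret is a constructed stand-in for sensitive data one pod sends another.
const secret = "Authorization: Bearer constructed-example-token"

// must keeps the demo short: any setup failure aborts the run.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// tap records every byte the client puts on the wire: what a sniffing VM sees.
type tap struct {
	net.Conn
	seen bytes.Buffer
}

func (t *tap) Write(p []byte) (int, error) {
	t.seen.Write(p)
	return t.Conn.Write(p)
}

// mtlsConfigs returns a server config that requires a verified client cert and
// a client config that presents one. Both trust a single self-signed cert here.
func mtlsConfigs() (*tls.Config, *tls.Config) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: []string{"svc.internal"}, // hypothetical name
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IsCA:         true, BasicConstraintsValid: true,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	pool := x509.NewCertPool()
	pool.AddCert(must(x509.ParseCertificate(der)))
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
	return &tls.Config{Certificates: []tls.Certificate{cert}, ClientCAs: pool,
			ClientAuth: tls.RequireAndVerifyClientCert, MinVersion: tls.VersionTLS13},
		&tls.Config{Certificates: []tls.Certificate{cert}, RootCAs: pool,
			ServerName: "svc.internal", MinVersion: tls.VersionTLS13}
}

// serve accepts one connection, wraps it in mTLS when asked, and drains it.
func serve(ln net.Listener, useTLS bool, cfg *tls.Config) error {
	c, err := ln.Accept()
	if err != nil {
		return err
	}
	defer c.Close()
	if useTLS {
		c = tls.Server(c, cfg)
	}
	_, err = io.Copy(io.Discard, c) // read until the client closes
	return err
}

// sniff sends secret to a loopback server over plain TCP or mutual TLS and
// returns the bytes the tap saw on the wire.
func sniff(useTLS bool) []byte {
	srvCfg, cliCfg := mtlsConfigs()
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	srvDone := make(chan error, 1)
	go func() { srvDone <- serve(ln, useTLS, srvCfg) }()
	wire := &tap{Conn: must(net.Dial("tcp", ln.Addr().String()))}
	var c net.Conn = wire
	if useTLS {
		c = tls.Client(wire, cliCfg)
	}
	must(c.Write([]byte(secret)))
	c.Close()
	must(0, <-srvDone) // surface any server-side handshake or read error
	return wire.seen.Bytes()
}

// secretLeaks reports whether the sniffer saw the secret verbatim.
func secretLeaks(useTLS bool) bool {
	return bytes.Contains(sniff(useTLS), []byte(secret))
}

func main() {
	fmt.Println("plain TCP, secret visible on the wire:", secretLeaks(false)) // true
	fmt.Println("mutual TLS, secret visible on the wire:", secretLeaks(true)) // false
}
```

Two caveats a practitioner would add. First, the tap still sees metadata even with mTLS: the ClientHello carries the server name `svc.internal` in clear, and the IP addresses and timing are visible, so mTLS hides payloads, not who talks to whom. Second, this covers data in transit only; the "storage" half of the answer above is a separate control (for example, enabling encryption at rest for Secrets in etcd).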

Hi srikanth,
Thanks for this nice explanation. Does the CKA exam have setting up clusters with E2EE and setting up a private cluster?
Thanks in advance.

I don’t think so; at least, I haven’t got any questions related to E2EE. Also, you wouldn’t have to set up a cluster from scratch. You will be working on existing clusters, switching between them according to the question. (Not sure if this will be the case, as the CKA exam might be updated soon in Feb.)

@Alistair_KodeKloud /@rob_kodekloud can someone comment on this? Feel free to correct me, I don’t want to be sharing wrong info.