Last modified May 9, 2019

Secure access to clusters for users and Giant Swarm support

In order to provide the best service possible, Giant Swarm staff also have access to your clusters.

Therefore, we would like to explain this access, and what security measures are in place.

Intro

Access to Giant Swarm clusters can be split into two parts.

  1. Admin Access - designated for Giant Swarm staff for management/development/support purposes.

  2. User Access - designated for Giant Swarm customers to interact with offered services.

If you would like to know more about the different parts of the Giant Swarm infrastructure, please see our operational layers article

Admin access

Admin access is guarded by a Virtual Private Network (VPN) that is managed via certificates (public/private keys).

Certificates management is handled by a combination of Vault and the Giant Swarm Organization on Github. The general principle is that a certificate is configured for each individual Giant Swarm staff member.

VPN secured access points:

  • SSH - SSH access is based on GitHub SSO. Only users in the GitHub Giant Swarm Organization are allowed to authenticate. The following diagram describes our SSH authentication in more detail:

SSH access to Control Plane allows Giant Swarm also to manage and connect to underlying Tenant Clusters of the Customer.

  • Control Plane Kubernetes API - Usage of Kuberentes API on Control Plane also follows the authentication principles of the SSH connection.

General VPN connection schema

Following schema illustrates how the VPN connection looks in practice.

Cluster can be accessed by connecting to a Giant Swarm VPN server which establishes a secure connection with the jump host of the cluster.

We use two different VPN providers to provide highly resilient and available support to our customers.

Cloud provider access

Currently, Giant Swarm operators - which are responsible for managing clusters lifecycle - are granted admin rights by the customer to the given cloud provider.

The operator secret used for authentication with the cloud provider is stored in Kubernetes’ etcd. Access to etcd or Kubernetes API are secured based on certificates signed by Vault, to which only personnel in the GitHub Giant Swarm organization have access to.

User access

User access is limited to the offered APIs for interaction with your clusters.

Giant Swarm API

User access is provided to you over the Giant Swarm API. Network access to the API endpoint is usually whitelisted to a certain range of IP addresses. It can also be configured to work over a VPN following the general VPN connection schema shown above under admin access, where the connection to API residing in the cluster can be established only via your configured VPN.

Kubernetes API

The Kubernetes API of the clusters are exposed to the customers. You have full control over the users that are created via the Giant Swarm API. Additionally, you can also manage users by connecting an external Identity Provider to the Kubernetes API.

Further reading