Implementation of New Security Features in CMSWEB Kubernetes Cluster at CERN

Aamir Ali; Muhammad Imran; Valentin Kuznetsov; Spyridon Trigazis; Aroosha Pervaiz; Andreas Pfeiffer; Marco Mascheroni

doi:10.1051/epjconf/202429507026

All issues

Volume 295 (2024)

EPJ Web of Conf., 295 (2024) 07026

Abstract

Open Access

Issue		EPJ Web of Conf. Volume 295, 2024 26^th International Conference on Computing in High Energy and Nuclear Physics (CHEP 2023)


Article Number		07026
Number of page(s)		8
Section		Facilities and Virtualization
DOI		https://doi.org/10.1051/epjconf/202429507026
Published online		06 May 2024

EPJ Web of Conferences 295, 07026 (2024)
https://doi.org/10.1051/epjconf/202429507026

Implementation of New Security Features in CMSWEB Kubernetes Cluster at CERN

Aamir Ali¹^*, Muhammad Imran²^**, Valentin Kuznetsov³^***, Spyridon Trigazis¹^****, Aroosha Pervaiz²^†, Andreas Pfeiffer¹^‡ and Marco Mascheroni⁴^§ for CMS Collaboration

¹ CERN, Geneva, Switzerland.
² National Centre for Physics, Islamabad, Pakistan.
³ Cornell University, USA.
⁴ University of California San Diego, USA.

^* e-mail: aamir.ali@cern.ch
^** e-mail: muhammad.imran@ncp.edu.pk
^*** e-mail: vkuznet@protonmail.com
^**** e-mail: Spyridon.Trigazis@cern.ch
^† e-mail: aroosha.pervaiz@cern.ch
^‡ e-mail: andreas.pfeiffer@cern.ch
^§ e-mail: marco.mascheroni@cern.ch

Published online: 6 May 2024

Abstract

The CMSWEB cluster is pivotal to the activities of the Compact Muon Solenoid (CMS) experiment, as it hosts critical services required for the operational needs of the CMS experiment. The security of these services and the corresponding data is crucial to CMS. Any malicious attack can compromise the availability of our services. Therefore, it is important to construct a robust security infrastructure. In this work, we discuss new security features introduced to the CMSWEB Kubernetes (“k8s”) cluster. The new features include the implementation of network policies, deployment of Open Policy Agent (OPA), enforcement of OPA policies, and the integration of Vault. The network policies act as an inside-the-cluster firewall to limit the network communication between the pods to the minimum necessary, and its dynamic nature allows us to work with microservices. The OPA validates the objects against some custom-defined policies during create, update, and delete operations to further enhance security. Without recompiling or changing the configuration of the Kubernetes API server, it can apply customized policies on Kubernetes objects and their audit functionality enabling us to detect pre-existing conflicts and issues. Although Kubernetes incorporates the concepts of secrets, they are only base64 encoded and are not dynamically configured. This is where Vault comes into play: Vault dynamically secures, stores, and tightly controls access to sensitive data. This way, the secret information is encrypted, secured, and centralized, making it more scalable and easier to manage. Thus, the implementation of these three security features corroborate the enhanced security and reliability of the CMSWEB Kubernetes infrastructure.

This is an Open Access article distributed under the terms of the Creative Commons Attribution License 4.0, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Current usage metrics show cumulative count of Article Views (full-text article views including HTML views, PDF and ePub downloads, according to the available data) and Abstracts Views on Vision4Press platform.

Data correspond to usage on the plateform after 2015. The current usage metrics is available 48-96 hours after online publication and is updated daily on week days.

Initial download of the metrics may take a while.