BYOK

https://github.com/AliyunContainerService/ack-kms-plugin

This is KMS provider plugin for Alibaba Cloud - Enable encryption at rest of Kubernetes secret backed by Alibaba Cloud Key Management Service

Here let us verify the secret encryption on ACK cluster.

Firstly create one ACK cluster on Alibaba Cloud Container Service console, refine the apiserver configuration and install the ack-kms-plugin successfully:

then create a test secret and use etcdctl to fetch and check if the secret data is encrypted as below:

also the secret data should be decode when an authorized user using kubectl to get the secret value as:

AD/LDAP

Alibaba Cloud RAM user can upload the metadata file provided by external IdP and enable SAML-based Single Sign-On. It supports SAML 2.0 standard and enables you to log on to Alibaba Cloud from the local account system of your enterprise. Here we give Microsoft AD as an example:

then enable sso status and upload the target metadata xml file:

config the AD FS to trust RAM as SAML SP

add claim rules:

then user can login from Alibaba Cloud RAM page and the browser would auto skip to the target AD login page as:

after AD auth the user success, it would redirect back to Alibaba Cloud console as:

 
Besides, Alibaba Cloud Container Service support to deploy KeyCloak with helm charts, which comes with a built-in LDAP/AD provider in user application side.

NeuVector

NeuVector, the leader in Kubernetes security delivering the first and only multi-vector container firewall, had annouced the partnership with Alibaba Cloud to strengthen Kubernetes security for enterprise customers. see https://neuvector.com/cloud-security/neuvector-alibaba-cloud/

NeuVector’s platform includes these key features:

• Support throughout the entire DevOps container deployment lifecycle, from build to ship to run.
• Security automation, starting with a Jenkins plug-in for vulnerability scanning during the build process.
• Container registries such as the Alibaba Cloud Container Registry can be configured so that any new images in a repository will be automatically scanned by NeuVector.
• Kubernetes and Docker CIS benchmarks will test host and container configurations before and after production deployments.
• Run-time security is delivered by the unique, cloud-native Layer-7 container firewall that combines deep packet inspection (DPI) of east-west traffic with container inspection and host security to detect and prevent attacks at multiple points in the kill chain.

the detail please refer to https://yq.aliyun.com/articles/62411

Vault

Vault is a famous open-source product for manage secret and protect sensitive secret, and Alibaba Cloud has also integrated into its dynamic infrastructure.

Vault treats AliCloud as a Trusted Third Party and uses a special Alibaba Cloud request signed with private credentials for its auth system: https://www.vaultproject.io/docs/auth/alicloud.html

also it support dynamic generate, store and encrypt Alibaba Cloud access tokens based on RAM policies as https://www.vaultproject.io/docs/secrets/alicloud/index.html

Besides, Alibaba Cloud Container Service support to deploy Vault in app-catalog, which help customers friendly deploy it based on official helm charts.