Rafay Paralus GA
July 20, 2022
Rafay
Systems launched a new open-source software
project named Paralus to enable secure,
audited access for developers, operations,
SREs and CI/CD tools to remote Kubernetes
(K8s) clusters.
Paralus offers access management for
developers, architects, and CI/CD tools to
remote K8s clusters by consolidating
zero-trust access principles such as
transaction level authentication and
authorization into a single open-source
tool. It helps engineering and architecture
teams streamline access control for their
fleet of K8s clusters spanning different
operating environments, different public
clouds and K8s distributions, and
on-premises data centers operating behind
firewalls.
The inability to secure K8s infrastructure
is a growing problem for organizations. In
May 2022, a non-profit security organization
named The Shadowserver Foundation scanned
more than 450,000 systems hosting K8s and
found more than 380,000 (84 percent) of
these systems were accessible via the
Internet, potentially providing an opening
into a corporate network. In fact, the data
shows that the majority of K8s API servers
are found in the United States (nearly 53
percent). Per Shadowserver, "Enterprises
using a K8s API server that is accessible
should implement authorization for access or
block it at the firewall to reduce the
attack surface."
Paralus addresses this security issue by
providing a frictionless way for developers
and architects to leverage open-source
software that uses zero-trust principles to
secure access to all K8s environments and
harden security practices for cloud-native
applications.
Paralus grants authorized users seamless and
secure access to all clusters with a native
and familiar kubectl experience by acting as
a proxy between the users and systems
needing access and the K8s API server. It
also addresses one of K8s' main pain points
by eliminating the burden of managing K8s
access controls cluster by cluster. Without
Paralus, companies must manually manage
access to each cluster using jump hosts or
VPNs, and build custom tooling to audit and
map all actions performed to a user's
identity, all of which is error-prone
and increases the risk of breaches as the
number of clusters grows.
Along with helping directly manage
role-based access control (RBAC) policies
and assignments, Paralus enables:
Creation of custom roles, users, and groups
Dynamic and immediate changing and revoking of permissions
Ability to control access via pre-configured roles across clusters, namespaces, projects, and more
Seamless integration with Identity Providers (IdPs), allowing the use of external authentication engines for user and group definitions, such as GitHub, Google, Azure AD, Okta, and others
Automatic logging of all user actions performed for audit and compliance purposes
Flexible workflows with a modern web GUI, a CLI tool called pctl, and a Paralus API
"While Kubernetes is the de facto standard for
container orchestration, companies have
significant challenges related to securing
this new, mission critical infrastructure.
Rafay is leveraging its industry leadership
and unmatched expertise in the Kubernetes
arena to contribute this highly valuable
asset to the community," said Haseeb Budhani,
CEO and co-founder of Rafay Systems. "Today,
Paralus' capabilities are the most widely
used in the company's Kubernetes Operations
Platform offering, and have been battle
tested by thousands of architects,
developers, operations, and DevSecOps
professionals at world-leading companies. We
are excited to open source this technology,
submit Paralus to the Cloud-Native Computing
Foundation (CNCF), and assist the broader
community in solving this critical access
management issue that plagues Kubernetes
deployments."