Achieving Customer Data Separation in Kubernetes

Kubernetes Access Discovery – Apono K8s Access Automation

Customer Data Separation and JIT permissions in Kubernetes

Kubernetes – Case Study

A leading software development company headquartered in Boston and Tel Aviv with Fortune 1000 customers in 40+ countries delivers multiple products and has recently expanded its operations, buying additional software providers in its field and adding multiple SaaS offerings to the platform.

About the Company:

Head Count: 500+

Engineers: 210

Company Stack:

  • AKS – Azure K8s
  • Teams
  • AWS SSO with Azure AD

“In less than 2 weeks half of the company was already using Apono to gain the namespace permissions they needed dynamically.”


The Challenge:

With the move to becoming a SaaS operation, the company was required to support its customers on an ongoing basis and at the same time adhere to security requirements, such as: customer data separation, approval workflows and audits over customer data access. The company’s customer environment (“production”) contained a combination of databases such as AWS, RDS, PostgreSQL and Azure Kubernetes production clusters with multiple tenants in separate namespaces in each cluster.

In order to meet customer security and regulatory obligations, the company was manually provisioning the permissions developers or customer support needed in Kubernetes on a per task basis.

They were looking for a way to automate:

  1. Manual provisioning of permissions to only a specific customer (namespace in the customer Kubernetes cluster) in order to satisfy security requirements.
  2. Developer permissions to the production environment only on a per task basis and only to the necessary resources relevant to the task at hand.
  3. SRE team members’ permissions to AWS RDS databases and other production resources only when an incident occurs.

The Apono Solution:

Apono was able to satisfy all three needs across their Databases and Kuberenetes clusters with a single, easy to implement platform.

With Apono’s Permission Management Automation Platform, the company was able to easily automate permission management.

  • Separating customer tenants according to security requirements.
    Utilizing Apono’s dynamic AccessFlows capability to automate permissions that allows users to receive a JIT Kubernetes permissions to only a specific customer (namespace) with full audit of those permissions and timeline.

  • Self-serve developer task-based permissions
    Developers request the permissions they need to a database level of the RDS on a per task basis. They can request and the request can be approved directly from within Teams in order to make the process as frictionless as possible.
  • Incident response permissions to SRE teams
    Utilizing Apono’s contextual AccessFlows, when an SRE team member is OnCall they can automatically receive the permissions they need.

Customer restricted access – Apono Access Automation