Civo is a cloud provider that allows Kubernetes clusters to be spun-up in seconds. It provides a lower-cost solution compared to the major cloud providers that’s also easier to manage.

However, Civo clusters are initially deployed with external IP addresses and relaxed firewall policies making them open to anyone on the Internet.

Firewall rules can solve this to a certain degree but it is difficult to manage at scale and doesn’t allow for fine-grained access controls.

In Part 1 we’ll go through how to immediately lock down a Kubernetes cluster on Civo and then selectively grant access to Kubernetes namespaces and services. We’ll be using Twingate, a Zero Trust alternative to traditional VPNs. With Twingate we can make our Civo cluster completely invisible on the Internet, removing a significant surface area for potential attacks.

Pre-requisites

  1. Civo account, get started with $250 credit

  2. Twingate account, sign-up for free

  3. kubectl and helm3

  4. Civo CLI and Twingate CLI, tg.

Getting started

Ensure you have a fresh Civo cluster that you want to lockdown. It is recommended to have its own network and firewall so that other clusters are not inadvertently impacted. You can do this via the Civo web Dashboard or via the Civo CLI.

Once the cluster is online, confirm that you can access it by visiting the DNS name of your cluster.

Deploying Twingate and securing your cluster

Login to the Twingate Admin Console and obtain a Read, Write & Provision API Token from the Settings tab.

Next, download the Twingate CLI by following the instructions here. Once installed, execute the following command to deploy Twingate into your Civo cluster and lock it down:


./tg deploy civo k8s

This command will prompt you for your Twingate account name and API key. It will then prompt you to select your Civo region and Kubernetes cluster. Is a short cut for the following steps:

  1. Install a pair of Twingate connectors to you cluster via Helm Chart to deploy a Highly-Available Zero Trust tunnel.

  2. Create an initial set of Twingate groups and resources so you can individually grant access to the external endpoint, API server, Kubernetes namespaces, etc.

  3. Lock down your Civo firewall rules by disabling all inbound access to the cluster.

Once this is done go ahead and verify that it is no longer possible to connect to your Civo Kubernetes cluster. From this point on, all access to your cluster can uniquely be managed via Twingate.

asciicast

Securely connecting to your cluster

First, install the Twingate client on your local machine by visiting get.twingate.com and login to your Twingate account.

Once you are connected via Twingate you can confirm that you have access to your cluster with no changes needed to your kubectl configuration or other workflows.

Via the Twingate Admin Console or the Twingate API you can now grant access to resources based on best practices.

Uninstall steps

In case you want to revert these changes, you may run the following commands:


helm del $(helm ls --short -n twingate) -n twingate

This will remove the Twingate helm charts from your cluster. You can then add back any firewall rules via the Civo CLI or web dashboard.

Summary

Civo is already one of the easiest Kubernetes solutions available. In this guide we have demonstrated how easy it is to both completely lock down your cluster so that it is no longer publicly exposed and how simple it is to then grant access to it to the users that need access.