Ante Miličević
December 16, 2023

Kubernetes Security: Protections and Best Practices

Security is a top priority. Read on to learn about the best practices and protections for Kubernetes in the upcoming year.

Kubernetes, a freely available microservice orchestration engine, is renowned for its capacity to automate the deployment, administration, and, significantly, scaling of containerized applications.

Opting to execute an individual microservice in a distinct container is almost invariably more secure than running multiple processes in the same VM. Once a pod is initiated in Kubernetes, it resides in a node.

Nodes come in two forms: the worker node and the master node. The worker node executes the application code, hosts the pods, and relays resource information to the master node. The master node serves as the controller and manager for the worker nodes, collectively forming a cluster.

Nodes offer CPU, memory, storage, and networking resources for the Kubernetes master to allocate microservice PODs. Nodes house various components such as the Kubelet, the Kube-Proxy, and the container runtime, aiding Kubernetes in executing and overseeing application workloads.

Kubernetes Security Best Practices: 4C Model

In constructing a defense-in-depth strategy, it is essential to embed multiple security barriers across different domains; this aligns with the principles of cloud-native security. The security methodologies for Cloud Native Systems are stratified into four layers, known as "The 4C Security Model": Cloud, Cluster, Container, and Code. 

Addressing each layer ensures comprehensive security coverage from development to deployment. Kubernetes' best practices align with these four pillars of the cloud-native approach.

1. Cloud

The cloud layer pertains to the server infrastructure. Establishing a server on a preferred Cloud Service Provider involves various services (CSP). 

While CSPs primarily secure these services (e.g., operating systems, platform management, and network configuration) and improve cloud security, customers are responsible for monitoring and securing their data.

Restrict Kube API Server Access

Kubernetes API access control involves three steps: validation, authenticity scrutiny, and admission control. Network access control and TLS connections must be appropriately configured before initiating the authentication process.

Despite the complexity of authentication procedures, establishing secure RBAC policies adhering to the principle of least privilege is fundamental for Kubernetes API security.

Exclusive usage of TLS connections for API server, internal Control Plane communication, and Control Plane to Kubelet communication is recommended. In AWS, restraining access to the Kube API server by securing logs and events is crucial.

The Kubernetes API utilizes two HTTP ports, namely localhost and secure port. The localhost port circumvents authentication and authorization components, making it imperative to disable this port beyond the Kubernetes cluster's test configuration.

Due to potential security vulnerabilities, meticulous and prompt audits of service accounts are necessary, especially if tied to a specific namespace and specific Kubernetes management tasks. 

Employing specialized service accounts for each application is advisable, avoiding the use of default service accounts to minimize the attack surface. Disabling default service account tokens when creating new pods without a designated service account is essential to prevent unnecessary security risks.

Encryption and Firewall Measures

Kubernetes employs "Secrets" to store sensitive data like passwords, keys, and tokens. These Secrets minimize the attack surface, enhance cloud security and facilitate controlled access to sensitive data. Secrets are namespace-bound objects stored in tmpfs on nodes and password-protected.

Image of API to node connection

While Secrets in etcd are stored in plaintext, enabling encryption in the etcd configuration file is crucial. This ensures that even if an attacker gains access to etcd data, they cannot decipher it without the encryption key held by the API server.

Restricting access to etcd through TLS client certificates, and isolating etcd servers behind a firewall accessible only to API servers, further fortifies cluster security. Ensuring proper firewall configurations is essential for Kubernetes functionality.

For example, opening specific ports on the Primary configuration, such as 6443, 2379-2380, 10250, and 8472, is essential. Additionally, Worker Nodes must have ports 10250, 10255, and 8472 open.

Enforcing TLS Between Cluster Components

Establishing TLS connections between cluster components is pivotal for maintaining cluster security. API communication within a cluster is designed to be encrypted by default using TLS.

Certificate distribution across cluster components is accomplished during installation, and understanding each component is crucial for distinguishing trusted and untrusted communication.

Node Protection

Nodes, responsible for containerized app operations, demand a secure environment. In a test environment, a single server serving as both a master and a worker node may suffice. 

Most applications utilize at least three nodes: one for master components, one for worker nodes, and one for kubelet administration. Nodes can operate in virtual or physical environments based on organizational needs or regulatory compliance.

The Correct Configurations to Isolate the Cluster and API

Kubernetes clusters share data and resources among users, clients, and existing applications, necessitating data protection and mitigation of potential threats. Achieving soft multi-tenancy or hard multi-tenancy is feasible, each with its own security implications. 

Proper isolation measures encompass network policy, firewall rules, and namespace-specific limitations for pod deployment.

Image of project container relation

API servers, critical for Kubernetes scalability and flexibility, require strict access control to minimize the attack surface. Rule-based access control, key rotation, and IP subnet restrictions effectively limit risks associated with public network exposure.

In a Kubernetes cluster, kubelet serves as a background daemon on each node, managed by an INIT system or service manager. Uniform configuration across all Kubelets within a cluster is essential for correct functionality.

2. Cluster

Kubernetes, as a prominent container orchestration tool, warrants focused consideration for cluster security. Security recommendations here specifically address safeguarding the cluster itself.

Utilize Kubernetes Secrets for Application Credentials

Secrets, housing sensitive data like passwords or tokens, play a crucial role in authentication. While pods cannot directly access secrets, maintaining their confidentiality in a designated location is imperative.

 Secrets should be mounted as read-only volumes rather than passed as environment variables to enhance security.

Apply Least Privilege on Access

Image of principle of least privilege

Authorization is integral for most Kubernetes components, requiring entities to be logged in for resource access authorization. Role-Based Access Control (RBAC) leverages the rbac.authorization.k8s.io API group to authorize actions on specific resources. Enabling RBAC necessitates setting an authorization flag and restarting the API server.

Take a look at the following example: 

<pre class="codeWrap"><code>apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
 namespace: default
 name: read-user
rules:
– apiGroups: [“”]
 resources: [“pods”]
 verbs: [“get”, “watch”, “list”]
</code></pre>

Admission Controllers and Network Policy

Admission controllers serve as plugins governing and enforcing cluster usage. These controllers enhance security by imposing a security baseline and can include PodSecurityPolicy to prevent root access or ensure a read-only root filesystem. Webhook controllers allow retrieving images exclusively from approved registries, enforcing security standards in deployments.

3. Container

Container runtime engines are indispensable for running containers in a cluster environment, with Docker being the predominant choice. Ensuring secure practices in container runtime environments is pivotal.

Use Verified Images with Proper Tags

Scanning and exclusively using approved images align with organizational policies, mitigating vulnerabilities. Private registries are recommended to reduce the risk of using insecure images.

Integrating image scanning in the CI/CD pipeline prevents vulnerabilities from reaching the registry. Immutable tags enhance traceability and version control, aiding in identifying deployed applications.

Limit Application Privileges

Image of application privileges

Avoiding privilege escalation, especially running containers as root, is crucial to prevent security risks. The root access in a container equates to root access on the host system, posing threats like filesystem access, exposure of username/password combinations, installation of malicious software, and access to cloud resources. Caution is necessary, particularly when deploying applications that may require root access.

4. Code

The code layer, synonymous with application security, represents the most controllable aspect of Kubernetes security. Scanning for vulnerabilities and implementing secure coding practices are vital.

Scan For Vulnerabilities

Given the reliance on open-source packages and libraries, scanning for vulnerabilities in dependencies is critical. Attackers often exploit known vulnerabilities, making regular scans essential to identify and mitigate risks.

 Incorporating vulnerability scanning in the CI/CD pipeline prevents issues from reaching the registry, enhancing overall code-level security.

Importance of Kubernetes Security

Kubernetes, being integral to modern infrastructure, demands meticulous security considerations. The dynamic and immutable nature of Kubernetes, coupled with open-source usage, necessitates continuous attention and resources to uphold security. 

Organizations relying on Kubernetes in production environments must prioritize security to prevent compromises that could impact operations.

Implementing Kubernetes Security Best Practices

Security updates and vigilance regarding security vulnerabilities in running containers are paramount. Gradual upgrades using Kubernetes' rolling update feature enable seamless application updates.

Configuring security contexts for each pod and container, and defining privileges and access controls, contributes to a robust security posture.

Resource management, involving CPU and memory allocation for pods, requires meticulous observation before determining resource needs. The shift-left approach, emphasizing early identification and resolution of flaws in the container lifecycle, facilitates efficient container management and accelerates development cycles.

Kubernetes Security Frameworks: An Overview

Various security frameworks, such as those by MITRE, CIS, and NIST, cater to Kubernetes security. Each framework has distinct strengths and weaknesses, enabling organizations to choose and apply relevant components.

 The CIS benchmark offers methods for hardening Kubernetes cluster security, while MITRE ATT&CK outlines scenarios for potential attacks and corresponding mitigation strategies. PCI-DSS compliance configurations can be implemented using frameworks like PCI-DSS for Kubernetes in fintech contexts.

Conclusion

Cloud-native containers in Kubernetes are integral to modern enterprise operations. Microservices, widely adopted, necessitate adherence to robust security practices. Kubernetes security encompasses multiple layers: cloud, cluster, container, and code. 

Vigilant adherence to security best practices, continual vulnerability scanning, and the implementation of established security frameworks are imperative for safeguarding Kubernetes environments.

Facing Challenges in Cloud, DevOps, or Security?
Let’s tackle them together!

get free consultation sessions

In case you prefer e-mail first:

Thank you! Your message has been received!
We will contact you shortly.
Oops! Something went wrong while submitting the form.
By clicking “Accept”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information. If you wish to disable storing cookies, click here.