In a previous article, we learned about the threats to a Kubernetes deployment that may result in a multitude of compromises and undesirable scenarios. With these threat models in mind, we can now explore Kubernetes security along four major tenets:
- authentication and authorization
- resource isolation
- hardening and network security
- logging and auditing.
We look at security from the perspective of the containers, the Kubernetes deployment itself and the network. Such a holistic approach is needed to ensure that containers are deployed securely and that the attack surface is minimized. The best practices that arise from each of the above tenets apply to any Kubernetes deployment, whether you’re self-hosting a cluster or employing a managed service.
We should note that there are related security controls outside of Kubernetes, such as the Secure Software Development Life Cycle (S-SDLC) or security monitoring, that can help reduce the likelihood of attacks and increase the defense posture. We strongly urge you to consider security across the entire application lifecycle rather than take a narrow focus on the deployment of containers with Kubernetes. However, for the sake of brevity, in this series, we will only cover security controls within the immediate Kubernetes environment.
Authentication and Authorization
The Kubernetes APIs are the central interfaces for administrators, users and applications to operate and communicate in the Kubernetes environment. Both users and service accounts can access Kubernetes APIs to initiate operations. As such, controlling API access is the main task of authentication and authorization within Kubernetes.
The Kubernetes platform has built-in authentication and authorization controls, as well as admission controls, which intercept and regulate requests to the Kubernetes APIs after authentication and authorization. Admission controls include built-in constructs as well as webhook-enabled methods that can be used to invoke external logic.
Authentication and authorization are at the core of Kubernetes security. Securing access to the Kubernetes API server is, therefore, one of the first priorities of a secure Kubernetes environment. Later in this chapter, we will explore authentication and authorization options and policies in depth.
Resource Isolation
Isolation of resources is another major security lever within Kubernetes. Isolation not only prevents denial-of-service attacks but also provides privacy and data protection. The Kubernetes platform provides isolation mechanisms for a number of resource types, including pods and namespaces. The resource limits you can place on pods and namespaces include central processing unit (CPU) cycles, memory requests and persistent storage space.
Hardening and Network Security
Environment hardening, including hardening of containers and the underlying Kubernetes infrastructure, is essential to the security of a Kubernetes environment. It helps defend against threats brought by compromised containers, misuse and misconfigurations.
Hardening operations include restrictions on running privileged containers, on privilege escalation within a container, and on whether a container can access the host network interface and file system.
Network security handles segmentation, secures API access with Transport Layer Security (TLS) client authentication and manages service network Access Control Lists (ACLs).
Logging and Auditing
In addition to the native application and system logging, it may be beneficial to have Kubernetes-specific logs to understand Kubernetes operations, such as who accessed which Kubernetes API.
Kubernetes 1.9 provides a beta feature, Audit Logging, to perform separate logging and auditing functions. Audit Logging records the requests handled by the API server. The records can then be archived for later analysis. An administrator specifies which events should be logged, and at what level of detail, in an audit-policy YAML file.
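The audit-policy file mentioned above, as an added illustration written for this article rather than taken from it. It assumes the GA audit.k8s.io/v1 schema (the 1.9 beta used audit.k8s.io/v1beta1); the resource and group names are the standard Kubernetes ones.

```yaml
# Added example: a kube-apiserver audit policy (not from the original article).
# The API server evaluates rules top to bottom and the first matching rule
# wins, so the specific rules must come before the catch-all at the end.
apiVersion: audit.k8s.io/v1   # the 1.9 beta used audit.k8s.io/v1beta1
kind: Policy
# Skip the RequestReceived stage so each request is logged once, on completion.
omitStages:
  - "RequestReceived"
rules:
  # Secrets and ConfigMaps: record who touched them, but never the body.
  # A level of Request or RequestResponse here would copy secret data
  # into the audit log, which then becomes a second place to protect.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps"]
  # Drop the high-volume, low-value read traffic from node kubelets.
  - level: None
    userGroups: ["system:nodes"]
    verbs: ["get", "watch", "list"]
  # Health and version probes carry no security signal.
  - level: None
    nonResourceURLs: ["/healthz*", "/version"]
  # Changes to workloads and RBAC: keep the full request and response bodies
  # so an investigation can see exactly what was created or granted.
  - level: RequestResponse
    verbs: ["create", "update", "patch", "delete"]
    resources:
      - group: ""
        resources: ["pods", "serviceaccounts"]
      - group: "rbac.authorization.k8s.io"
        resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]
  # Everything else: who did what to which object, without bodies.
  - level: Metadata
```

The file is passed to kube-apiserver with --audit-policy-file, together with --audit-log-path for the log destination.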
Next time we’ll discuss the relevant security issues with the container infrastructure itself, including running containers in a secure fashion, with each Linux node properly configured and hardened, actively managing the images used in your system to discover and remove known vulnerabilities, and managing which registries can be used by your organization.
Feature image via Pixabay.