The 4 Major Tenets of Kubernetes Security

15 Feb 2018 11:36am, by Dr. Chenxi Wang
Dr. Chenxi Wang is the founder of the Jane Bond Project, a cybersecurity strategy consulting firm, and a well-known strategist, speaker, and writer in the cybersecurity industry. Dr. Wang also serves as Vice Chair on the Board of Directors for the OWASP foundation, investment advisor to ClearSky Security and 630 Cyber, and strategy advisor to various security startups and IT Security Planet. Previously, Chenxi was Chief Strategy Officer at Twistlock, responsible for building Twistlock’s brand and business from zero to the leader in the segment.

In a previous article, we learned about the threats to a Kubernetes deployment that may result in a multitude of compromises and undesirable scenarios. With these threat models in mind, we can now explore Kubernetes security along four major tenets:

  • authentication and authorization
  • resource isolation
  • hardening and network security
  • logging and auditing.

We look at security from the perspective of containers, Kubernetes deployment itself and network security. Such a holistic approach is needed to ensure that containers are deployed securely and that the attack surface is minimized. The best practices that arise from each of the above tenets apply to any Kubernetes deployment, whether you’re self-hosting a cluster or employing a managed service.

We should note that there are related security controls outside of Kubernetes, such as the Secure Software Development Life Cycle (S-SDLC) or security monitoring, that can help reduce the likelihood of attacks and increase the defense posture. We strongly urge you to consider security across the entire application lifecycle rather than take a narrow focus on the deployment of containers with Kubernetes. However, for the sake of brevity, in this series, we will only cover security controls within the immediate Kubernetes environment.

Authentication and Authorization

The Kubernetes APIs are the central interfaces for administrators, users and applications to operate and communicate in the Kubernetes environment. Both users and service accounts can access Kubernetes APIs to initiate operations. As such, controlling API access is the main task of authentication and authorization within Kubernetes.

The Kubernetes platform has built-in authentication and authorization controls, as well as admission controls, which intercept and regulate requests to the Kubernetes APIs after authentication and authorization. Admission controls include built-in constructs as well as webhook-enabled methods that can be used to invoke external logic.

Authentication and authorization are at the core of Kubernetes security. Securing access to the Kubernetes API server is, therefore, one of the first priorities of a secure Kubernetes environment. Later in this chapter, we will explore in-depth authentication and authorization options and policies.

Resource Isolation

Isolation of resources is another major security lever within Kubernetes. Isolation not only prevents denial-of-service attacks but also provides privacy and data protection. The Kubernetes platform provides isolation mechanisms for a number of resource types, including pods and namespaces. The resource limits you can place on pods and namespaces include central processing unit (CPU) cycles, memory requests and persistent storage space.
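As an added illustration (not from the article), the manifests below bound a namespace's aggregate CPU, memory and persistent storage with a ResourceQuota and give every container default requests and limits with a LimitRange. The namespace name and figures are assumptions.

```yaml
# Added example: namespace-level resource isolation.
# "team-a" and all numbers are assumed values.
apiVersion: v1
kind: Namespace
metadata:
  name: team-a
---
apiVersion: v1
kind: ResourceQuota
metadata:
  name: team-a-quota
  namespace: team-a
spec:
  hard:
    requests.cpu: "4"              # total CPU all pods may request
    requests.memory: 8Gi
    limits.cpu: "8"
    limits.memory: 16Gi
    requests.storage: 100Gi        # total PersistentVolumeClaim capacity
    persistentvolumeclaims: "10"
    pods: "50"                     # caps pod count, not just CPU/memory
---
apiVersion: v1
kind: LimitRange
metadata:
  name: team-a-limits
  namespace: team-a
spec:
  limits:
  - type: Container
    default:                       # limits applied when a container sets none
      cpu: 500m
      memory: 256Mi
    defaultRequest:                # requests applied when a container sets none
      cpu: 100m
      memory: 128Mi
    max:                           # no single container may exceed these
      cpu: "2"
      memory: 2Gi
```

Once a quota constrains CPU or memory, the API server rejects pods that omit requests and limits for those resources, which is why the LimitRange defaults are paired with it.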

Hardening and Network Security

Environment hardening, including hardening of containers and the underlying Kubernetes infrastructure, is essential to the security of a Kubernetes environment. It helps defend against threats brought by compromised containers, misuse and misconfigurations.

Hardening operations include restrictions on running privileged containers, limiting privilege escalations and whether a container can access the host networking interface and file system.

Network security handles segmentation, secures API access with Transport Layer Security (TLS) client authentication and manages service network Access Control Lists (ACLs).
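The following added example (not the article's own) shows the hardening and segmentation controls from the two preceding paragraphs applied to one pod: the spec declines privileged mode, privilege escalation and host networking, process and IPC namespaces and mounts no host paths, and a NetworkPolicy restricts ingress to one peer tier. Names, labels, the image reference and the port are assumptions.

```yaml
# Added example: a hardened pod plus the NetworkPolicy that isolates it.
apiVersion: v1
kind: Pod
metadata:
  name: api
  namespace: team-a
  labels:
    app: api
spec:
  hostNetwork: false                # no access to the node's network interfaces
  hostPID: false                    # no view of host processes
  hostIPC: false
  automountServiceAccountToken: false   # no API credential unless actually needed
  # No hostPath volumes: the container cannot reach the node's file system.
  containers:
  - name: api
    image: registry.example.com/api:1.0   # placeholder image reference
    ports:
    - containerPort: 8080
    securityContext:
      privileged: false
      allowPrivilegeEscalation: false     # blocks setuid/file-capability escalation
      readOnlyRootFilesystem: true        # the container cannot modify its own image
      runAsNonRoot: true
      capabilities:
        drop: ["ALL"]
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-ingress
  namespace: team-a
spec:
  podSelector:
    matchLabels:
      app: api                          # policy applies to the pod above
  policyTypes: ["Ingress"]
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend                 # only this tier may connect
    ports:
    - protocol: TCP
      port: 8080
```

A NetworkPolicy is enforced only when the cluster's network plugin implements the API; on a plugin that does not, the object is accepted but has no effect.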

Logging and Auditing

In addition to the native application and system logging, it may be beneficial to have Kubernetes-specific logs to understand Kubernetes operations, such as who accessed which Kubernetes API.

Kubernetes 1.9 provides a beta feature, Audit Logging, to perform separate logging and auditing functions. Audit Logging records the requests handled by the API server. The records can then be archived for later analysis. An administrator specifies which events should be logged, and at what level of detail, in an audit-policy YAML file.
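An added example of such an audit policy (not from the article), written against the audit.k8s.io/v1 API; the 1.9 beta used audit.k8s.io/v1beta1 with the same rule shape. Rules are evaluated top to bottom and the first match sets the level, so sensitive objects are handled before the catch-all.

```yaml
# Added example: API server audit policy.
# Levels: None < Metadata < Request < RequestResponse.
apiVersion: audit.k8s.io/v1
kind: Policy
# Skip the RequestReceived stage everywhere; one event per request is enough.
omitStages:
  - "RequestReceived"
rules:
  # Record who touched which Secret or ConfigMap, but never the body,
  # so secret material does not end up in the audit log.
  - level: Metadata
    resources:
    - group: ""
      resources: ["secrets", "configmaps"]
  # RBAC changes alter who may do what: keep the full request and response.
  - level: RequestResponse
    resources:
    - group: "rbac.authorization.k8s.io"
      resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]
  # High-volume watch traffic from kube-proxy adds noise, not signal.
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
    - group: ""
      resources: ["endpoints", "services"]
  # Everything else: user, verb, resource and the request body.
  - level: Request
```

The API server loads it with `--audit-policy-file` and writes events to the path given by `--audit-log-path` (or to a webhook backend), so the file itself should be protected as part of the control plane configuration.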

Next time we’ll discuss the relevant security issues with the container infrastructure itself, including running containers in a secure fashion, with each Linux node properly configured and hardened, actively managing the images used in your system to discover and remove known vulnerabilities, and managing which registries can be used by your organization.

Feature image via Pixabay.
