DevOps / Kubernetes / Security / Contributed

5 Best Practices for Kubernetes Security

16 Jun 2020 1:06pm, by

Robert Brennan
Robert Brennan is director of open source software at Fairwinds, the Kubernetes enablement company. He focuses on the development of software that abstracts away the complexity of underlying infrastructure to enable an optimal experience for engineers. Before Fairwinds, he worked as a senior software engineer for Google in AI and natural language processing. He is the co-founder of DataFire.io, an open source platform for building APIs and integrations, and LucyBot, developer of a suite of automated API documentation solutions deployed by Fortune 500 companies. He is a graduate of Columbia College and Columbia Engineering where he focused on machine learning.

Whether you’re just starting to scope out the promises of Kubernetes, or have already leapt into using the container orchestration system, you probably have questions. Like any transition to cloud native technologies, you wonder how to keep things reliable and efficient as you scale. But beyond this, there’s an even bigger fish to fry: security.

Particularly in security-centric industries, like healthcare and finance, Development Operations (DevOps) teams must strike the balance between usability, functionality, and security. Kubernetes can be the answer to this equation, if implemented properly. The catch is that native cloud containers are a new method of software deployment, so DevOps teams can’t just dip into their old bags of tricks. The frameworks and processes that worked with other technologies will either flat-out flop here, or will need to be majorly overhauled in order to give your applications the protection they need.

When you deploy Kubernetes, all the usual security threats are lurking. But, of them, the three you will most often encounter are Denial-of-Service (DoS) attacks, external threats gaining access to internal resources, or internal threats giving too much access to employees and thereby exposing vulnerabilities.

Security efforts should be focused around preventing security threats, particularly these three. While no code is 100% vulnerability-free, the following five best Kubernetes security practices should be followed to ensure your success with the technology, now and in the future.

1. Slow Down

Yes, you’re eager to get your application up and running — and then move on. But making the assumption that you’re done before you actually are, or moving through your deployment configuration too quickly, all but ensures security gaps. This is because Kubernetes security is absolutely possible, but — like a lot of Kubernetes — it’s complicated.

For instance, you may think your deployments are fine without resource requests and limits. But failing to put such pieces in place will certainly come back as problems later. Your configurations can mean the difference between protecting your assets or experiencing a DoS attack that came about because your deployment was misconfigured.

So, slow down. Take advantage of Kubernetes’ stellar built-in security tooling and robust ecosystem of open source and commercial solutions for hardening your clusters. It’s counterintuitive, but thinking through your security strategy thoughtfully won’t actually slow you down in the long run. Instead, it’ll help you ultimately move faster, because your strong security profile will prevent a host of time-consuming, damaging security problems.

2. Be Cautious with Access

Again, in an effort to deploy quickly, it’s tempting to hand out permissions too readily. But giving admin-level access to an application that doesn’t need extensive control over the cluster leaves you vulnerable. This is why Role-Based Access Control (RBAC) is so critical with Kubernetes.

Use RBAC to set access permissions for your clusters according to the principle of least privilege. For example, if an application only needs to view logs, limit its access accordingly so you don’t end up finding it mining bitcoin, viewing secrets, or deleting resources.

By default, all applications within a single Kubernetes cluster have access to everything else within it. Your job is to write a network policy that restricts communications between parts of the cluster that have no business talking to one another.

This will help reduce the splash damage if your account gets compromised, and save you a lot of headaches down the road. Many teams fail to handle RBAC configurations properly because they can be confusing, but there are tools available that make this much simpler.

3. Protect Your Policies

Network policy, which is similar in nature to RBAC, is crucial to Kubernetes’ security. But, rather than allowing access to resources, network policy sets up who can talk to those inside your cluster. By default, all applications within a single Kubernetes cluster have access to everything else within it. Your job is to write a network policy that restricts communications between parts of the cluster that have no business talking to one another. This way, even if an attacker worms its way into your network, it will be restricted to one workload and unable to spread throughout the cluster.

Network policy can also be used to manage cluster ingress and egress. Think of it like an air traffic controller who is highly selective about who may land at — and who may leave — his airport. Internal-only applications should only accept traffic from IP addresses inside your firewall, and partner IP-addresses should be whitelisted. Similarly, it’s a good idea to whitelist allowed domains for outgoing traffic.

After all, hackers may try to get inside your cluster and then push data to an external URL, which, of course, is bad news. But, a strong network policy with strict ingress and egress rules will limit the likelihood of this. Furthermore, configuring an ingress policy that limits how much traffic a user can consume before being shut off can help prevent Distributed Denial-of-Service (DDoS) attacks.

4. Get Configuration Validation

DevOps teams are regularly understaffed, and lacking the resources to manually inspect each change that is introduced. Because of this, it’s simply not reasonable to expect them to catch every vulnerability — and yet it’s detrimental for them not to. This is where using the right tools to monitor and validate your configurations comes in.

There are platforms that provide those deploying and managing Kubernetes with access to better visibility, prioritized recommendations, and collaboration tools. As with many other aspects of business, software can often fill in the gaps we’re not able to ourselves. Kubernetes is no exception, and getting the right form of validation in place can ensure your configurations are set up for security success.

5. Stay Up to Date

When was the last time you updated your Kubernetes version? Updates are sometimes seen as a hassle, so well-meaning folks who are focused on other pieces of deployment might kick that can down the road. This might not spell disaster immediately, but if they keep kicking it further, holes in security are likely to arise.

Each new update promises important security fixes and enhanced functionality. Especially if you’re using add-ons to amplify Kubernetes’ benefits, your attack surface is increased – and so is your risk. But when you stay up to date on bug fixes and new releases, and test the updates as you go, you make sure your security and functionality are at their peak.

Remember: the fastest way to set up a cluster is the most insecure way. Fortunately, Kubernetes has robust built-in security features and can provide your organization with a single platform for all cloud computing. Its benefits are myriad, but can only be realized if security is first prioritized. By following the best practices outlined here, your Kubernetes implementation is sure to be more secure and easier to maintain than other systems. All it requires is intentionality and a willingness to set everything up the right way, the first time.

Photo by Magda Ehlers from Pexels.

At this time, The New Stack does not allow comments directly on this website. We invite all readers who wish to discuss a story to visit us on Twitter or Facebook. We also welcome your news tips and feedback via email: feedback@thenewstack.io.

 

A newsletter digest of the week’s most important stories & analyses.