Top Kubernetes Security Best Practices You Should Know

Image for post
Image for post

This is a guest article by technical writer Limor Maayan-Wainstein

Kubernetes is a popular open source container orchestration platform used by many organizations worldwide. Kubernetes is feature-rich, providing the controls needed for managing the deployment of enterprise-grade applications. However, Kubernetes is also decidedly complex and difficult to learn and operate. These Kubernetes complexities can lead to misconfigurations and create vulnerabilities in your entire ecosystem.

Kubernetes Security Concerns in the Field

According to recent research, 94 percent of those surveyed had experienced a container security incident in the last year. Due to these incidents, 44 percent delayed moving workloads to production, affecting productivity and revenue.

Kubernetes complexity

Although containers benefit from isolation, which can increase security, Kubernetes networking presents complexity that is difficult to secure. Exposing hundreds or thousands of services both internally and externally leaves many entry points for attackers and can reduce visibility. Deploying and interconnecting the various moving pieces of a deployment leaves a lot of room for human error and oversight.

Kubernetes misconfiguration

Misconfigurations can leave both data and systems vulnerable, allowing abuse of permissions, resources, and theft of data. According to the same survey cited above, 61 percent surveyed reported misconfigurations as their greatest concern. This was compared to 27 percent who were worried about vulnerabilities and 12 percent who worried about attacks.

Kubernetes skills

Another issue is preparedness, or the lack of, that teams have. Attempting to operate Kubernetes in production with a traditional team rather than a DevOps one, or transitioning to DevOps to use Kubernetes are ill-advised. Additionally, while it’s possible to learn Kubernetes from scratch, immediately deploying to production without thorough testing and verification of new skills is rash.

Kubernetes Security: Key Considerations

Hardening and compliance

For example, ensuring that you have pod security policies defined can help you secure your multi-tenant clusters. However, depending on your version, this feature may be in beta (requiring activation) or may not be available. Understanding which built-in features are available to you helps you understand where you need to supplement your security.

When reviewing your configurations, use available security benchmarks, such as those created by the Center for Internet Security ( CIS). These benchmarks provide a guide to help you harden your systems and identify vulnerabilities. Benchmarks can also help ensure you meet compliance with your deployment, providing proof of audits and measures taken.

Balancing security and agility

Another consideration is how well integrated security is with your daily operations. Be careful you don’t let security unnecessarily impede workflows.

One solution for this is the integration of security into your DevOps team, moving to DevSecOps. Integrating your teams enables you to start from a secure base rather than tacking on security. This enables teams to develop workflows that flow smoothly despite or even because of security measures. It also reduces the chance that vulnerabilities make it to production.

DevSecOps teams can also enable you to better leverage your existing automation, improving some of the auditing or monitoring tasks that were previously manual or disorganized, for example, log aggregation or alerting.

Also, with teams working together, unification tools, such as service meshes, are potentially easier to implement and can provide greater benefit. This is because teams can collaborate on needs and concerns, resulting in fewer roadblocks or misunderstandings during configuration.

Day 1 vs day 2 operations

For example, Helm, which is used to leverage existing machine images and configurations, is great for provisioning initial resources and deploying applications but it doesn’t provide much in the way of ongoing operations. For this, you need Kubernetes operators.

Operators enable you to package, deploy, and manage your applications by encoding operational directions and bundling these directions with your applications. You can use operators to automate lifecycle management and ensure standardized deployments. For day 2 security, you should also use them to ensure that only supported configurations are allowed to continue running.

Another day 2 concern that may be overlooked is leftover environments. Getting to production requires significant testing and practice configurations that can result in many insecure resources and configurations along the way.

Part of your day 2 responsibilities include making sure that these resources are killed and that trial configurations are unavailable for future deployments. Responsibilities also include ensuring that any ports or permissions used for initial testing are properly disabled and that temporary permissions are removed.

Kubernetes Security Best Practices

Enable role-based access controls (RBACs)

When setting up RBAC, you should prioritize namespace-specific permissions over cluster-wide permissions for more granular control. You should also avoid including cluster admin privileges in any role. These permissions are not often needed and can be more securely managed with manual access granting.

Protect your etcd cluster

Make sure that you have TLS enabled for both client-to-server and server-to-server communications to prevent request and response data from being compromised. You should also place a firewall to filter traffic and provide visibility into any data transfers that occur. Place this firewall between etcd and your API server and consider running etcd on separate nodes for greater security.

Isolate Kubernetes nodes

To isolate your streams, configure your nodes to only allow master node connections on specific ports. This can be accomplished with access control lists (ACLs) and significantly reduces the traffic you need to monitor. It also makes it easier to intercept harmful connections.

Leverage process whitelisting

Whitelisting does not require you to know anything about whether unknown processes are malicious or not. This means you can effectively block zero-day or dynamic attack processes.

Compare pod runtime activities

If you have one service that is operating differently from others, it may be an indication that something is wrong. Comparing the behavior of your resources and services can enable you to determine if a pod has been compromised or deployed illegitimately.

Monitor your deployments

Kubernetes provides native support for monitoring through Prometheus but this is primarily for metrics. For security purposes, you should consider additional utilities such as service meshes, which can aggregate visibility factors and enable greater control.

Conclusion

Kubernetes security considerations include configuring for hardening and compliance, enforcing a balance between security and agility, and monitoring security after deployments. Continuous monitoring can help you achieve visibility at all times, ensuring that your environment remains secure, and that you can respond quickly when security issues arise.

__________________________________________________________

Limor Maayan-Wainstein is a senior technical writer with 10 years of experience writing about cybersecurity, big data, cloud computing, web development, and more. She is the winner of the STC Cross-European Technical Communication Award (2008) and a regular contributor to technology publications.

Want to write an article for our blog? Read our requirements and guidelines to become a contributor.

Originally published at AltexSoft tech blog “Top Kubernetes Security Best Practices You Should Know

Written by

Being a Technology & Solution Consulting company, AltexSoft co-builds technology products to help companies accelerate growth.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store