Securing the Kubernetes cluster
When utilizing Kubernetes clusters, it is important to dive into some of the best practices to keep them secure.
Security for the Kubernetes cluster
Your role as an administrator will vary depending on the type of Kubernetes cluster you are running. If you run workloads in a managed cluster, some of the cluster security (such as security of the control plane components and operating system patches) is handled by the cloud provider. This means you as an administrator have to take part in securing some part of the cluster.
The code is run in the containers and the images used to spin up the clusters are still fully managed by you, so you should consider appropriate security controls. If we are on an on-premise Kubernetes cluster, we are fully responsible for securing the cluster. This includes hardening the master and worker nodes, securely configuring administrative interfaces, running containers with secure configurations, ensuring that the applications being deployed are free of any vulnerabilities and the list goes on. In essence, we are responsible for securing every component of the cluster.
In addition to the security controls, we will also need to establish appropriate monitoring controls in the cluster to be able to detect any malicious activities.
Learn Container Security
Security inside the cluster
As discussed in the intro to Kubernetes article, Kubernetes clusters come with several different components such as those that run in master nodes and those that run in worker nodes. Every component in the cluster including the nodes must be secured to achieve better security for the cluster.
Let us discuss some of the common security best practices to consider inside a cluster.
Control plane
A control plane is installed on the master node of a cluster, and protecting a control plane is essential to the security of a cluster. By default, Kubernetes provides a reasonable level of security to the control plane components. For example, only an API server can directly communicate with the control plane components such as etcd. However, administrators should be careful when changing the defaults and additional hardening may be required in some cases.
For instance, an API server can be exposed for debugging purposes, which will enable any user to talk to the API server without requiring authentication and authorization when interacting with the cluster. This is done by modifying the kube-apiserver.yaml file available in /etc/kubernetes/manifests/ directory. This should be avoided as anonymous access to the API server will lead to full cluster compromise.
Similarly, other control plane components such as scheduler, controller manager and etcd must be protected by binding them to localhost and enforcing certificate-based authentication. The control plane components should also be regularly updated to the latest version.
Nodes
Worker nodes are where the application workloads are typically run. A compromised node can lead to a full cluster compromise. The nodes’ host operating system must be fully patched and appropriately hardened.
Kubelet is one of the key components of the worker nodes. Other components in the cluster can interact with the Kubelet through an API. This Kubelet API can be configured to be accessible from any machine in the network with anonymous access. This will lead to information disclosure as well as remote command execution on the pods running on the affected node. So, such changes to the default configuration must be avoided.
Pods
A pod is the smallest unit of work in Kubernetes. One or more containers can run in a pod.
One of the commonly seen security issues with pods is overly permissive service accounts mounted onto them. When a pod is compromised, a service account is usually accessible by default. If this service account is overly permissive such as with cluster-admin privileges, the attacker can achieve full cluster compromise. So, it is recommended to use the least privileged access wherever possible.
In addition to it, all pods will be in a flat network by default and any pod can communicate with any other pod in the cluster. So, it is recommended to use network policies to control unwanted communications.
Containers
All the container security misconfigurations can be applied in Kubernetes environments too. When a container that is part of the application workload is compromised, it is possible to abuse misconfigurations and gain access to the underlying worker node and possibly master node.
As an example, a container started as privileged can lead to container escape and unauthorized access on the underlying worker node. Security hygiene must be maintained when running containers in Kubernetes clusters.
Ensuring a Kubernetes cluster is secure
A Kubernetes cluster is made of several components and the security of every component is crucial in protecting a cluster. A simple misconfiguration in one component can lead to full cluster compromise.
So, it is recommended to appropriately harden every component in the cluster.
11 courses, 8+ hours of training
Sources:
Controlling access to the Kubernetes API, Kubernetes
Kubernetes components, Kubernetes
ReplicationController, Kubernetes
Learn Container Security
Containers are changing the way applications are developed, tested and deployed. Learn how to make them secure. What you'll learn:- How containers work
- Docker and Kubernetes
- Container life cycle
- Secure cluster maintenance
- And more
In this Series
- Securing the Kubernetes cluster
- DevSecOps: Moving from “shift left” to “born left”
- What’s new in the OWASP Top 10 for 2023?
- DevSecOps: Continuous Integration Continuous Delivery (CI-CD) tools
- Introduction to DevSecOps and its evolution and statistics
- MongoDB (part 3): How to secure data
- MongoDB (part 2): How to manage data using CRUD operations
- MongoDB (part 1): How to design a schemaless, NoSQL database
- Understanding the DevSecOps Pipeline
- API Security: How to take a layered approach to protect your data
- How to find the perfect security partner for your company
- Security gives your company a competitive advantage
- 3 major flaws of the black-box approach to security testing
- Can bug bounty programs replace dedicated security testing?
- The 7 steps of ethical hacking
- Laravel authorization best practices and tips
- Learn how to do application security right in your organization
- How to use authorization in Laravel: Gates, policies, roles and permissions
- Is your company testing security often enough?
- Authentication vs. authorization: Which one should you use, and when?
- Why your company should prioritize security vulnerabilities by severity
- There’s no such thing as “done” with application security
- Understanding hackers: The insider threat
- Understanding hackers: The 5 primary types of external attackers
- Want to improve the security of your application? Think like a hacker
- 5 problems with securing applications
- Why you should build security into your system, rather than bolt it on
- Why a skills shortage is one of the biggest security challenges for companies
- How should your company think about investing in security?
- How to carry out a watering hole attack: Examples and video walkthrough
- How cross-site scripting attacks work: Examples and video walkthrough
- How SQL injection attacks work: Examples and video walkthrough
- How to run a software composition analysis tool
- How to run a SAST (static application security test): tips & tools
- How to run an interactive application security test (IAST): Tips & tools
- How to run a dynamic application security test (DAST): Tips & tools
- Introduction to Kubernetes security
- Key findings from ESG’s Modern Application Development Security report
- Microsoft’s Project OneFuzz Framework with Azure: Overview and concerns
- Software maturity models for AppSec initiatives
- Best free and open source SQL injection tools [updated 2021]
- Pysa 101: Overview of Facebook’s open-source Python code analysis tool
- Improving web application security with purple teams
- Open-source application security flaws: What you should know and how to spot them
- Android app security: Over 12,000 popular Android apps contain undocumented backdoors
- 13 common web app vulnerabilities not included in the OWASP Top 10
- Fuzzing, security testing and tips for a career in AppSec
- 14 best open-source web application vulnerability scanners [updated for 2020]
- 6 ways to address the OWASP top 10 vulnerabilities
- Ways to protect your mobile applications against hacking
- Introduction to the OWASP API Top Ten
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Application security
Application security
Application security
DevSecOps: Continuous Integration Continuous Delivery (CI-CD) tools
Application security