Securing Kubernetes: Best Practices

By on

Click here to learn more about Gilad David Maayan.

Kubernetes (k8s) is a popular container orchestration platform. However, the rush to adopt k8s technologies can lead to errors. In an already dangerous digital sphere, there’s no room for mistakes. Threat actors will take advantage of any vulnerability they can find. Once exploited, your vulnerability can turn into a nightmare of epic proportions.

In December 2018, the first major vulnerability in Kubernetes was discovered. It was named CVE-2018-1002105, and it can be used to attack clusters via the Kubernetes API server. A recent scan discovered 37 vulnerabilities in Kubernetes. As more organizations adopt containerization, securing Kubernetes becomes crucial for the health of applications.

Key Security Best Practices for Kubernetes

Image Source: Wikimedia

1. Reduce Network Exposure

Kubernetes can potentially expose API services or data storage, so reducing the exposure surface is the first security measure you should take. You should install the k8s cluster in a private network, or at the very least in a public network behind solid firewalls.

2. Isolate Resources

k8s clusters are accessed by different customers and applications, which sometimes causes security issues. For instance, containers can monopolize resources usage, creating performance issues for other applications. You can prevent these issues by restricting resource requests in the Kubernetes ‘Resource Requests and Limits’ menu.

3. Restrict Privileges in Containers

Contrary to popular belief, containers are not completely isolated. Processes and resources are shared by all containers. You can limit the privileges of containers to a minimum by running containers as non-root. You can also restrict access to the host resources by running containers as non-privileged.

4. Log and Audit

This process consists of two key steps.

  • Monitor the Logs: You should monitor both application logs and cluster logs to look for anomalies. There are a number of tools you can use, such as ELK stack (ElasticSearch, Logstash, and Kibana), and Amazon Cloudwatch for companies running k8s in AWS.
  • Audit:  Setting regular security audits can help you find vulnerabilities. Some tools you can use to automate the auditing include Clair and OpenScap.

5. Control the Source of Container Images

Containerization enables you to build using public container images. However, you can end up using a compromised container image. It is important to use images from trusted sources. If you don’t know the source of the container image you just found, don’t use it.

6. Encrypt Secrets at Rest

If attackers get access to etc. – the storage layer of k8s – they can access sensitive information. From Kubernetes 1.13 and up you can enable encryption at rest. This means that all backups are encrypted. It is advisable to use a key management service.

7. Segregate Sensitive Data

You can also separate sensitive data from the rest by using k8s features like namespaces, taints or tolerations. This practice, combined with Role-Based Access Control (RBAC), can allow you to restrict access to worker nodes containing confidential workloads.

8. Keep k8s Versions Up-to-date

It may seem obvious, but one of the most basic security practices is to keep your k8s release updated. This will allow you to apply the latest patches. If you are running your cluster in the cloud, some vendors will update the release for you. If you want to do it yourself, you can check this post by Google about how to update the cluster with no downtime.

9. Enable Role-based Sccess Control (RBAC)

You should make sure RBAC is enabled in the cluster for defining permissions to users requesting access to the API. By using RBAC the default mode is denying access and only gives permission to the roles you specified. You can also create cluster roles. This will enable you to give permission to all namespaces.

Securing Kubernetes Cluster Components

Securing the Pod

Pods consist of a group of containers that are deployed together and share the same resources. The pod is the basic executable unit of k8s. There are several attack vectors that can affect a container inside a pod. Here are two security measures you can implement to protect pods:

  • Use a Minimalist OS: Using a basic OS can prevent unwanted processes and unaccredited software from being executed as part of the cluster.
  • Configure the Communication Between Pods: Ensure only approved ports and destinations are used by the service. This can block attackers from reaching other pods.

Securing the Node

K8s nodes can run on a cloud-managed cluster, an on-premise deployment, or a hybrid environment. These nodes often use disks for persistency. You can protect these disks with permission management and data encryption.

Securing the Network

Attackers can perform Distributed Denial of Service (DDoS) attacks to find a loophole and gain access to the cluster. DDOS attacks flood the network with fake requests, thus causing its collapse and preventing access from legitimate requests. Virtual Private Clouds (VPC) networks can provide a degree of isolation for the cluster.

Wrap Up

Protecting a Kubernetes cluster is not an easy feat. The variety of attack vectors that exist, and the fast-paced adoption of this technology, make it vulnerable. Companies running k8s should implement security practices to ensure the protection of the network, the cluster, and its components. You can use this article as a starting point but be sure to continually increase your knowledge base. Timely information can often be the difference between a breach and a minor incident.

We use technologies such as cookies to understand how you use our site and to provide a better user experience. This includes personalizing content, using analytics and improving site operations. We may share your information about your use of our site with third parties in accordance with our Privacy Policy. You can change your cookie settings as described here at any time, but parts of our site may not function correctly without them. By continuing to use our site, you agree that we can save cookies on your device, unless you have disabled cookies.
I Accept