Kubernetes security can appear to be a difficult task. Kubernetes is a highly complicated system made up of numerous distinct components, so it cannot be secured by merely turning on security modules or adding security software. Instead, Kubernetes security necessitates teams addressing every type of security risk that may affect any layer or service within a Kubernetes cluster. Teams must be aware of how to secure Kubernetes components and workload .

If you’re new to Kubernetes and still trying to figure out how it all works, let alone how to keep it secure, all of this can be overwhelming. However, if you break the concepts down into manageable chunks, they are actually quite simple. To that end, this article will introduce and explain the fundamentals of various aspects of Kubernetes security, as well as the guiding principles for Kubernetes security at various levels .

CIS benchmark

The Center for Internet Security (CIS) publishes best practice security benchmarks. The CIS Kubernetes Benchmark is a set of guidelines for configuring Kubernetes to support a robust security posture. The Benchmark is associated with a particular Kubernetes release.

The Center for Internet Security ® offers a free Kubernetes benchmark. You might want to return on a regular basis for new or different information. 1. Launch your local browser and navigate to https://www.cisecurity.org/cis-benchmarks/.
Complete your contact details and accept the terms. In a minute or two, an email will be delivered to the email address provided. The email includes a link to Access the PDFs, which will take you to a website where you can download the freely available PDFs.
Skim to the bottom of the list to find the Kubernetes content.

Retrieve the most recent CIS Kubernetes Benchmark.
Through using kube-bench tool, resolve any major issues.

More details are available at

• https://www.cisecurity.org/benchmark/kubernetes/
• https://www.cisecurity.org/cis-benchmarks/#kubernetes
• https://www.cisecurity.org/cybersecurity-tools/cis-cat-pro/cis-benchmarks-supported-by-cis-cat-pro/

kube–bench

Aqua Security’s kube-bench tool determines whether Kubernetes is securely deployed by running the checks documented in the CIS Kubernetes Benchmark. It’s open-source and completely free.

https://killercoda.com/killer-shell-cks/scenario/cis-benchmarks-kube-bench-fix-controlplane

Securing the kube-apiserver 

As you may recall, every API call as part of the kube-apiserver goes through three phases:

• Admission Control
• Authentication
• Authorization

As a result, the kube-apiserver is a prime target for controlling or preventing cluster operation. It is critical to avoid even evaluating unwanted traffic.

RBAC

https://killercoda.com/killer-shell-cks/scenario/rbac-user-permissions

Using Service Accounts

https://killercoda.com/killer-shell-cka/scenario/rbac-serviceaccount-permissions

Enable API Server Auditing

https://killercoda.com/killer-shell-cks/scenario/auditing-enable-audit-logs

When activated, each API call is audited, even if it is eventually rejected by a filter. Since the audit information is generated by the kube-apiserver, the process will consume more memory.
Every call is divided into three phases: receiving the call (RequestReceived), handling the call (ResponseStarted), and making the response call (ResponseComplete). There is also the possibility of a panic if there is a problem (Panic).
In order, each event is compared to the rules. The first of one or more matching rules determines the audit level for the event. The audit levels are as follows:

Encrypt your Data At Rest

To encrypt secrets at rest, the kube-apiserver must be updated to use a newly configured encryption provider configuration rather than just a symmetrical base64 encoding. Because encryption occurs during the write, every secret must be re-written after the kube-apiserver has been updated and restarted.

https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/

As secrets are base64 encoded, and not encrypted by default they may not be as secure as desired. In this lab we will configure the API server to encrypt the secrets

Harden Kubernetes Networking

Implement Network Security Policy

https://killercoda.com/killer-shell-ckad/scenario/networkpolicy-namespace-communication

https://killercoda.com/killer-shell-cks/scenario/networkpolicy-create-default-deny

Configure an Ingress Controller 

https://killercoda.com/killer-shell-cks/scenario/ingress-create

Configure mTLS 

https://killercoda.com/killer-shell-cks/scenario/ingress-secure

Secure Your Kubernetes Workload

ImagePolicyWebhook

https://killercoda.com/killer-shell-cks/scenario/image-policy-webhook-setup

Image Analysis With Trivy 

https://killercoda.com/killer-shell-cks/scenario/image-vulnerability-scanning-trivy

Using Falco to Monitor Audit Events

https://killercoda.com/killer-shell-cks/scenario/falco-change-rule

Working with AppArmor Profiles

https://killercoda.com/killer-shell-cks/scenario/apparmor

Gvisor for sandboxing containers

https://killercoda.com/killer-shell-cks/scenario/sandbox-gvisor

Create Immutable pods

Create an immutable pod in the prod-b namespace. 

https://killercoda.com/killer-shell-cks/scenario/immutability-readonly-fs