Securing Kubernetes can look like a daunting task. Kubernetes is a complex system made up of many distinct components, so it cannot be secured simply by switching on a security module or installing a security product. Instead, teams have to address every class of risk that can affect any layer or service within a cluster, and they need to know how to secure both the Kubernetes components themselves and the workloads that run on them.
If you are new to Kubernetes and still working out how it fits together, let alone how to keep it secure, all of this can be overwhelming. Broken into manageable pieces, however, the concepts are straightforward. To that end, this article introduces the fundamentals of the main areas of Kubernetes security and the guiding principles that apply at each level.
CIS benchmark
The Center for Internet Security (CIS) publishes best-practice security benchmarks. The CIS Kubernetes Benchmark is a set of guidelines for configuring Kubernetes to support a robust security posture. Each version of the Benchmark targets a particular Kubernetes release, so use the one that matches the version your cluster runs.
The Center for Internet Security offers the Kubernetes Benchmark free of charge. Check back regularly, because the Benchmark is revised as Kubernetes changes.
1. Open a browser and navigate to https://www.cisecurity.org/cis-benchmarks/.
2. Complete the contact form and accept the terms. Within a minute or two an email arrives at the address you provided; it contains an "Access the PDFs" link to the page where the free PDFs can be downloaded.
3. Skim to the bottom of the list to find the Kubernetes entry.
4. Download the most recent CIS Kubernetes Benchmark for your cluster version.
5. Run kube-bench against the cluster and fix the failing checks, starting with the most serious ones.
More details are available at
- https://www.cisecurity.org/benchmark/kubernetes/
- https://www.cisecurity.org/cis-benchmarks/#kubernetes
- https://www.cisecurity.org/cybersecurity-tools/cis-cat-pro/cis-benchmarks-supported-by-cis-cat-pro/
kube-bench
Aqua Security's kube-bench is an open-source, free tool that checks whether a cluster is deployed securely by running the checks documented in the CIS Kubernetes Benchmark against the control plane and worker nodes it runs on.
https://killercoda.com/killer-shell-cks/scenario/cis-benchmarks-kube-bench-fix-controlplane
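The following Job runs kube-bench once on a control-plane node and leaves the report in the Pod's logs. It is an added example, adapted from the pattern kube-bench's own job manifest uses, not code from the lab above; the host paths assume a kubeadm layout (/etc/kubernetes, /var/lib/etcd), and the image tag and namespace are assumptions.

```yaml
# Added example: one-shot kube-bench run on a kubeadm control-plane node.
apiVersion: batch/v1
kind: Job
metadata:
  name: kube-bench
  namespace: kube-system
spec:
  template:
    spec:
      restartPolicy: Never
      hostPID: true                      # needed to read the kube-apiserver/kubelet command lines
      nodeSelector:
        node-role.kubernetes.io/control-plane: ""
      tolerations:
        - key: node-role.kubernetes.io/control-plane
          operator: Exists
          effect: NoSchedule
      containers:
        - name: kube-bench
          image: docker.io/aquasec/kube-bench:latest     # pin a release tag in production (assumption)
          # Run only the control-plane ("master") and worker-node sections; the benchmark
          # version is auto-detected from the node's Kubernetes version.
          command: ["kube-bench", "run", "--targets", "master,node"]
          volumeMounts:
            - name: var-lib-etcd
              mountPath: /var/lib/etcd
              readOnly: true
            - name: var-lib-kubelet
              mountPath: /var/lib/kubelet
              readOnly: true
            - name: etc-kubernetes
              mountPath: /etc/kubernetes
              readOnly: true
            - name: usr-bin
              mountPath: /usr/local/mount-from-host/bin   # where kube-bench looks for host binaries
              readOnly: true
      volumes:
        - name: var-lib-etcd
          hostPath:
            path: /var/lib/etcd
        - name: var-lib-kubelet
          hostPath:
            path: /var/lib/kubelet
        - name: etc-kubernetes
          hostPath:
            path: /etc/kubernetes
        - name: usr-bin
          hostPath:
            path: /usr/bin
```

Apply it with kubectl apply and read the report with kubectl -n kube-system logs job/kube-bench. Most control-plane findings are fixed by editing the static Pod manifests under /etc/kubernetes/manifests (the kubelet restarts the Pod on its own); re-run a single control afterwards with --check, for example kube-bench run --targets master --check 1.2.16. Note that hostPID plus read access to /etc/kubernetes makes this Job as sensitive as the node itself: delete it once you have the report.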
Securing the kube-apiserver
As you may recall, every request to the kube-apiserver passes through three phases, in this order:
- Authentication (who is making the request)
- Authorization (is that identity allowed to do this)
- Admission Control (should the object be mutated or rejected before it is persisted)
The API server is therefore the one component that can allow, control or block every cluster operation, which makes it a prime target. Unwanted traffic should be rejected as early in that chain as possible, or, better, kept from reaching the API server at all.
RBAC
https://killercoda.com/killer-shell-cks/scenario/rbac-user-permissions
Using Service Accounts
https://killercoda.com/killer-shell-cka/scenario/rbac-serviceaccount-permissions
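A least-privilege Role bound to a ServiceAccount, as an added example covering both the RBAC and the ServiceAccount labs above (this is not code from the labs; the namespace prod-b is taken from later in this page, and the names log-reader, pod-log-reader, log-shipper and the image are assumptions):

```yaml
# Added example: a ServiceAccount that may only read Pods and their logs in prod-b.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: log-reader
  namespace: prod-b
# Do not inject a token into every Pod that uses this account; Pods opt in below.
automountServiceAccountToken: false
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-log-reader
  namespace: prod-b
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log"]   # the log subresource has to be named explicitly
    verbs: ["get", "list"]            # no create/exec/delete: those would allow escalation
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: log-reader
  namespace: prod-b
subjects:
  - kind: ServiceAccount
    name: log-reader
    namespace: prod-b
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role                          # a Role, not a ClusterRole: the grant stays inside prod-b
  name: pod-log-reader
---
apiVersion: v1
kind: Pod
metadata:
  name: log-shipper
  namespace: prod-b
spec:
  serviceAccountName: log-reader
  automountServiceAccountToken: true  # this Pod genuinely needs the token
  containers:
    - name: shipper
      image: registry.example.internal/log-shipper:1.0   # assumption
```

Check the result from the ServiceAccount's point of view before trusting it: kubectl auth can-i list pods --as=system:serviceaccount:prod-b:log-reader -n prod-b should answer yes, while the same command with delete pods, or with -n default, should answer no. The same --as flag works for a user name when checking the RBAC user-permissions lab. Avoid wildcards in verbs and resources, and treat pods/exec, pods/attach and the create verb on pods as equivalent to node access for anyone who holds them.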
Enable API Server Auditing
https://killercoda.com/killer-shell-cks/scenario/auditing-enable-audit-logs
When auditing is enabled, every API request is recorded, including requests that are later rejected by authentication, authorization or admission. Because the audit events are generated by the kube-apiserver itself, enabling auditing increases the memory consumed by the API server process.
Each request produces events at up to three stages: RequestReceived (the audit handler has received the request), ResponseStarted (the response headers have been sent but the body has not; this applies only to long-running requests such as watch) and ResponseComplete (the response body has been sent). A fourth stage, Panic, is recorded if the API server panics while handling the request.
Each event is compared against the policy rules in order; the first matching rule determines the audit level recorded for that event, so rule order matters. The audit levels are as follows:
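The four levels a rule can set are None (do not log), Metadata (user, verb, resource, timestamp, no bodies), Request (metadata plus the request body) and RequestResponse (metadata plus request and response bodies). The policy below, an added example rather than the lab's own file, shows why first-match ordering matters; the file paths used in the usage note are assumptions.

```yaml
# Added example: audit policy for a kubeadm cluster (path assumed: /etc/kubernetes/audit/policy.yaml).
apiVersion: audit.k8s.io/v1
kind: Policy
# RequestReceived adds a second event per request with no new information; drop it globally.
omitStages:
  - "RequestReceived"
rules:
  # 1. Secrets, ConfigMaps and token reviews: record who touched what, but never the object
  #    body, which would copy secret material into the audit log.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps"]
      - group: "authentication.k8s.io"
        resources: ["tokenreviews"]
  # 2. Silence health probes and the kube-proxy watches that would otherwise dominate the log.
  - level: None
    nonResourceURLs: ["/healthz*", "/livez*", "/readyz*", "/version"]
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: ""
        resources: ["endpoints", "services"]
  # 3. Full request and response bodies for every write. Because rule 1 sits above this one,
  #    writes to Secrets still land at Metadata; swap the two rules and secret values get logged.
  - level: RequestResponse
    verbs: ["create", "update", "patch", "delete"]
  # 4. Everything else: metadata only.
  - level: Metadata
```

To activate it on a kubeadm control plane, add --audit-policy-file=/etc/kubernetes/audit/policy.yaml and --audit-log-path=/var/log/kubernetes/audit/audit.log to the kube-apiserver static Pod, mount both the policy directory and the log directory into the Pod with hostPath volumes, and bound the log with --audit-log-maxage, --audit-log-maxbackup and --audit-log-maxsize. A mistake in the policy file prevents the API server from starting, so watch crictl ps or the kubelet journal on the node after the edit.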
Encrypt your Data At Rest
By default the kube-apiserver stores Secrets in etcd base64-encoded, which is an encoding, not encryption: anyone who can read etcd, or a backup of it, can read every Secret. To encrypt Secrets at rest, the kube-apiserver must be started with an encryption provider configuration. Because encryption happens on write, every existing Secret must be re-written after the API server has been reconfigured and restarted.
https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/
Since Secrets are base64-encoded and not encrypted by default, they may not be as secure as desired. In this lab the API server is configured to encrypt Secrets.
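An EncryptionConfiguration for Secrets, added here as an example (it is not the lab's file). The file path, the key name and the placeholder key are assumptions; the key itself is generated on the control-plane node with head -c 32 /dev/urandom | base64.

```yaml
# Added example, path assumed: /etc/kubernetes/enc/enc.yaml
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      # The FIRST provider encrypts new writes; every listed provider is tried, in order, on read.
      # secretbox (XSalsa20-Poly1305) takes a 32-byte key:  head -c 32 /dev/urandom | base64
      - secretbox:
          keys:
            - name: key1
              secret: REPLACE_WITH_BASE64_OF_32_RANDOM_BYTES   # placeholder, assumption
      # identity (no encryption) LAST, so Secrets written before this change can still be read.
      # If identity were listed first, the API server would start happily and encrypt nothing.
      - identity: {}
```

Add --encryption-provider-config=/etc/kubernetes/enc/enc.yaml to the kube-apiserver static Pod, mount /etc/kubernetes/enc read-only into it, and wait for the restart. Then force every existing Secret through the new write path with kubectl get secrets --all-namespaces -o json | kubectl replace -f -. To verify, read one key directly from etcd with etcdctl get /registry/secrets/<namespace>/<name> and pipe it through hexdump -C: the value should now start with k8s:enc:secretbox:v1:key1: instead of plaintext. Protect the configuration file with root-only permissions, since whoever holds both the key and an etcd backup has defeated the scheme; where a cloud or on-prem KMS is available, the kms provider keeps the key out of the node's filesystem entirely.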
Harden Kubernetes Networking
Implement Network Security Policy
https://killercoda.com/killer-shell-ckad/scenario/networkpolicy-namespace-communication
https://killercoda.com/killer-shell-cks/scenario/networkpolicy-create-default-deny
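A default-deny policy with the two allow rules a real namespace needs, as an added example covering both NetworkPolicy labs above (not the labs' own manifests). The namespaces prod-a and prod-b, the app=api label and port 8080 are assumptions; the k8s-app=kube-dns label matches CoreDNS in a kubeadm cluster.

```yaml
# Added example: lock down namespace prod-b, then re-open only what is needed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: prod-b
spec:
  podSelector: {}                     # every Pod in the namespace
  policyTypes: ["Ingress", "Egress"]  # both directions denied; no ingress/egress lists given
---
# Without this, Pods behind the default-deny cannot resolve any name.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: prod-b
spec:
  podSelector: {}
  policyTypes: ["Egress"]
  egress:
    - to:
        # namespaceSelector and podSelector in the SAME list item are ANDed:
        # "kube-dns Pods in kube-system", not "anything in kube-system or any kube-dns Pod".
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
---
# Let Pods in prod-a reach the api Pods in prod-b, on the service port only.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-api-from-prod-a
  namespace: prod-b
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: prod-a
      ports:
        - protocol: TCP
          port: 8080
```

NetworkPolicy is additive: a Pod selected by several policies gets the union of their allow rules, which is why the deny-all policy can stay in place while narrower policies open specific paths. The rules are only enforced when the cluster's CNI plugin implements NetworkPolicy; on a CNI that does not, the objects are accepted by the API server and silently ignored, so test with a throwaway Pod (kubectl run, then wget or nc against the target) rather than trusting the manifest.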
Configure an Ingress Controller
https://killercoda.com/killer-shell-cks/scenario/ingress-create
Configure mTLS
https://killercoda.com/killer-shell-cks/scenario/ingress-secure
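An Ingress that terminates TLS and additionally requires a client certificate, as an added example for the two Ingress labs above (not the labs' own manifest). The annotations are ingress-nginx specific and only work with that controller; the host name, Secret names, Service name and port are assumptions.

```yaml
# Added example. Prerequisites (assumed):
#   kubectl -n prod-b create secret tls api-tls --cert=tls.crt --key=tls.key
#   kubectl -n prod-b create secret generic client-ca --from-file=ca.crt=ca.crt
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: api
  namespace: prod-b
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"             # never serve the app over plain HTTP
    # mTLS: the controller verifies the client certificate against the CA in prod-b/client-ca
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
    nginx.ingress.kubernetes.io/auth-tls-secret: "prod-b/client-ca"
    nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
spec:
  ingressClassName: nginx
  tls:
    - hosts: ["api.example.internal"]
      secretName: api-tls                                          # server certificate and key
  rules:
    - host: api.example.internal
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: api
                port:
                  number: 8080
```

Both TLS sessions end at the ingress controller: the hop from the controller to the api Pods is plain HTTP unless the backend itself speaks TLS or a service mesh encrypts Pod-to-Pod traffic, so a NetworkPolicy that restricts who may reach port 8080 still matters. Verify the mTLS requirement from outside with curl --cacert ca.crt https://api.example.internal/ (expect a 400 from the controller) and again with --cert client.crt --key client.key (expect the application's response).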
Secure Your Kubernetes Workload
ImagePolicyWebhook
https://killercoda.com/killer-shell-cks/scenario/image-policy-webhook-setup
Image Analysis With Trivy
https://killercoda.com/killer-shell-cks/scenario/image-vulnerability-scanning-trivy
Using Falco to Monitor Audit Events
https://killercoda.com/killer-shell-cks/scenario/falco-change-rule
Working with AppArmor Profiles
https://killercoda.com/killer-shell-cks/scenario/apparmor
gVisor for sandboxing containers
https://killercoda.com/killer-shell-cks/scenario/sandbox-gvisor
Create immutable pods
Create an immutable pod in the prod-b namespace.
https://killercoda.com/killer-shell-cks/scenario/immutability-readonly-fs
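One hardened manifest covering the gVisor, AppArmor and immutability labs above, added as an example rather than taken from the labs: a RuntimeClass for gVisor, an immutable Pod that runs under it, and a second Pod on the default runtime with an AppArmor profile. The images, the profile name k8s-deny-write and the assumption that the node's containerd has a runsc runtime configured are all assumptions; prod-b comes from the task description above.

```yaml
# Added example: sandboxed, immutable workloads in prod-b.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc                      # containerd must know a runtime named runsc (assumption)
---
apiVersion: v1
kind: Pod
metadata:
  name: api
  namespace: prod-b
spec:
  runtimeClassName: gvisor          # syscalls are served by gVisor's sandbox kernel, not the host
  automountServiceAccountToken: false
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001
    runAsGroup: 10001
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: api
      image: registry.example.internal/api:1.4.2   # assumption
      securityContext:
        readOnlyRootFilesystem: true     # the image's filesystem cannot be changed at runtime
        allowPrivilegeEscalation: false  # no setuid binaries gaining privilege
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        # Only the paths the process must write get a volume; everything else stays read-only.
        - name: tmp
          mountPath: /tmp
        - name: cache
          mountPath: /var/cache/api
  volumes:
    - name: tmp
      emptyDir: {}
    - name: cache
      emptyDir: {}
---
# Same hardening on the default runtime, plus an AppArmor profile. The securityContext field
# exists from Kubernetes 1.30; older releases use the
# container.apparmor.security.beta.kubernetes.io/<container-name> annotation instead.
apiVersion: v1
kind: Pod
metadata:
  name: worker
  namespace: prod-b
spec:
  automountServiceAccountToken: false
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001
  containers:
    - name: worker
      image: registry.example.internal/worker:2.0   # assumption
      securityContext:
        readOnlyRootFilesystem: true
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
        appArmorProfile:
          type: Localhost
          localhostProfile: k8s-deny-write   # must already be loaded on the node (assumption)
```

The AppArmor profile has to be loaded on every node the Pod may land on (apparmor_parser -q /etc/apparmor.d/k8s-deny-write, then confirm with aa-status); a Pod that references a profile the node does not have is rejected rather than started. Check immutability the direct way: kubectl -n prod-b exec api -- touch /etc/x should fail with "Read-only file system", while writing under /tmp succeeds. The emptyDir volumes are still writable, so keep them to the minimum the process really needs, and remember that gVisor enforces its own sandbox boundary rather than the host's AppArmor profile, which is why the two Pods here keep the two mechanisms separate.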