Without a doubt, Kubernetes has made a name in the DevOps industry. Along with allowing you to provision your containers and manage them with efficiency, it also comes with an easy setup.
However, Kubernetes is not highly secure and the cloud infrastructure adds to the limitations. So, this post will cover a few suggestions to make your Kubernetes environments more secure.
Ensure that your Kubernetes version is up to date
Make sure you keep track of Kubernetes’ quarterly updates. We recommend updating and running the latest patches in a timely manner. This would also help you be aware of new features and you can take advantage of them without having a backlog of updates.
Enable Role-Based Access Control
Role-Based Access Control (RBAC) is usually enabled by default in Kubernetes 1.6. Check your settings and enable RBAC while disabling legacy Attribute-Based Access Control (ABAC). In case you have upgraded beyond 1.6 and haven’t changed your configuration, you’ll want to double-check your settings.
Avoid provisioning cluster-wide permissions and giving anyone cluster-admin privileges. In case of the account being compromised, these controls save you a lot of trouble.
For creating first level isolation, namespaces help in applying security controls when different workloads are deployed. They isolate the components and thus make it easier to command.
At the same time, it is recommended to limit the use of namespaces.
Many experts advise restricting API access by IP address and allowing access from trusted IPs such as a VPN or bastion host. Another restriction to implement is the SSH access to your Kubernetes nodes.
Network policies allow you to restrict access to services within your Kubernetes cluster. You can also use them to restrict access to your cloud’s metadata API from pods in your cluster.
Manage sensitive workloads
Kubernetes has a provision to implement more restrictive policies on sensitive workloads to avoid any kind of data breach. It helps you tag a cluster of worker nodes and schedule pods to those nodes with RBAC roles.
Define audit policies
Logs help in identifying problems with the system and also detecting how hackers are bypassing security layers. Creating audit policies in Kubernetes can help. Enabling logs can help you have a centralized place to persist in the logs. Further, you can configure alerts, send notifications, or use webhooks to automate a patch.
Audit logging can be enabled in the control plane for major cloud providers in case you are running it in the cloud.
If you have Kubernetes 1.13, you can enable encryption at rest to control the etcd access. The database related to the cluster, workloads and more in etcd can leak passwords and accesses to hackers. If you use key management service (KMS) providers, the master key helps in safeguarding your secrets with encrypted backups.
Define a pod security policy
Another significant admin control is a pod security policy. It sets defaults for the workloads, determining how they are allowed to run the cluster. Defining a policy here can help you secure your Kubernetes environment.
Harden node security
Further, Kubernetes can be secured by improving the security posture on nodes. These are a few steps that can be taken in that direction:
- Check your configuration against CIS benchmarks, or look for an auto checker that can assess conformance with the standards. This ensures that the host is secure and configured correctly.
- You can limit the access to the Kubernetes API server in order to control access to sensitive ports.
- Do not grant access to nodes in the cluster for debugging and other tasks that can be handled without direct access. This will minimize the administrative access to the Kubernetes nodes.
Use network policies to control traffic
Network policies act as communication channels for pods. By default, the network policy does not apply to a pod. With a network policy in place, the pod can only communicate with the assets defined, unlike contacting every other pod in the environment. Network policies provide security control to prevent lateral movement and avoid attackers breaking in. This is a good practice for containers with critical data requiring a high level of security.
We hope these tips help you to create a safety net for your clusters and improve your Kubernetes environment experience.
That's not all, we have an array of tips that can aid your journey to become a Certified Kubernetes Administrator and further improve your skills.