Kubernetes is an extensible, portable, open-source container orchestration platform that dominates the enterprise market. Thousands of organizations use Kubernetes to manage container workloads and services, making it a large and vibrant ecosystem. This means that Kubernetes security tools, support, and services are widely available.
However, Kubernetes environments also have serious security risks, such as runtime security incidents and cluster misconfigurations. Kubernetes security risks typically fall into various stages of the container lifecycle.
Kubernetes security best practices and practical advice relate to:
- Responding effectively to threats at runtime
- Avoiding misconfigurations during deployment and build phases
- Fixing known vulnerabilities during build phases
Below we cover a few important Kubernetes security best practices that can help you secure your clusters.
1. Isolate Sensitive Workloads
Run sensitive workloads on a dedicated set of machines to limit the potential impact of compromise. This approach reduces the risk of accessing sensitive applications through shared container runtimes or less-secure applications. It also reduces the risk of attackers compromising secrets stored on sensitive nodes.
This isolation can be achieved using node pools (cloud or on-premises), Kubernetes namespaces, taints, tolerations, and other controls.
2. Enable Role-Based Access Control (RBAC)
Use Kubernetes role-based access control (RBAC) to control who can access Kubernetes APIs and what permissions they have. RBAC is enabled by default in Kubernetes 1.6+.
Even after applying RBAC, you still need to use it effectively. In general, you should prefer namespace-specific permissions and avoid cluster-wide permissions. Do not grant cluster administrator privileges to anyone, even for debugging purposes. It’s much safer to grant access on a case-by-case basis only when needed.
If your application needs access to the Kubernetes API, create a separate service account and grant each minimal set of permissions required to use your site. This is better than granting broad permissions to the namespace default account.
3. Implement a Service Mesh
A service mesh is an infrastructure layer for microservice applications that helps reduce the complexity of managing microservices and deployments by centrally handling inter-service communication. A service mesh is well-suited for troubleshooting operational issues and problems with running containers and microservices, as it provides a unified way to secure, connect, and monitor microservices.
A service mesh provides tracing and telemetry metrics that make it easier to understand your system and resolve root causes.
Service mesh solutions provide security features designed to secure services on your network and quickly identify dangerous traffic entering your cluster. A service mesh makes security easier to manage with mTLS, ingress and egress control, and more.
4. Leverage Kubernetes Monitoring and Security Tools
Kubernetes is an orchestrator, a set of APIs that can be used to build and run a variety of workloads, but it cannot be run as a standalone solution in most production environments. Instead, it relies on configuration and third-party tools to meet security standards.
The following Kubernetes security tools can help you to monitor workloads in a production environment:
- Behavioral analytics and network monitoring tools—all applications follow a pattern. However, changes, such as new releases, marketing campaigns, peaks in traffic, or security breaches, deviate from this pattern. Understanding these anomalies and their causes is critical to quickly mitigating security breaches. The downside is that these tools require a skilled operator to actively monitor and determine if action is needed.
- Logging and monitoring tools—by default, microservices platforms split container logs into different services. Requests often move between multiple services until they are completed. So without a dedicated tool that captures all the logs and stores them in a centralized environment, it’s very difficult to get the full picture of a full request and detect if something went wrong. Dedicated container logging and monitoring tools can centralize logs and perform distributed tracing, which is critical for troubleshooting. Security information and event management (SIEM) solutions help combine this data with security events across the organization.
- Networking tools—the Kubernetes distribution provides default settings, and it is possible to modify these settings according to security best practices. However, in most cases you will need a dedicated container networking tool. Examples include the open source Calico project, and for larger-scale deployments, a service mesh like Istio.
5. Scan Container Images
Avoid using container images from public repositories such as DockerHub, or at least only use container images from official vendors such as Ubuntu and Microsoft (News – Alert). A better approach is to use a Dockerfile to define, build, and publish images to a private image repository, where you have more control. However, whether you build your own container images or use pre-existing images, make sure you use tools to scan containers for potential vulnerabilities.
Conclusion
In this article, I explained the basics of Kubernetes security and covered 5 best practices that can improve your security posture:
- Isolate sensitive workloads to prevent lateral movement
- Enable Role-Based Access Control (RBAC) to ensure granular access control
- Implement a service mesh to ensure all communications inside and outside the cluster are secure
- Leverage Kubernetes monitoring and security tools to discover incidents and respond to them
- Scan container images for vulnerabilities
I hope this will be useful as you level up your Kubernetes security efforts.
Author Bio: Gilad David Maayan
Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP (News – Alert), Imperva, Samsung NEXT, NetApp and Check Point, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership. Today he heads Agile SEO, the leading marketing agency in the technology industry.
LinkedIn (News – Alert): https://www.linkedin.com/in/giladdavidmaayan/
