Member post originally published on the ARMO blog by Ben Hirschberg
Kubernetes security is a critical part of the app lifecycle, through the build, deployment and runtime stages. Kubernetes runtime environments are dynamic and continuously changing. As clusters are replaced and permissions reassigned, security becomes an innate part of DevOps.
It is important to ensure that malware and other malicious attacks do not access the cloud, as they might lead to system failures, servers going down, and more. According to a paper by Red Hat, 93% of people faced a security issue in their Kubernetes environment in 2022.
To ensure that your Kubernetes infrastructure is safe and protected, DevOps engineers leverage Kubernetes security tools. The tools check for vulnerabilities, misconfigurations, and other issues in the Kubernetes environment that increase the attack surface. Considering organizations may have vast environments with many clusters, containers, and nodes, engineers turn to security tools to streamline security.
Kubernetes security domains
Kubernetes security can be divided into four layers. These 4 layers, also known as the 4Cs of Kubernetes security, are:
- Cloud
- Cluster
- Container
- Code
These are the four levels at which security must be ensured. But what do each of these layers signify, and what kind of security measures must one take? Don’t worry I’ve got you covered. Allow me to explain.
Cloud
The cloud is the base on which everything else is built and deployed. So if the security on this layer is not strong, then security measures on other layers will be rendered ineffective. Whether you’re using Amazon Web Services, IBM, Google Cloud Platform, or a different public cloud, they each offer security recommendations and best practices. As a rule of thumb, follow these to ensure your cloud’s safety. However, be aware of what they do and don’t cover under the shared responsibility model.
Cluster
The next layer is the cluster layer. This layer has two concerns: the security of the cluster components and the applications running in these clusters. Some of the practices to follow to secure your cluster and the application within it include:
- All API traffic accessing the cluster must be encrypted using Transport Layer Security (TLS).
- All API clients, including nodes, proxies, schedulers, and more within the Kubernetes infrastructure, must be authenticated. Based on the cluster size, you can choose the type of authentication to be used. You can use a static Bearer token approach, OIDC, or LDAP.
- After being authenticated, the different users must go through the authorization step. This way, the different users can be matched with the permissions assigned to them for the respective resources. Thus, users without permission on a specific resource will not be able to access or operate on the resource.
- DevOps engineers must also control access to kubelet which has endpoints that can control nodes and containers.
- Limit the number of resources assigned to a namespace.
- Limit the number of users who can access a specific resource at the same time.
- Control the kind of privileges containers can run based on the functions they perform.
- Do not let containers run unnecessary kernel modules.
- Use network policies to control access to the network. This involves controlling the visibility of applications outside the cluster, managing the network rules, allowing and disallowing the exchange of information between nodes, and more.
- Do not allow access to the metadata of Cloud API.
Besides these, there are many other practices one must follow to ensure cluster component security.
Container
Containers are the third layer of Kubernetes security. A few common security challenges and best practices include:
Area of Concern for Containers | Recommendation |
---|---|
Container Vulnerability Scanning and OS Dependency Security | As part of an image build step, you should scan your container images and your containers for known vulnerabilities. |
Image Signing and Enforcement | Sign container images to maintain a system of trust for the content of your containers. |
Disallow privileged users | When constructing containers, ensure you create users that have the least level of operating system privilege necessary to carry out the goal of the container. |
Use container runtime with stronger isolation | Select container runtime classes that provide stronger isolation. |
Code
Code is the final layer of security where most attacks happen. Thus it is imperative to secure the code layer with the best security measures. Some of the common practices include:
- Access to code must only be over the TLS.
- Audit the code and check for security vulnerabilities using third-party tools based on the type of code used.
- Limit access to the code and expose only those ports which are absolutely necessary for communications.
- Try testing your code against simulations of common service attacks. Shedding light on the strength of your code and its resilience to frequently occurring attacks.
Top Kubernetes security tools
Now that you have an overview of Kubernetes security, let’s look at some of the top Kubernetes security tools. They can help you ensure the safety of your Kubernetes environment.
Kubescape
Kubescape is a security tool with features that cater specifically to Kubernetes environments and infrastructure.
- Kubescape detects misconfigurations and provides remediation advice to eliminate them. With this, you can reduce the attack surface and harden your Kubernetes system.
- Kubescape can also scan images for vulnerabilities, to ensure you are aware of what goes into your environment.
- Supporting many frameworks and standards, Kubescape ensures that your infrastructure is compliant with the latest security standards and follows best practices.
- The tool automates security and compliance for complex DevOps workflows in the environment. It also enables you to secure the CI/CD pipelines.
- Besides this, it also offers a visual graph of the RBAC configuration. Built-in and ad-hoc queries help you investigate and monitor access to different resources.
For additional aspects of security we suggest checking out some of the following security tools. Here are some examples of leading tools that specialize in different security domains:
Tool: Cillium
Domain: Network security
Description: A cloud-native solution for securing Kubernetes environments.
- Network visibility and observability within Kubernetes clusters
- Threat protection to detect and mitigate attacks
- Fine-grained policy enforcement
Tool: Falco
Domain: Runtime security
Description: An open-source activity monitoring and intrusion detection system.
- Monitors containers to detect suspicious behavior and potential threats
- Utilizes a powerful rule engine to create custom rules and policies
- Sends real-time alerts that enable quick responses to security incidents
Tool: Checkov
Domain: IaC security
Description: An open-source scanner for identifying misconfigurations and mitigating risks.
- Scans infrastructure-as-code files and configurations
- Provides a wide range of predefined policies and best practices
- Offers integration with CI/CD pipelines enabling proactive security measures
Tool: Kong
Domain: API server security
Description: An API gateway and service mesh platform designed to enhance security.
- Enabling authentication, authorization, and access for APIs running in clusters
- Providing encrypted and authenticated communications between services
- Offering detailed logging, monitoring and analytics capabilities
Tool: Kube-audit
Domain: Compliance and governance
Description: A tool for auditing and logging activities within a Kubernetes cluster
- Captures events related to resources, APIs, configurations and user activity
- Provides post-mortem insights into security breaches and policy violations
- Maintains a comprehensive audit trail for proof of regulatory/internal compliance
Conclusion
In conclusion, organizations that use Kubernetes should ensure they have strong security measures in place. As these environments become more complex and dynamic, the need for more effective security tools becomes critical.
Each tool discussed in this article can help you secure part of the 4Cs mentioned above. Consider using a combination of tools, best practices, and regular audits to stay safe.