Virtualization Technology News and Information
Your Quick Start Guide to Better Kubernetes Security

Written by Shiri Ivtsan, Product Manager, WhiteSource

Security teams often get left behind when it comes to new technologies. Developers and architects play with new toys and stretch their capabilities with glee. They get the fun job of seeing what's possible. Developers see Kubernetes and imagine the utopia of container orchestration and all that is possible with it. 

Security teams see Kubernetes and other new technologies with cautious optimism. It'll be a great tool for the business, for sure, but then the hammer will drop. The security team will get the call to figure out how to use these amazing new tools without increasing risk. That's the hard part of the job.

Let's make things a little easier. We've compiled a short, simple quick start guide to securing Kubernetes. While not a comprehensive guide, here you'll find the basic principles that'll get you started. You'll be able to build and speak intelligently about your Kubernetes security strategy. You'll also have what you need to dig deeper into the topic when the time is right.

Use Pod Security Policies

Pod security policies are a powerful tool used to ensure all pods conform to a security standard before being accepted into a cluster. Think of security policies as cluster border patrol; each pod is checked thoroughly before being allowed into the cluster.

Not all Kubernetes distributions have pod security policies turned on by default. Make sure the distribution you're using has policies and enable them.

Here are some basic pod security policies you need to configure for a secure Kubernetes cluster:

  • Prevent containers from running as a privileged user
  • Prevent containers from writing to the file system
  • Prevent privilege escalation (yes, you have to explicitly enable this)
  • Prevent containers from running as root

It's also a good practice to group these policies into a single file for easier deployment. Check out our post on pod security policies to learn how to enable each of these policies in your Kubernetes cluster.

Use Kubernetes Networking Effectively

Networking in Kubernetes can be complex; take the time to learn how to do it effectively. Kubernetes' container network interface (CNI) helps to simplify networking between pods so you can set security policies more easily.

Access control lists (ACLs) have long been used in networking to control which machines are allowed to connect to each other. ACLs should be used within a Kubernetes cluster for fine-grained control of which pods can connect with other pods and external services.

Project Calico is an open source project built to provide security policies for Kubernetes clusters. With it, you can define security policies that are available to developers to assign to their applications during deployment.

Fine-grained control over your Kubernetes cluster's internal network will provide a layer of defense against malicious attackers who try to take over containers. Get familiar with Kubernetes networking and use good tools to keep your network secure.

Pay Attention to What Your Containers are Using

Scanning applications during the development process for known vulnerabilities has become a common practice. Finding problems earlier in the development lifecycle saves money. And with the growing usage of open source projects, the exposure to third party components with known vulnerabilities has significantly increased.

The problem is that despite the fact that containers rely heavily on open source libraries as dependencies, the same focus on scanning containers to detect known vulnerabilities hasn't hit the mainstream. Another important aspect when it comes to known vulnerabilities is that in many cases vulnerabilities are discovered years after a certain library was released, so your deployed container may become vulnerable post deployment.

You need to ensure your containers are not using components with known vulnerabilities. Almost all container security and software composition analysis (SCA) tools are able to scan your container images and containers for real-time alerts and some can even integrate with Kubernetes and enforce security policies in real time.

Remember Fundamental Container Security

At its heart, Kubernetes is just a group of containers joined together to perform a function. The individual containers must be secure in order to keep the whole cluster secure. You only need to remove one card from a house of cards to make it fall. Similarly, an attacker could attack the entire cluster if one or more of the individual containers are compromised.

Don't run containers as root. Containers with root privileges have control over the host machine. Once an attacker gains control of a container with root access, your host is compromised and you have a major problem on your hands. It's extremely rare that a container requires root privileges; running as root is sloppy and unnecessary.

Download only trusted container images. There are many repositories on the Internet. Downloading container from any repository that hasn't been vetted can lead to compromise through infected containers. Even if malware isn't present, such containers may use vulnerable libraries as dependencies, further exposing you to unnecessary risk.

Set resource limits on your containers. Resource limits prevent one container from taking up too much CPU and memory on the host machine. Setting limits not only makes your cluster more efficient but prevents a compromised container from being used for crypto mining or other resource-intensive--and nefarious--activities.

Finally, you need to secure your Docker registry. It's great to have a central repository for all of your Docker images, but just any registry is not good enough. Use Docker Trusted Registry or other registry solutions that allow you to install a registry behind your firewall. You'll have complete control over what images make it into the registry while preventing someone from outside your company from making changes.

Keeping these basic security controls in mind will help you build your Kubernetes cluster with a sound foundation of secure containers.

Be Prepared to Secure Kubernetes

Use the tips presented here to build a high-level security strategy for your Kubernetes installation. You're prepared for anyone who asks how to secure your cluster.

The next steps are up to you. Use these tips as a road map for your continued research. Dig into the topics as you implement your strategy to ensure they're done right.

With a strong strategy and good execution, you'll see the benefits of using Kubernetes while keeping your company's assets safe.


About the Author

Shiri Ivtsan 

Shiri Ivtsan is an experienced cloud solutions architect and product manager and holds a B.Sc. in Industrial Engineering and Management. Prior to joining WhiteSource as a product manager, Shiri worked for various companies where she held roles in R&D, such as solutions architect, R&D team leader and product manager.

Published Thursday, May 16, 2019 7:21 AM by David Marshall
There are no comments for this post.
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
<May 2019>