Hardening Kubernetes:
Tips on keeping your containers secure & compliant

Toni Kuokkanen, Nordcloud’s Solution Strategist

Running a Kubernetes cluster is an easy and fun thing to do, right?

Well, yes. Kind of. Getting Kubernetes running in its simplest form is fairly straightforward. But once you add more on top, run production workloads and handle data that is not just demo data, things get more complex.

Kubernetes has been around since 2014 and has become a household name in the container market. At a high level, how it runs is straightforward and generally understood. But there are a few caveats you need to know about if you want to be secure.

Running the Kubernetes pods

Let’s start with the basics: the pods themselves. Applying least privilege here means limiting what a pod can see and do. Run containers as a non-root user wherever possible. That has some limitations (images that expect to write to system paths or to bind ports below 1024) but there is plenty of documentation on how to work around them. Kubernetes 1.22 also added alpha support for running the node components themselves as a non-root user (rootless mode), which takes root out of the picture on the node side too.

Deploy immutable filesystems

Using a read-only (immutable) filesystem should be standard practice when the nature of the application makes it feasible; for some Java-based applications it is simply not possible. An immutable filesystem makes it harder for an attacker who gains code execution in the container to drop a payload, replace binaries or tamper with configuration files. Where an application only needs a few writable paths, such as a temp directory, mounting an emptyDir volume on those paths lets you keep the rest of the filesystem read-only.
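The two sections above (non-root containers and a read-only filesystem) come down to a handful of fields in the pod spec. The manifests below are an added example, not configuration from the article: the same container first with the defaults most tutorials leave in place, then hardened. The image name, the uid 10001 and the /tmp volume are assumptions for illustration.

```yaml
# Added example, not from the article. Image, uid and the /tmp mount are assumed.
apiVersion: v1
kind: Pod
metadata:
  name: web-insecure
spec:
  containers:
    - name: web
      image: registry.example.com/web:1.0   # assumed image
      # No securityContext at all: the container runs as whatever user the
      # image sets (often root), can gain privileges through setuid binaries,
      # keeps the runtime's default capability set and has a writable root
      # filesystem. The pod also gets a service account token mounted by default.
---
apiVersion: v1
kind: Pod
metadata:
  name: web-hardened
spec:
  securityContext:
    runAsNonRoot: true          # kubelet refuses to start a container as uid 0
    runAsUser: 10001            # assumed non-root uid; needed when the image has no numeric USER
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault      # container runtime's default syscall filter
  automountServiceAccountToken: false   # no API token unless the app actually needs one
  containers:
    - name: web
      image: registry.example.com/web:1.0   # assumed image
      securityContext:
        allowPrivilegeEscalation: false   # no setuid/setgid privilege gain
        readOnlyRootFilesystem: true      # the image filesystem is immutable
        capabilities:
          drop: ["ALL"]                   # add back individual capabilities only when proven necessary
      volumeMounts:
        - name: tmp
          mountPath: /tmp                 # the one writable path this app needs
  volumes:
    - name: tmp
      emptyDir: {}                        # writable scratch space, discarded with the pod
```

If the image declares a non-numeric `USER`, `runAsNonRoot: true` on its own is rejected at start time because the kubelet cannot prove the user is non-root, which is why the example pins `runAsUser`. To enforce this shape cluster-wide rather than per manifest, label the namespace with `pod-security.kubernetes.io/enforce: restricted` so the Pod Security admission controller rejects pods that fall short.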

Keep your Kubernetes up-to-date

This should be standard practice, but it tends to be forgotten, and upgrades have been known to go wrong. Still, a look at the open CVEs against Kubernetes makes it obvious why you need to keep up with updates, on both the control plane and the node components.

Configure RBAC

Enabling RBAC (role-based access control) is a must when running Kubernetes. RBAC has been stable since Kubernetes 1.8 and most installers turn it on by default, but it only helps if the roles are scoped tightly. Again, this comes back to the least privilege principle: limit what users and service accounts can see and do, avoid wildcard rules and cluster-wide bindings, and treat read access to Secrets, `pods/exec` and the `bind`, `escalate` and `impersonate` verbs as admin-equivalent. Actively reviewing RBAC as the cluster evolves is also a must in a secure environment.

Network considerations

From a network perspective we could write an entire book, so let’s summarise it in a few key points.

Network policies 

Use NetworkPolicies to isolate resources and control the network flow between them. By default every pod can talk to every other pod in the cluster; a default-deny policy per namespace, with explicit allow rules on top, gives you tight control over what goes in and what goes out. Two caveats: NetworkPolicy is enforced by the CNI plugin, so on a CNI that does not support it the objects are accepted by the API server and silently do nothing, and the policies work at layer 3/4 (selectors and ports), not on hostnames or HTTP paths. It takes some effort to get right, but once done it really helps you sleep better at night.

Secure the control plane 

The control plane is responsible for controlling the cluster, and it is a prime target when attackers go after an environment, so it is worth taking some steps to make it more secure.

Kubernetes API Server

First, the Kubernetes API server (kube-apiserver). Make sure all API traffic is encrypted. The API server serves TLS on its secure port by default, so the work is in the details: do not expose a plaintext port, turn off anonymous access where your health checks allow it, use a proper certificate authority rather than certificates clients are told to ignore, and make sure the API server itself authenticates with client certificates when it talks to etcd and to the kubelets. There are plenty of tutorials on how to do this.

Etcd

etcd is the cluster’s distributed key-value store and holds every object in the cluster, including Secrets, which by default are only base64-encoded, not encrypted. All access to it should be protected with TLS and client certificate authentication on both the client and the peer ports, those ports should be reachable only from the control plane, and encryption at rest should be enabled in the API server so that Secrets are not written to etcd in plaintext. If attackers gain access to etcd, or to a backup of it, they get every credential in the environment and effectively own the cluster.
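Encryption at rest is configured on the API server side, not in etcd. The file below is an added example, not from the article: an `EncryptionConfiguration` that the API server loads via `--encryption-provider-config=<path>`. The key value is a throwaway placeholder (the base64 of a 32-character ASCII string) and the file path is an assumption.

```yaml
# Added example, not from the article. The key below is a placeholder, NOT a real key:
# generate one with `head -c 32 /dev/urandom | base64` and keep it off the cluster
# (it lives on the control-plane host, so protect that file like a root credential).
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets        # the resource types to encrypt; configmaps can be added too
    providers:
      # The first provider is used for writes; every listed provider is tried for reads.
      - secretbox:     # XSalsa20-Poly1305, needs a 32-byte key
          keys:
            - name: key1
              secret: MDEyMzQ1Njc4OWFiY2RlZjAxMjM0NTY3ODlhYmNkZWY=   # placeholder
      # identity (= plaintext) last, so Secrets written before encryption was
      # enabled can still be read. Remove it once everything has been rewritten.
      - identity: {}
```

After restarting the API server with the flag, existing Secrets are still stored in plaintext until they are written again; `kubectl get secrets --all-namespaces -o json | kubectl replace -f -` rewrites them all. Where a cloud KMS or HSM is available, the `kms` provider keeps the key out of the control-plane host entirely and is the better choice. For the transport side, the API server's `--etcd-cafile`, `--etcd-certfile` and `--etcd-keyfile` flags pin mutual TLS to etcd, and etcd's own `--client-cert-auth` and `--peer-client-cert-auth` refuse connections without a client certificate.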

Kube-scheduler, kube-controller-manager, and cloud-controller-manager

Here we need to be careful with file permissions (the static pod manifests and the kubeconfig files these components use should be owned by root and not readable by other users) and make sure they accept only HTTPS. In current releases the plaintext port is gone; on older releases that still have one it should be disabled. They should also bind only to localhost, since the port they serve exposes metrics, health and, unless disabled, profiling endpoints. A similar approach works for each of these services.
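The API server and the controller settings from the last three sections end up as flags in the control-plane static pod manifests. What follows is an added example, not the article's or kubeadm's own configuration: trimmed kubeadm-style manifests (normally under `/etc/kubernetes/manifests/`) showing only the flags discussed here. A real manifest carries many more entries; the certificate paths are the kubeadm defaults, the image version and the encryption config path are assumptions.

```yaml
# Added example, not from the article. Trimmed to the security-relevant flags;
# image versions and the encryption config path are assumptions.
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  hostNetwork: true
  containers:
    - name: kube-apiserver
      image: registry.k8s.io/kube-apiserver:v1.28.0
      command:
        - kube-apiserver
        - --secure-port=6443
        - --anonymous-auth=false                   # see caveat below on health checks
        - --authorization-mode=Node,RBAC            # never AlwaysAllow
        - --profiling=false                         # no /debug/pprof on the API
        - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
        - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
        - --client-ca-file=/etc/kubernetes/pki/ca.crt
        # mutual TLS towards etcd
        - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
        - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
        - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
        # mutual TLS towards the kubelets (exec, logs and port-forward go through here)
        - --kubelet-certificate-authority=/etc/kubernetes/pki/ca.crt
        - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
        - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
        # encryption at rest for Secrets (assumed path)
        - --encryption-provider-config=/etc/kubernetes/encryption.yaml
---
apiVersion: v1
kind: Pod
metadata:
  name: kube-controller-manager
  namespace: kube-system
spec:
  hostNetwork: true
  containers:
    - name: kube-controller-manager
      image: registry.k8s.io/kube-controller-manager:v1.28.0
      command:
        - kube-controller-manager
        - --bind-address=127.0.0.1                  # /metrics and /healthz only on the host
        - --secure-port=10257
        - --profiling=false
        - --use-service-account-credentials=true    # each controller runs with its own scoped SA
---
apiVersion: v1
kind: Pod
metadata:
  name: kube-scheduler
  namespace: kube-system
spec:
  hostNetwork: true
  containers:
    - name: kube-scheduler
      image: registry.k8s.io/kube-scheduler:v1.28.0
      command:
        - kube-scheduler
        - --bind-address=127.0.0.1
        - --secure-port=10259
        - --profiling=false
```

Two practical notes. `--anonymous-auth=false` also blocks unauthenticated probes of `/healthz`, `/livez` and `/readyz`, so load balancer health checks and kubeadm's own liveness probes need adjusting; kubeadm leaves anonymous auth on and instead limits what unauthenticated users can reach through the `system:public-info-viewer` ClusterRole. And the manifests themselves are part of the attack surface: `stat -c '%a %U:%G' /etc/kubernetes/manifests/*.yaml` should show `600 root:root`, and the same goes for the kubeconfig files under `/etc/kubernetes/`.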

So, where do I start?

To summarise: 1) encryption, 2) RBAC, 3) limit visibility.

Hardening a Kubernetes environment is not an easy task, as there are configuration mistakes, vulnerabilities and runtime attacks to consider and remedy. This article gives an overview of how to get started and what needs to be considered. A managed service (for example Google Kubernetes Engine) takes care of some of this for you, typically the control plane and etcd, but the pod, RBAC and network rules apply no matter where your workloads reside.

Moving SAP to Cloud
– Benefits, Misconceptions & Considerations

Toni Kuokkanen, Nordcloud’s Solution Strategist

Major tech companies continue to blow the hype bubble around cloud migration, and SAP is no exception. But it’s not all noise – there are clear reasons for running SAP on public cloud. Toni Kuokkanen, Nordcloud Solution Strategist, gives his opinion on some of the misconceptions and explains the benefits.

Why are businesses cautious about moving SAP to cloud?

SAP is the crown jewel for many companies. The data that SAP systems hold is crucial, while the availability of SAP services underpins day-to-day operations. What this means is that some companies are hesitant to migrate SAP to the cloud.

Added to this, there have been some misconceptions around whether SAP in cloud is fast enough, if security in the cloud is sufficient, as well as just the fear of the unknown.

However, these have all been proven wrong many times. And now even the most sceptical IT leaders have started to look to the cloud for their SAP workloads.

What do businesses need to consider?

There are some things that need to be addressed when moving to the cloud with SAP. First and foremost is defining your reason for moving to the cloud. For example, ageing hardware and the cost of updating legacy IT is enough of a reason for many companies.

However, we see far greater benefits to be taken from shifting SAP to cloud. For example, the potential of SAP data powering cloud-based data solutions is a great application. Microsoft Azure Data Factory offers SAP HANA and Business Warehouse data integration and makes it possible to process the data further.

When choosing a partner to move your SAP workload into the cloud, you need to make sure that they offer not just SAP-specific expertise, but are also well-versed in modern cloud technologies to help you fully realise the potential of the services that public cloud can offer. Although SAP does have limitations in some instances, I expect there will be an option to use containers or serverless architecture in the near future.

Security considerations

Security in the cloud is also a hot topic, with some of the headlines and controversies we have seen in the past year or so. But you can categorise 90% of those as simple user error and configuration mistakes which could have been avoided by simply doing things right. We come back again to choosing cloud-native experts that live and breathe this space.

I talk a lot about cloud security and it still boils down to the basics: knowing your stuff, hiring the right people, using the correct automation and planning your cloud foundation the right way. There is no silver bullet here; every piece of the puzzle must be there or you will lack something crucial. SAP deployment is no exception. It’s not rocket science, it just needs all the pieces of the puzzle.

Which public cloud is best for running SAP?

While Microsoft Azure offers some great building blocks for cloud foundations, the other hyperscalers are also strong contenders. Any of the big three are more or less equally suitable for running SAP in the cloud.

Remember, multi-cloud is an option too, allowing you to reap the benefits of different services across the hyperscalers. In my opinion, it’s worth choosing a cloud partner first and foremost, thinking about the bigger picture and not just single application needs.

I’ll dig a little deeper in my next blog about SAP and cloud security in general, as there are so many small details that can and should be considered when moving to the cloud and securing an existing deployment.

Until next time.
