Tips on keeping your containers secure & compliant
Running a Kubernetes instance is an easy and fun thing to do, right?
Well, yes. Kind of. Getting Kubernetes to run in its simplest form is fairly straightforward. But once you add more components on top, run production workloads and handle data that is not just dummy demo data, things get a little more complex.
Kubernetes has been around since 2014 and has become a household name in the container market. At a high level, how it runs is straightforward and generally understood. But there are a few caveats you need to know if you want to be secure.
Running the Kubernetes pods
Let’s start with the basics and focus on running the pods. Applying least privilege in this context means limiting what a pod can see and do. Use non-root containers where possible; this has some limitations, but there is plenty of documentation available on how to overcome them. And as of version 1.22 there is some help for running rootless containers.
Deploy immutable filesystems
Using an immutable filesystem should be standard practice whenever the nature of the application makes it feasible. For some Java-based applications it is simply not possible. An immutable filesystem makes it harder for an attacker to drop executables or tamper with files, for example to plant a payload.
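As an added example (not from the original post), here is a Pod spec that applies the non-root and immutable-filesystem advice above; the image name, UID and port are placeholders. The writable `emptyDir` mounted on `/tmp` is the usual way to keep the root filesystem read-only for applications, such as a JVM, that still need somewhere to write.

```yaml
# Added example: Pod hardened with a non-root user and a read-only root
# filesystem. Image, UID and port values are placeholders.
apiVersion: v1
kind: Pod
metadata:
  name: hardened-app
spec:
  automountServiceAccountToken: false   # this pod does not need the API server
  securityContext:
    runAsNonRoot: true        # kubelet refuses to start the container as UID 0
    runAsUser: 10001          # explicit non-root UID (placeholder value)
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault    # runtime's default syscall filter
  containers:
    - name: app
      image: registry.example.com/app:1.0.0   # placeholder image
      ports:
        - containerPort: 8080
      securityContext:
        readOnlyRootFilesystem: true        # root filesystem is immutable
        allowPrivilegeEscalation: false     # no setuid / file-capability gains
        capabilities:
          drop: ["ALL"]                     # start from zero capabilities
      volumeMounts:
        # Applications that must write (for example a JVM's temp directory)
        # get a writable scratch volume instead of a writable root filesystem.
        - name: tmp
          mountPath: /tmp
  volumes:
    - name: tmp
      emptyDir: {}
```

After `kubectl apply -f`, a quick check is `kubectl exec hardened-app -- touch /usr/bin/x`, which should fail with "Read-only file system", while writing under `/tmp` still succeeds.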
Keep your Kubernetes up-to-date
This should be fairly standard practice, but it does get forgotten, and there have been known mishaps when upgrading installations. Still, if you look at the current CVEs for Kubernetes, it’s quite obvious why you need to keep up with updates.
Enabling RBAC (role-based access control) is a must when running Kubernetes. Again, this comes back to the least privilege principle: limit the visibility for users and service accounts. Actively managing the RBAC rules is also a must when running a secure environment.
From a network perspective we could write an entire book, but let’s try to summarize it briefly in a few key points.
Use NetworkPolicies to isolate resources and control the network flow between them. This is a great tool for having almost total control over what goes in and what goes out. It can be a bit tricky to get right, but once it is done it really helps you sleep better at night knowing you have full control.
Secure the control plane
The control plane is responsible for controlling the cluster, and it is very often an attack vector when cyber criminals target an environment, so it is recommended to take some steps to make it more secure.
Kubernetes API Server
First, let’s start with the Kubernetes API server (kube-apiserver). Make sure all API traffic is encrypted; as a baseline, all traffic to and from the cluster should be encrypted. There are plenty of tutorials on how to do this.
Etcd should be used as the cluster datastore. It is a distributed and reliable key-value store, and again all data held there should be protected with encryption and access control. If attackers gain access to it, they get valuable information about your environment and can gain access to multiple resources.
Kube-scheduler, kube-controller-manager, and cloud-controller-manager
Here we need to be careful about file permissions and make sure these components only accept HTTPS traffic. They should also listen only on localhost, as these services expose metrics and health information. A similar approach works for each of these services.
So, where do I start?
To summarize: 1) Encryption, 2) RBAC, 3) limit visibility.
Hardening a Kubernetes environment is not an easy task, as there are configuration mistakes, vulnerabilities and runtime attacks to consider and remedy. In this article I’m providing a brief overview of how to get started and what needs to be considered. Some of these points are already covered if you run your environment in the cloud (for example, Google Kubernetes Engine), but the same rules apply no matter where your workloads reside.