How to secure your Kubernetes from future mishap

Where this fits in K8s strategy

Make sure your microservices are safe and secure. Use several active and passive security methods.

Why it’s important

Kubernetes clusters can be exploited if you don't pay careful attention to scanning and securing key exposure areas.

Run a more secure Kubernetes cluster with these tactics:

TACTIC #1 Control access by roles

Role-based access control (RBAC) makes sure users only access the areas you want them to. Want an example? Here’s one. A non-developer/non-operations user should not have root control over the cluster.

Should your K8 effort use this tactic? Yes, every single project should set this up. It’s the default in Kubernetes v1.6 onward.

What’s the big deal? Cuts the risk of a less trusted user deleting your cluster by 100%

Complete RBAC setup guide

Follow this guide by Bitnami to set up role-based access control on your cluster. Includes use cases with code directions. Brilliant!

TACTIC #2 Set pod security policy

A quick refresher of Kubernetes architecture. Pods store the containers that contain your application images. So it’s important to make sure the pod is secure. Otherwise, you risk compromising anything up to the whole cluster.

Here are some policy examples that protect your cluster:

  • ensure pods are not being run as root users
  • restrict/deny capabilities down to what the container needs and nothing more
  • check fsGroup permissions to assure ownership of pod’s volumes (storage)
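
An added example, not from the original article or any of the linked guides: a small Python check that audits a pod manifest against the three policy examples above. The sample manifest, the allowed capability list and the function name audit_pod are assumptions made for illustration.

```python
import json

# Constructed sample manifest (not from the original article): one hardened
# container and one that breaks the root and capability rules.
SAMPLE_POD = json.loads("""
{
  "kind": "Pod", "metadata": {"name": "demo"},
  "spec": {
    "securityContext": {"runAsNonRoot": true, "fsGroup": 2000},
    "containers": [
      {"name": "web",
       "securityContext": {"capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}},
      {"name": "debug",
       "securityContext": {"runAsUser": 0, "capabilities": {"add": ["SYS_ADMIN"]}}}
    ]
  }
}
""")

# Assumption: the only capability this workload legitimately needs.
ALLOWED_CAPS = {"NET_BIND_SERVICE"}


def audit_pod(pod, allowed_caps=ALLOWED_CAPS):
    """Return a list of findings for the three policy examples in the text."""
    findings = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    if "fsGroup" not in pod_sc:
        findings.append("pod: fsGroup not set, volume ownership is undefined")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        # Container-level settings override pod-level ones.
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        if run_as_user == 0 or (run_as_user is None and not non_root):
            findings.append(f"{c['name']}: may run as root")
        caps = sc.get("capabilities") or {}
        if "ALL" not in [d.upper() for d in caps.get("drop", [])]:
            findings.append(f"{c['name']}: does not drop ALL capabilities")
        extra = sorted(set(caps.get("add", [])) - set(allowed_caps))
        if extra:
            findings.append(f"{c['name']}: adds disallowed capabilities {extra}")
    return findings


if __name__ == "__main__":
    for finding in audit_pod(SAMPLE_POD):
        print(finding)
```

The hardened "web" container produces no findings, while "debug" is flagged for the root and capability rules.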

Feature overlap warning: You won’t need to worry about this tactic if you run Tactic #3. Pod security policy setting is part of the OPA framework.

Should your K8 effort use this tactic? Yes, if time permits.

What’s the big deal? Makes sure your pods don’t go off reservation

How to create a pod security policy

Follow this guide by The New Stack to get an insight on pod security and how to do it.

How to verify that policies are working

Kubesec is a tool that makes sure your pod security policies are actually working as planned. You can run it via the kubectl CLI. Learn more from the GitHub repo.

TACTIC #3 Run Open Policy Agent (OPA)

Open Policy Agent is a policy tool that can change your cluster’s security protocols using a declarative language.

Feature overlap warning: Decided to put in the effort and install OPA? You won’t need to worry about Tactic #2. Pod security policy setting is part of the OPA framework.

Should your K8 effort use this tactic? If you have ever-changing security policies.

What’s the big deal? Lessens manual intervention required to implement security policies

Official OPA setup guide for Kubernetes

Follow this guide on the official Open Policy Agent website to set it up with Kubernetes.

TACTIC #4 Separate into namespaces

Namespaces are often made for “multi-tenant clusters”. That’s when several distinct workloads are on the same cluster. Separating them leads to better security. The cluster as a whole stays safe if one workload overloads its resources.

Warning: Namespaces do not guarantee fool-proof isolation of resources. They are metadata that make recognising internal boundaries and vulnerability issues easier. You still need to configure access rules (like in Tactic #1) properly.

Should your K8 effort use this tactic? If you have many teams or sensitive applications sharing a cluster

What’s the big deal? Stops one part of the cluster from affecting others – better isolation

Tutorial: Organising with Namespaces

Follow this guide by Google Cloud (video included) for creating your cluster’s namespaces. It explains the concept in simple terms and has sample code.

TACTIC #5 Manage container security

Containers host the application code, so they are an important part of Kubernetes. But they can also carry high risk because of public containers and version changes. These give bad actors opportunities to exploit your cluster.

So secure your containers!

According to Whitesource Security, you’ll benefit from having the following data handy:

  • How many issues have been found within each container
  • Severity of those issues in terms of low, medium or critical threat
  • Number of issues logged over a certain period (week, month, quarter)

Should your K8 effort use this tactic? Absolutely, must do container security.

What’s the big deal? Less secure containers mean more attack opportunities across a larger surface area

Guide with 5 container security tips

Follow this guide by the founder of Sysdig (container security company). He shares 5 tips for securing your containers.
