25 security best practices for Kubernetes

  • facebook
  • linkedin
25 security best practices for Kubernetes

Kubernetes is an open-source container-orchestration system for automating computer application deployment, scaling, and management.

Kubernetes has become tremendously popular and most of corporate organization have adopted this solution.

Nonetheless many companies that are using it remains concerns on security issues as Kubernetes doesn’t offer a lot of vulnerabilities protection.


How do you integrate security into every phase of the Kubernetes container lifecycle?

 

What are the best practices during build phase?

 

 First and foremost, it is essential to create secured images and scan them in order to look for known vulnerabilities.

 

1 - Do not add unnecessary components

Make sure to remove debugging tools from production containers.

2 - Use up to date images

Make sure your images are up to date and using the latest versions of their components.

3 - Use an image scanner to identify known vulnerabilities
Your image scanner must be able to identify images’ vulnerabilities. It should also check for vulnerabilities in operating system packages and third-party runtime libraries.

4 - Integrate security in your CI/CD pipeline


The goal here is to automate security and generate alerts when your scanner detects high severity vulnerabilities.

5 - Identify unrepairable vulnerabilities

Add unrepairable vulnerabilities to an authorization list or filter the output of the scanner.

6 – Set up a deep security protection

Make sure you have policy checks and remediation workflow to detect and update these images

 

 

What are the best practices during deployment phase?

 

First you need visibility into what you are deploying and how you are going to do it.

Then you can identify and correct security policy violations.

At least you should know:

  • What is deployed
  • Where will it be deployed
  • How it is deployed
  • The conformity of what is deployed

 

 

7 – Use « namespaces » to isolate critical workloads

This can helps to contain attacks and mitigate error impact or destructive actions by authorized users.

8 - Use kubernetes networks strategies to control traffic between pods and clusters

Network segmentation strategies are a key security control that can prevent lateral movement between containers if a hacker breaks into it.

9 - Prevent overly permissive access to secrets

Make sure that deployments only show the secrets that they really need, in order to avoid unnecessary exposure.

10 - Evaluate the privileges used by containers

Pod security policies are a way to control security attributes, including container privilege levels.

11 - Evaluate the provenance of the images including the registries

Use images from known registries / those on authorization lists only.

12 - Extend your image scanning for the deployment phase

Apply specific policies during the deployment phase based on the scan results.

13 - Use labels and annotations appropriately

Consider tagging or annotating your deployments with the name, email alias, Slack channel of your application management team.

14 - Enable Kubernetes Role Based Access Control (RBAC)
RBAC provides a method to control permission to access a cluster's Kubernetes API server, both for users and service accounts in the cluster.



What are the best practices during execution phase?

 

The objective of this phase is to gain visibility, to detect and respond to threats.
First, you must monitor container activity which are the most relevant for security monitoring and follow up :

  • Processes activities
  • Network communication between containerized services
AdobeStock_97655599The execution phase exposes containerized applications to several security challenges.

 

15 – Leverage Kubernetes contextual insights

Use construction and deployment time information to evaluate observed activity versus expected activity.

16 - Extend the vulnerability analysis to ongoing deployments

17 - Use Kubernetes' built-in controls (when available) to enhance security

Configure the security context of pods to limit their capacities

18 - Monitor network traffic to limit unnecessary or insecure communications

Monitor your active network traffic and compare that traffic to what is allowed based on your Kubernetes network policies. Then compare the active traffic with what is allowed.

19 – Start the process of leveraging authorization lists

Observe the application for a certain period of time to identify any processes that are running. Then, you can use this list as an authorization list for the future behavior of the application

20 - Compare and analyze different execution activities in pods within the same deployments

Containerized applications are replicated for reasons of high availability, failure tolerance, or scale.

You need to integrate your Kubernetes security tool with other external systems. Then, you will need to take advantage of the deployment labels or annotations to alert the team responsible for a given application when a potential threat is detected.

21 - Reset suspicious pods in case of infraction


Use the native Kubernetes controls and then restart the instances of the affected applications.

 

What are the best practices to secure your infrastructure? 

 

22 - Update kubernetes with the latest version every time it’s possible

Remember that only the three latest kubernetes version are supported.

23 - configure securely the Kubernetes API server

Make sure to disable unauthenticated / anonymous access and use TLS encryption for connections between Kubernetes and the API server.

24 - Secure etcd

Etcd is a key-value store used by Kubernetes for data access

25 – Secure Kubelet

Make sure you disable anonymous access to the kubelet

 

I discover the current offers

 

With the tremendous growth in the use of Kubernetes, ensuring container security becomes vital to protect networks and applications from vulnerabilities and malicious attacks and breaches.

This is the daily routine of our consultants, join us to enhanced Kubernetes security!