Kubernetes is an open-source container-orchestration system for automating computer application deployment, scaling, and management.
Kubernetes has become tremendously popular and most of corporate organization have adopted this solution.
Nonetheless many companies that are using it remains concerns on security issues as Kubernetes doesn’t offer a lot of vulnerabilities protection.
How do you integrate security into every phase of the Kubernetes container lifecycle?
First and foremost, it is essential to create secured images and scan them in order to look for known vulnerabilities.
1 - Do not add unnecessary components
Make sure to remove debugging tools from production containers.
2 - Use up to date images
Make sure your images are up to date and using the latest versions of their components.
3 - Use an image scanner to identify known vulnerabilities
Your image scanner must be able to identify images’ vulnerabilities. It should also check for vulnerabilities in operating system packages and third-party runtime libraries.
4 - Integrate security in your CI/CD pipeline
The goal here is to automate security and generate alerts when your scanner detects high severity vulnerabilities.
5 - Identify unrepairable vulnerabilities
Add unrepairable vulnerabilities to an authorization list or filter the output of the scanner.
6 – Set up a deep security protection
Make sure you have policy checks and remediation workflow to detect and update these images
First you need visibility into what you are deploying and how you are going to do it.
Then you can identify and correct security policy violations.
At least you should know:
7 – Use « namespaces » to isolate critical workloads
This can helps to contain attacks and mitigate error impact or destructive actions by authorized users.
8 - Use kubernetes networks strategies to control traffic between pods and clusters
Network segmentation strategies are a key security control that can prevent lateral movement between containers if a hacker breaks into it.
9 - Prevent overly permissive access to secrets
Make sure that deployments only show the secrets that they really need, in order to avoid unnecessary exposure.
10 - Evaluate the privileges used by containers
Pod security policies are a way to control security attributes, including container privilege levels.
11 - Evaluate the provenance of the images including the registries
Use images from known registries / those on authorization lists only.
12 - Extend your image scanning for the deployment phase
Apply specific policies during the deployment phase based on the scan results.
13 - Use labels and annotations appropriately
Consider tagging or annotating your deployments with the name, email alias, Slack channel of your application management team.
14 - Enable Kubernetes Role Based Access Control (RBAC)
RBAC provides a method to control permission to access a cluster's Kubernetes API server, both for users and service accounts in the cluster.
The objective of this phase is to gain visibility, to detect and respond to threats.
First, you must monitor container activity which are the most relevant for security monitoring and follow up :
15 – Leverage Kubernetes contextual insights
Use construction and deployment time information to evaluate observed activity versus expected activity.
16 - Extend the vulnerability analysis to ongoing deployments
17 - Use Kubernetes' built-in controls (when available) to enhance security
Configure the security context of pods to limit their capacities
18 - Monitor network traffic to limit unnecessary or insecure communications
Monitor your active network traffic and compare that traffic to what is allowed based on your Kubernetes network policies. Then compare the active traffic with what is allowed.
19 – Start the process of leveraging authorization lists
Observe the application for a certain period of time to identify any processes that are running. Then, you can use this list as an authorization list for the future behavior of the application
20 - Compare and analyze different execution activities in pods within the same deployments
Containerized applications are replicated for reasons of high availability, failure tolerance, or scale.
You need to integrate your Kubernetes security tool with other external systems. Then, you will need to take advantage of the deployment labels or annotations to alert the team responsible for a given application when a potential threat is detected.
21 - Reset suspicious pods in case of infraction
Use the native Kubernetes controls and then restart the instances of the affected applications.
22 - Update kubernetes with the latest version every time it’s possible
Remember that only the three latest kubernetes version are supported.
23 - configure securely the Kubernetes API server
Make sure to disable unauthenticated / anonymous access and use TLS encryption for connections between Kubernetes and the API server.
24 - Secure etcd
Etcd is a key-value store used by Kubernetes for data access
25 – Secure Kubelet
Make sure you disable anonymous access to the kubelet
With the tremendous growth in the use of Kubernetes, ensuring container security becomes vital to protect networks and applications from vulnerabilities and malicious attacks and breaches.
This is the daily routine of our consultants, join us to enhanced Kubernetes security!