Last update: 11 April 2022
In this article I'm going to talk about some security considerations that you need to implement in order to enhance the security of your Kubernetes cluster. The scope of this post is going to focus on these 3 layers:
Kubernetes stores all cluster state, including Secrets, in etcd, and by default it is stored there unencrypted. To encrypt this data at rest, start the kube-apiserver with the flag `--encryption-provider-config=/path/to/config/file`.
This is an example of a config file (the key is rendered by an Ansible template, as in the k8s-the-hard-way post):

```yaml
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: {{ encryption_key | b64encode }}
      - identity: {}
```

The `resources` field lists the API object types to encrypt; in this example only Secrets are encrypted. The order of `providers` matters: the first provider is the one used to encrypt every new write, and the remaining providers are only tried when decrypting data already in etcd. If `identity: {}` is listed first, nothing is encrypted at all, so the encrypting provider (here `aescbc`) must come first and `identity` last, which keeps objects written before encryption was enabled readable until they are rewritten (for example with `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`). The key must be 32 random bytes (for example `head -c 32 /dev/urandom`), base64-encoded in the file, and the file itself must be readable only by the apiserver, since it holds the key in the clear. Note that the Kubernetes documentation no longer recommends `aescbc` because of CBC padding-oracle concerns; `aesgcm`, `secretbox` or a KMS provider are preferred.
The encryption key can be provided in the config file or by a KMS. To learn more, check the Kubernetes documentation on encrypting data at rest.
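Two checks are worth automating here: that the config file really encrypts (provider order and key length), and that a value read back from etcd actually carries the `k8s:enc:<provider>:<version>:<keyname>:` prefix the apiserver writes. The script below is an added example and not code from the original post; the two configs are constructed mirrors of the YAML above (one with `identity` first, one fixed), `SAMPLE_KEY` is a placeholder, and the etcd value you would feed to `etcd_value_encryption` comes from `etcdctl get /registry/secrets/<ns>/<name>`.

```python
import base64
import os
from typing import Dict, List, Optional

# Constructed placeholder key (32 bytes); a real file uses os.urandom(32).
SAMPLE_KEY = base64.b64encode(b"x" * 32).decode()

# Mirror of the YAML with the WRONG order: identity first means the apiserver
# writes Secrets to etcd in plaintext.
CONFIG_IDENTITY_FIRST: Dict = {
    "apiVersion": "apiserver.config.k8s.io/v1",
    "kind": "EncryptionConfiguration",
    "resources": [{
        "resources": ["secrets"],
        "providers": [
            {"identity": {}},
            {"aescbc": {"keys": [{"name": "key1", "secret": SAMPLE_KEY}]}},
        ],
    }],
}

# Same config with the encrypting provider first; identity stays last so that
# data written before encryption was enabled can still be read.
CONFIG_AESCBC_FIRST: Dict = {
    "apiVersion": "apiserver.config.k8s.io/v1",
    "kind": "EncryptionConfiguration",
    "resources": [{
        "resources": ["secrets"],
        "providers": [
            {"aescbc": {"keys": [{"name": "key1", "secret": SAMPLE_KEY}]}},
            {"identity": {}},
        ],
    }],
}

# Key sizes each provider accepts (aesgcm allows AES-128/192/256).
KEY_SIZES = {"aescbc": (32,), "secretbox": (32,), "aesgcm": (16, 24, 32)}


def new_key_b64() -> str:
    """Generate a fresh 32-byte key in the base64 form the config expects."""
    return base64.b64encode(os.urandom(32)).decode()


def lint_encryption_config(cfg: Dict) -> List[str]:
    """Return human-readable problems; an empty list means the config looks sane."""
    problems: List[str] = []
    for i, entry in enumerate(cfg.get("resources", [])):
        providers = entry.get("providers", [])
        if not providers:
            problems.append(f"resources[{i}]: no providers configured")
            continue
        if next(iter(providers[0])) == "identity":
            problems.append(
                f"resources[{i}]: identity is the first provider, so "
                f"{entry.get('resources')} are stored in plaintext")
        for provider in providers:
            name, body = next(iter(provider.items()))
            if name not in KEY_SIZES:
                continue  # identity has no key; kms keys live outside the file
            for key in body.get("keys", []):
                raw = base64.b64decode(key["secret"])
                if len(raw) not in KEY_SIZES[name]:
                    problems.append(
                        f"{name} key {key['name']!r}: {len(raw)} bytes, "
                        f"expected one of {KEY_SIZES[name]}")
    return problems


def etcd_value_encryption(value: bytes) -> Optional[str]:
    """Classify a raw etcd value as written by the apiserver.

    Encrypted values start with k8s:enc:<provider>:<version>:<keyname>:;
    returns "<provider>:<version>:<keyname>", or None for plaintext.
    """
    prefix = b"k8s:enc:"
    if not value.startswith(prefix):
        return None
    parts = value[len(prefix):].split(b":", 3)
    if len(parts) != 4:
        return None
    provider, version, keyname, _ciphertext = parts
    return f"{provider.decode()}:{version.decode()}:{keyname.decode()}"


if __name__ == "__main__":
    print("identity-first:", lint_encryption_config(CONFIG_IDENTITY_FIRST))
    print("aescbc-first:", lint_encryption_config(CONFIG_AESCBC_FIRST))
```

Run the linter against the rendered config before restarting the apiserver, then, after enabling encryption, confirm `etcd_value_encryption` reports `aescbc:v1:key1` for a freshly created Secret; a `None` result means the object was written before encryption was turned on (or the provider order is wrong).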
Enable TLS for all communication between the components. You need to provision a PKI for your cluster (take a look at the k8s-the-hard-way post to learn how to do it with Ansible).
Starting from Kubernetes 1.4, the certificates.k8s.io API (CertificateSigningRequest objects) was introduced to automate the issuance of certificates for node components (kubelet and kube-proxy), so that nodes can bootstrap their own client certificates instead of having them provisioned by hand. Check the Kubernetes documentation on certificate signing requests to learn more.
These are some admission plugins that enhance the security of the k8s cluster. The full list of admission plugins is in the Kubernetes documentation.
I would recommend starting the apiserver with at least these plugins:

```bash
--enable-admission-plugins=NamespaceLifecycle,\
NodeRestriction,\
LimitRanger,\
ServiceAccount,\
DefaultStorageClass,\
ResourceQuota,\
PodSecurity
```

`--enable-admission-plugins` adds to the default-enabled set rather than replacing it, so most of these are already on. The two worth verifying are NodeRestriction, which stops a compromised kubelet from modifying Pods or Nodes that do not belong to its own node, and PodSecurity, which replaces the deprecated PodSecurityPolicy (removed in 1.25) and enforces the privileged, baseline and restricted profiles through `pod-security.kubernetes.io/enforce` labels on each namespace.
You may need the flag `--allow-privileged=true` on the apiserver (and kubelet), otherwise privileged containers (`securityContext.privileged: true`) are refused. This is about privileged containers, which get the host's devices and capabilities, not about containers running as root, which run regardless of this flag. Leave it at false unless a workload such as a CNI or storage plugin genuinely needs it, and in that case use PodSecurity to confine privileged pods to the namespaces that need them.
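To make concrete what the PodSecurity admission plugin rejects under the `restricted` profile, here is an added example (not code from the original post, and not the PodSecurity implementation itself) that applies a subset of the restricted checks to a Pod manifest: host namespaces, hostPath volumes, privileged containers, privilege escalation, capabilities, runAsNonRoot and seccomp. The two pods are constructed; the real profile also covers volume types, sysctls, proc mount and more.

```python
from typing import Dict, List

# Constructed pod of the kind a "debug" workflow produces; should be rejected.
PRIVILEGED_POD: Dict = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "debug", "namespace": "default"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
        "containers": [{
            "name": "shell", "image": "busybox",
            "securityContext": {"privileged": True},
        }],
    },
}

# Constructed pod written to satisfy the checks below.
HARDENED_POD: Dict = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web", "namespace": "prod"},
    "spec": {
        "securityContext": {
            "runAsNonRoot": True,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [{
            "name": "web", "image": "nginxinc/nginx-unprivileged",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
            },
        }],
    },
}

HOST_NAMESPACE_FIELDS = ("hostNetwork", "hostPID", "hostIPC")


def restricted_violations(pod: Dict) -> List[str]:
    """Subset of the PodSecurity 'restricted' profile checks (illustrative).

    For fields allowed at both levels (runAsNonRoot, seccompProfile) the
    container-level securityContext overrides the pod-level one.
    """
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    found: List[str] = []
    for field in HOST_NAMESPACE_FIELDS:
        if spec.get(field):
            found.append(f"spec.{field} is true (shares a host namespace)")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            found.append(f"volume {vol.get('name')!r} mounts a hostPath")
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name = c.get("name", "?")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            found.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(f"{name}: allowPrivilegeEscalation must be explicitly false")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            found.append(f"{name}: must drop ALL capabilities")
        extra = [cap for cap in caps.get("add", []) if cap != "NET_BIND_SERVICE"]
        if extra:
            found.append(f"{name}: adds capabilities {extra}")
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            found.append(f"{name}: runAsNonRoot must be true")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {}))
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            found.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return found


if __name__ == "__main__":
    for pod in (PRIVILEGED_POD, HARDENED_POD):
        print(pod["metadata"]["name"], restricted_violations(pod) or "OK")
```

The same result can be obtained from the cluster with `kubectl label --dry-run=server --overwrite ns <name> pod-security.kubernetes.io/enforce=restricted`, which lists the existing pods that would be rejected before you enforce the label.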
Enable RBAC by starting the apiserver with `--authorization-mode=RBAC` (in practice `--authorization-mode=Node,RBAC`: the Node authorizer, together with the NodeRestriction admission plugin, limits each kubelet to the objects of its own node).
Start the apiserver with the `--anonymous-auth=false` flag, so that requests without credentials are rejected instead of being handled as the `system:anonymous` user in the `system:unauthenticated` group. Be aware that the `/healthz`, `/livez` and `/readyz` endpoints then also require credentials, so load balancer health checks may need adjusting.
For the kubelet, the config file should contain an authentication section like this one:

```yaml
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: false
```

Since the kubelet API then needs a way to authenticate callers, pair this with `authentication.x509.clientCAFile` (or `authentication.webhook.enabled: true`) and `authorization.mode: Webhook`, so that requests from the apiserver are authenticated and checked with a SubjectAccessReview instead of the default `AlwaysAllow`.
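Turning anonymous auth off only removes `system:anonymous`; what an unauthenticated or merely authenticated caller can do is still decided by RBAC bindings to `system:unauthenticated` and `system:authenticated`. The audit below is an added example (not code from the original post) that walks ClusterRoles and ClusterRoleBindings in the JSON shape `kubectl get clusterrole,clusterrolebinding -o json` returns and flags wildcard or escalation-capable roles bound to those groups or to a namespace's `default` ServiceAccount. The role and binding objects are constructed.

```python
from typing import Dict, List, Tuple

# Subjects that every caller (or every unauthenticated caller) belongs to.
BROAD_SUBJECTS = {"system:anonymous", "system:unauthenticated", "system:authenticated"}
# Verbs that let a subject grant itself more than it already has.
ESCALATION_VERBS = {"bind", "escalate", "impersonate"}

# Constructed objects in the shape kubectl returns (only the fields used here).
ROLES: List[Dict] = [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
               {"nonResourceURLs": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"],
                "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "rbac-helper"},
     "rules": [{"apiGroups": ["rbac.authorization.k8s.io"],
                "resources": ["clusterroles"], "verbs": ["bind", "escalate"]}]},
]
BINDINGS: List[Dict] = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "oops-anonymous-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:unauthenticated"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-helper"},
     "roleRef": {"kind": "ClusterRole", "name": "rbac-helper"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "ci"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "monitoring"},
     "roleRef": {"kind": "ClusterRole", "name": "pod-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "prometheus",
                   "namespace": "monitoring"}]},
]


def risky_roles(roles: List[Dict]) -> Dict[str, str]:
    """Map role name -> reason for roles that are wildcard or allow escalation."""
    out: Dict[str, str] = {}
    for role in roles:
        name = role["metadata"]["name"]
        for rule in role.get("rules", []):
            verbs = set(rule.get("verbs", []))
            wildcard_target = ("*" in rule.get("resources", [])
                               or "*" in rule.get("nonResourceURLs", []))
            if "*" in verbs and wildcard_target:
                out[name] = "wildcard verbs on wildcard resources"
                break
            if verbs & ESCALATION_VERBS:
                out[name] = f"escalation verbs {sorted(verbs & ESCALATION_VERBS)}"
                break
    return out


def subject_is_broad(subject: Dict) -> bool:
    """True for the everyone-groups, system:anonymous, and default ServiceAccounts."""
    if subject["kind"] in ("Group", "User") and subject["name"] in BROAD_SUBJECTS:
        return True
    return subject["kind"] == "ServiceAccount" and subject["name"] == "default"


def audit_bindings(roles: List[Dict], bindings: List[Dict]) -> List[Tuple[str, str, str]]:
    """Return (binding, subject, reason) where a risky role reaches a broad subject."""
    risky = risky_roles(roles)
    findings: List[Tuple[str, str, str]] = []
    for b in bindings:
        role_name = b["roleRef"]["name"]
        if role_name not in risky:
            continue
        for s in b.get("subjects", []):
            if not subject_is_broad(s):
                continue
            who = s["name"]
            if s["kind"] == "ServiceAccount":
                who = f"{s.get('namespace')}/{s['name']}"
            findings.append((b["metadata"]["name"], f"{s['kind']} {who}",
                             f"{role_name}: {risky[role_name]}"))
    return findings


if __name__ == "__main__":
    for binding, subject, reason in audit_bindings(ROLES, BINDINGS):
        print(f"{binding}: {subject} -> {reason}")
```

Feeding it real cluster output means loading the `items` arrays of the two `kubectl ... -o json` calls; namespaced Roles and RoleBindings can be checked the same way, and `default` ServiceAccounts should additionally have `automountServiceAccountToken: false` so a pod compromise does not hand over a token that such a binding makes powerful.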
These are some important tools for auditing your cluster:
Always scan your images for vulnerabilities, both in CI and in the registry. These are some tools that can help you with that:
To build a chain of trust for your images (signing them at build time and verifying the signature before they are admitted to the cluster), you may want to take a look at these tools:
Use gVisor for stronger isolation between the application and the host kernel: the sandbox implements the syscall surface in user space, so a container escape has to get past it before reaching the host kernel.
To use gVisor in Kubernetes, you'll need to set up a RuntimeClass whose handler is `runsc` and reference it from the pod spec with `runtimeClassName`.
Use a network plugin that supports NetworkPolicy, such as Calico, and start from a default-deny policy in each namespace; without a plugin that enforces them, NetworkPolicy objects are accepted by the API but have no effect.
Deploy a service mesh such as Istio to secure pod-to-pod communication with mutual TLS.
Use Gatekeeper (OPA) to enforce policies in your cluster, such as requiring images from trusted registries or forbidding the `latest` tag.
These are some useful tools for auditing:
If you think of some useful tool that I forgot to mention, please let me know and I'll be glad to add it!