Kubernetes is an open-source system for automating deployment of new apps and software, and is becoming increasingly popular due to its utility in going back to previous versions. But while lots of developers are excited to take advantage of the benefits and convenience offered by the platform, not many people are talking about Kubernetes’ security.
If you want to make sure your application is protected from as many potential vulnerabilities as possible, you’ll need to take some extra measures to make sure your work is secure.
Basic Kubernetes Security
Kubernetes offers some high-level tips for securing a cluster using the platform. Assuming you have a Kubernetes cluster, you’ll need the kubectl command-line tool configured to communicate with it. From there, you can control who accesses your Kubernetes API with a handful of basic changes:
- Use Transport Layer Security (TLS). For all API traffic, TLS should be employed. Most installation methods will allow you to create and distribute your necessary certificates to cluster components.
- API authentication. You’ll also need some kind of authentication mechanism for your API servers; these should match typical access patterns when you’re installing a cluster. Depending on the size of your cluster, you might use a simple certificate or something more complex like an existing OIDC or LDAP server.
- API authorization. Each API call should also pass an authorization check. You can use Kubernetes’ Role-Based Access Control (RBAC) component to organize user permissions, matching a user or group to specific resources and forms of access.
You’ll also need to control access to the Kubelet, which can expose HTTPS endpoints, and tightly control both resource usage and privileges on a given cluster. Also, you should be aware that by default, the Linus kernel may automatically load additional kernel modules; you’ll need to add rules to block automatic loading to prevent unwanted kernel modules, or simply uninstall them from the node.
Additional Kubernetes Security
In addition to these basic steps, you’ll want to choose the right operating system running on the host. Make sure you rely on a time-tested OS that’s current on all patches—and test it using tools like OpenSCAP.
You’ll also want to go beyond the basic networking offered by Kubernetes and make use of the container network interface (CNI). There are four types of networking available, which you can read more about here. Your multi-tenant network will allow you to create a private addressable subnet for each namespace within your cluster.
Beyond that, you’ll want to integrate some kind of scanning specifically designed for containerized apps deployed with Kubernetes; static code analysis and fuzz testing may not be enough. It’s important to rely on a product that helps you determine which versions of which open source libraries are being used inside the application; this way, you can proactively identify known vulnerabilities and account for them.
Keep in mind that Kubernetes only relates to an application from the point of deployment, assuming it’s under its management. Accordingly, it shouldn’t be your sole tool for guarding against potential security vulnerabilities; firewalls and anomaly detection systems are practically necessary to provide more comprehensive coverage.
Other Basic Best Practices
There are some other basic steps you can take to improve your security when using Kubernetes, even if they seem obvious:
- Disable access to alpha or beta features. Alpha and beta features are some of the most exciting features to explore, but if you’re not sure how they work or how they might affect your application, it may be best to temporarily disable them. Untested features are often some of the ripest for exploitation.
- Rotate your infrastructure credentials. It may be convenient to use the same infrastructure credentials on an ongoing basis, but if you want to step up your security, you’ll want to rotate those credentials on a semi-regular basis.
- Carefully vet your third-party integrations. Passionate developers have taken to creating their own third-party plugins and integrations to make Kubernetes more functional, easier to use, or otherwise more appealing. Most of these integrations could be valuable, and have been meticulously developed. However, each new integration will add a new potential vulnerability, so make sure to vet your integrations thoroughly.
- Pay attention to new developments. Finally, pay attention to news surrounding the Kubernetes community. If and when new vulnerabilities or potential security issues are discovered, they’re likely going to spark a discussion, hopefully giving you time to react and correct the issues in your own applications.
Kubernetes continues to grow in popularity, and it will likely become even more robust in the near future. However, despite its advantages in deployment, scaling, and management, it shouldn’t be considered comprehensive in terms of application security. It’s on you to follow security best practices to protect your applications and ongoing work.