Skip to content

Kubernetes Security

Introduction

kubernetes security mindmap

NSA National Security Agent Kubernetes Hardening Guidance

CIS Benchmarks and CIS Operator

  • ibm.com: CIS Benchmarks Developed by a global community of cybersecurity professionals, CIS Benchmarks are a collection of best practices for securely configuring IT systems, software, networks, and cloud infrastructure.
  • aymen-abdelwahed.medium.com: K8s Operators β€” CIS Kubernetes Benchmarks How can I run my workloads securely on top of Kubernetes? In this post, we’ll be taking a look at the CIS-Benchmark, breaking the concept down to simple terms, and in the end, deploying the CIS-Operator using Helm charts and custom values
    • rancher/cis-operator This is an operator that can run on a given Kubernetes cluster and provide ability to run security scans as per the CIS benchmarks, on the cluster.

Service Accounts

Kubernetes Secrets

Encrypting the certificate for Kubernetes. SSL certificates with Let’s Encrypt in Kubernetes Ingress via cert-manager

RBAC and Access Control

Kubernetes and LDAP

Admission Control

Kubernetes Security Best Practices

  • Kubernetes Security 101: Risks and 29 Best Practices 🌟 Security Best Practices Across Build, Deploy, and Runtime Phases.
  • Build Phase:
    1. Use minimal base images
    2. Don’t add unnecessary components
    3. Use up-to-date images only
    4. Use an image scanner to identify known vulnerabilities
    5. Integrate security into your CI/CD pipeline
    6. Label non-fixable vulnerabilities
  • Deploy Phase:
    1. Use namespaces to isolate sensitive workloads
    2. Use Kubernetes network policies to control traffic between pods and clusters
    3. Prevent overly permissive access to secrets
    4. Assess the privileges used by containers
    5. Assess image provenance, including registries
    6. Extend your image scanning to deploy phase
    7. Use labels and annotations appropriately
    8. Enable Kubernetes role-based access control (RBAC)
  • Runtime Phase:
    1. Leverage contextual information in Kubernetes
    2. Extend vulnerability scanning to running deployments
    3. Use Kubernetes built-in controls when available to tighten security
    4. Monitor network traffic to limit unnecessary or insecure communication
    5. Leverage process whitelisting
    6. Compare and analyze different runtime activity in pods of the same deployments
    7. If breached, scale suspicious pods to zero
  • thenewstack.io: 6 Kubernetes Security Best Practices 🌟
  • kodekloud.com: Kubernetes Security Best Practices
  • armosec.io: Kubernetes Security Best Practices: Definitive Guide
  • semaphoreci.com: Secure Your Kubernetes Deployments In this tutorial, we present three tools to validate and secure your Kubernetes deployments:
    • Kubeval
    • Kubeconform
    • Kubescore

kubernetes security controls landscape

Kubernetes Authentication and Authorization

Kubernetes Authentication Methods

Kubernetes supports several authentication methods out-of-the-box, such as X.509 client certificates, static HTTP bearer tokens, and OpenID Connect.

X.509 client certificates

Static HTTP Bearer Tokens

OpenID Connect

Implementing a custom Kubernetes authentication method

Pod Security Policies (SCCs - Security Context Constraints in OpenShift)

Security Profiles Operator

EKS Security

CVE

Videos

Click to expand!

Tweets

Click to expand!
Back to top