KubeSecOps: Kubernetes Security Practices You Should Follow
By Derek Weeks
3 minute read time
Where do you use containers? Organizations started using containers in development and test environments. Over the past couple of years, confidence has grown and we are seeing significant container growth in production environments. Organizations are adopting containers across the software development lifecycle.
Of course, this begs the question - how secure are your containers?
Kubernetes is one solution to deploying, managing, and scaling your containers. Karthik Gaekwad (@iteration1), a developer and cloud native evangelist at Oracle , lays out tips and tools to ensure Kubernetes containers are as secure as possible in his All Day DevOps presentation, KubeSecOps.
While organizations are increasingly adopting containers, core issues still remain. According to a Cloud Native Computing Foundation (CNCF) survey, complexity, culture, training, and security are all challenges for organizations around containers. An Oracle survey shows that managing, maintaining, and updating the Kubernetes Control Panel and Data Plane, figuring out container network and storage, managing teams, and security continue to challenge organizations.
As examples, Karthik mentions a vulnerability stemming from unsecured K8s dashboards, resulting in the ability of attackers to use the cloud environments to mine cryptocurrency. Aviva, Weight Watchers, and Tesla were among those impacted. He highlights another one, affecting Shopify, where attackers gained access to any container in the infrastructure.
Many complain that Kubernetes is too complicated. Karthik agrees, and realizes it can affect how users adopt sound practices. So, he lays out some tips to make administering Kubernetes easier and make the system more secure. He covers attack surfaces, security related features in K8s, and open source tools to help.
Reduce Kubernetes Attack Surfaces
Look at the host, the containers, and the Kubernetes cluster to reduce the attack surface.
For the machines you are running Kubernetes on, the goal is to minimize privileges to applications running on the host. For container images, know your base image when building containers. The smaller the better, don’t rely on the :latest tag, and check for vulnerabilities periodically. For your running containers, don’t run as root and limit host mounts. Finally, for your Kubernetes cluster, TLS all things and review audit logs, network policies, pod security policies, and secrets.
The K8s Platform Enhances Security
- Authentication and authorization. Pick a strategy that fits your use case. Whatever you do, do not YOLO! Don’t use ABAC, use RABAC.
- Audit logging. Watch them!
- Network policies. The default is that all pods talk to all pods. Consider changing it.
- Pod security. Admins can control specific actions.
- Kubernetes secrets. Use secrets to store sensitive data instead of config maps.
Open Source Tools for Kubernetes
Karthik also mentions several open source tools to help you. First, he recommends keeping tabs on the CNCF security landscape (CNCF manages the Kubernetes project). He also covers some other tools:
- TUF - The Update Framework is used for secure software updates and is based on ideas surrounding trust and integrity
- Notary - Based on TUF, it is a solution to secure software updates and distribution
- Clair - for the static analysis of vulnerabilities in containers
- Kube-bench - checks whether a Kubernetes cluster is deployed according to security best practices
- Kubesec - helps quantify risks for Kubernetes resources
- Kubeaudit - audits applications in your K8s cluster
For additional resources, he also recommends the post 11 Ways Not to Get Hacked on Kubernetes and a presentation on security by Michael Hausenblas.
Do you want to hear more of his recommendations and tips? Karthik’s full presentation is here.
Interested in DevOps? Register for the next All DayDevOps, November 6, 2019. It will be a day to discuss security, CI/CD, cloud native infrastructure, cultural transformation, site reliability engineering, and yes, Kubernetes.
Written by Derek Weeks
Derek serves as vice president and DevOps advocate at Sonatype and is the co-founder of All Day DevOps -- an online community of 65,000 IT professionals.
Explore All Posts by Derek Weeks