DEV Community

Cover image for 12 Fundamental Steps for Secure Kubernetes Cluster
JamallMahmoudi
JamallMahmoudi

Posted on

12 Fundamental Steps for Secure Kubernetes Cluster

1.Kubernetes Security principles 

  1. Security policies
  2. Role-Based Access Control (RBAC)
  3. Network policies 
  4. Securing Kubernetes Cluster Components
  5. Enhancing Container Security
  6. Image scanning and vulnerability management
  7. Limiting container privileges 
  8. Using read-only filesystems and non-root users
  9. Implementing Continuous Security Monitoring
  10. Centralize all logs Kubernetes cluster in Graylog server 
  11. velero Restor & backup ............................................................

Kubernetes is a rapidly evolving technology that is both complex and vulnerable, making security settings critical. Your cluster is always visible on the Internet. When considering how to secure cloud-based Kubernetes clusters, it’s important to remember that hackers can easily locate you online. Tools like Shodan (https://www.shodan.io/) make it trivial for attackers to find potential targets.

Recent analyses reveal that etcd services are sometimes exposed on the Internet without authentication. This is a significant concern when setting up clusters, as an attacker who successfully breaches your clustered database could potentially compromise your entire system.

The Kubernetes API service functions as the gateway to each cluster and is generally exposed in every deployment for management purposes. Therefore, securing it is crucial. However, managing numerous open ports is challenging, and it’s not just the etcd service and Kubernetes API that require careful attention. Depending on your cluster’s configuration, other exposed services may also pose security risks if a hacker gains access.

If any container is compromised, the entire cluster could be at risk. Since Kubernetes is used to host multiple application containers, it is vital to ensure that a vulnerability in one application does not jeopardize the entire cluster.

As Kubernetes technology grows in popularity, malicious actors are increasingly targeting its vulnerabilities. These individuals continually seek ways to gain unauthorized access and disrupt sensitive applications and data.

To mitigate these risks, it’s essential to be proactive in securing your Kubernetes clusters. By implementing security best practices from the outset, you can significantly reduce the likelihood of security breaches and build a more resilient infrastructure. As your organization grows, you’ll be better equipped to handle security challenges and maintain compliance with industry standards.
In the following sections, we will cover the techniques and strategies necessary to create a secure Kubernetes environment and protect valuable business assets.

Kubernetes security basics
A basic plan in Kubernetes security principles is essential to effectively protect your Kubernetes clusters. In this section, we’ll cover four key concepts:
1- security policies,
2- role-based access control (RBAC),
3- network policies and Zoning
4- Upgrade Kubernetes to latest version

**Security policies
**First scan all nodes (Master and Worker) with OpenSCAP tool and according to the output checklist, disable the things you don’t need in the operating system. Security Content Automation Protocol (SCAP)SCAP is a standard compliance checking solution for enterprise-wide Linux infrastructure. It is a set of specifications maintained by the National Institute of Standards and Technology (NIST) to maintain system security for enterprise systems.

Security policies in Kubernetes allow you to define and enforce specific security configurations for your containers and pods. They help you manage permissions, privilege levels, and access controls. Key aspects of security contexts and policies include:

  1. Containers: Limit the privileges a container can gain to minimize the potential impact of security vulnerabilities. For example, you can leave out unnecessary Linux features or apply the principle of least privilege. Use light images like Linux Alpine … etc Note: “One of the first decisions you need to make when defining a Dockerfile is Selecting a base image provides the base image of the operating system and additional dependencies, and may expose shell access. Some of the basic images you can choose from in a public registry like Docker Hub is large in size and probably has functionality that you don’t have You must run your program inside it. operating system itself, as well as any existing dependencies with the base image, can Reveal vulnerabilities”
  2. SELinux or AppArmor: Use these Mandatory Access Control (MAC) systems to further limit container access to resources and improve isolation between containers.
    Main link = https://kubernetes.io/docs/tutorials/security/apparmor/

  3. Seccomp Profiles: Limiting the system calls a container can make reduces the attack surface and limits potential exploits.

**Role-Based Access Control (RBAC)
**RBAC is a critical component of Kubernetes security. It allows you to grant the necessary permissions to users, groups, and service accounts while adhering to the principle of least privilege. RBAC uses the following Kubernetes objects:
1.Roles and ClusterRoles: Define a set of permissions (rules) that apply to specific resources within a namespace (Roles) or cluster-wide (ClusterRoles).
2.RoleBindings and ClusterRoleBindings: Associate a Role or ClusterRole with users, groups, or service accounts, granting them the permissions defined in the role
To implement RBAC effectively, create separate roles for different tasks, limit the use of cluster-wide permissions, and review roles regularly to ensure they remain up-to-date and relevant.

Enable role-based access control authorization
This might seem time-consuming — it does require additional work to set up — but it’s impossible to secure large scale Kubernetes clusters that run production workloads without implementing RBAC policies.

The following are some Kubernetes RBAC best practices administrators should follow:

To enforce RBAC as a standard configuration for cluster security, enable RBAC in an API server by passing the –authorization-mode=RBAC parameter.
Use dedicated service accounts per application, and avoid using the default service accounts Kubernetes creates. Dedicated service accounts enable admins to enforce RBAC on a per-application basis and provide better controls for the granular access granted to each application resources.
Reduce optional API server flags to reduce the attack surface area on the API server. Each flag enables a certain aspect of cluster management, which can expose the API server. Minimize using these optional flags:
A-anonymous-auth
B — insecure-bind-address
C-insecure-port.
For an RBAC system to be effective, enforce least privileges. When the cluster administrators follow the principle of least privilege and assign only the permissions required to a user or application, everyone can perform their job. Do not grant any additional privileges, and avoid wildcard verbs [“*”] or blanket access.
Update and continuously adjust the RBAC policies to avoid becoming outdated. Remove any permissions no longer required. This can be tedious, but worth the work to secure production workloads.

Network policies
Network policies in Kubernetes allow you to control the traffic between pods, namespaces, and external networks. By using network segmentation, you can isolate sensitive components, minimize the potential blast radius of a security incident, and prevent unauthorized access.
To implement network policies we have three step basic :

Use a network plugin that supports Kubernetes network policies, such as Calico, Cilium, or Weave.
2.Define ingress and egress rules for your pods and namespaces, specifying which sources and destinations are allowed or denied.
3.Implement network segmentation by organizing your applications into different namespaces, based on their function or sensitivity, and applying network policies accordingly.
Understanding and applying these Kubernetes security fundamentals will help you establish a strong foundation for securing your clusters. In the next section, we’ll dive deeper into securing specific cluster components.

Securing Kubernetes Cluster Components
To effectively protect your Kubernetes clusters, it’s essential to secure each component within the cluster. In this section, we’ll explore the security measures you can implement for the API Server, etcd, and Kubelet.

A- API Server

The API Server is the central management component of a Kubernetes cluster and requires adequate security measures to protect it. Here are two crucial areas to focus on:
1.Authentication and authorization:
•Use strong authentication mechanisms, such as client certificates, OIDC, or LDAP, to verify the identity of users and components communicating with the API Server.
•Implement authorization checks to ensure users and components have the necessary permissions to perform actions on the cluster. This can be achieved using RBAC, which we discussed in the previous section.
2.Admission control:
•Use admission controllers to validate and modify incoming requests to the API Server, enforcing additional security constraints and policies.
•Implement commonly used admission controllers, such as PodSecurityPolicy, ResourceQuota, and NetworkPolicy, to enforce security configurations, resource limits, and network rules.

B- etcd database

etcd is the distributed key-value store used by Kubernetes to store its configuration data. Securing etcd is critical to ensure the integrity and confidentiality of your cluster’s data. Focus on the following security aspects:
1.Encryption at rest:
•Enable encryption at rest for etcd to protect sensitive data from unauthorized access when stored on disk. This can be done using Kubernetes’ built-in support for etcd encryption.
•Regularly rotate encryption keys to reduce the risk associated with key compromise.
2.Access control:
•Restrict access to etcd by allowing only the API Server and other essential components to communicate with it.
•Use strong authentication methods, such as client certificates, to verify the identity of clients accessing etcd.
•Implement role-based access control for etcd to ensure that clients have the necessary permissions to perform actions on the key-value store.

Kubelet

The Kubelet is the agent that runs on each node and communicates with the API Server to ensure containers are running as expected. To secure the Kubelet, consider the following measures:
Securing the node:

1- Keep the underlying operating system and installed software up-to-date with the latest security patches.
2- Minimize the attack surface by disabling unnecessary services and removing unused software.
3-Use security tools, such as SELinux or AppArmor, to restrict access to resources and isolate containers on the node.

Pod-level security:

1- Enable the PodSecurityPolicy admission controller to enforce security configurations at the pod level.
2- Use security contexts and policies, as discussed in the Kubernetes Security Fundamentals section, to define and enforce security configurations for your pods.

Enhancing Container Security
Securing containers within your Kubernetes clusters is a critical aspect of safeguarding your applications and data. In this section, we will discuss image scanning and vulnerability management, limiting container privileges and capabilities, and using read-only filesystems and non-root users.

Note: How do you scan containers in GitLab?
Introduced in GitLab 14.9. To enable Container Scanning in a project, create a merge request from the Security Configuration page: In the project where you want to enable Container Scanning, go to Secure > Security configuration. In the Container Scanning row, select Configure with a merge request.
https://docs.gitlab.com/ee/user/application_security/container_scanning/
Image scanning and vulnerability management
Containers are built from images that may contain outdated or vulnerable software. To enhance container security:
1- Use trusted and minimal base images: Select official images from reputable sources and use minimal base images that contain only the necessary components for your application.
2- Implement image scanning: Regularly scan container images for vulnerabilities using tools like Clair, Anchore, or Snyk. Integrate these tools into your CI/CD pipeline to automate the scanning process.
3- Keep images up-to-date: Regularly update your container images with the latest security patches and re-scan them to ensure they remain secure.

Limiting container privileges
Containers should be granted the least amount of privilege necessary to function correctly. To limit container privileges:

1-Use security contexts and policies: Security contexts and policies allow you to define and enforce specific security configurations for your containers and pods.
2-Drop unnecessary capabilities: Limit the capabilities a container can obtain by dropping unnecessary Linux capabilities using security contexts.
3-Run containers as non-root: Avoid running containers with root privileges by specifying a non-root user in the container’s security context. This reduces the potential impact of container-level security vulnerabilities.
Using read-only filesystems and non-root users
Containers should have the minimum level of access required to function correctly. Implementing read-only filesystems and non-root users can help achieve this:
A- Read-only filesystems: Configure your containers to use a read-only filesystem to prevent unauthorized modifications to the container’s files. This can be done using security contexts in your pod specifications.
B- Non-root users: Run containers as non-root users to limit the privileges a container has within the host system. Specify a non-root user in the container’s security context, and ensure that your containerized applications are designed to work without root privileges.
By enhancing container security, you can significantly reduce the risk of security incidents within your Kubernetes clusters.

Implementing Continuous Security Monitoring
Continuous security monitoring is vital for maintaining the integrity and security of your Kubernetes clusters. In this section, we will discuss monitoring tools, setting up alerts and notifications, and analyzing security events to respond to threats effectively.

Monitoring tools for Kubernetes clusters

To monitor your Kubernetes clusters effectively, utilize tools designed specifically for this purpose. Some popular monitoring tools include:

A- Prometheus: An open-source monitoring and alerting toolkit that integrates well with Kubernetes and provides comprehensive metrics collection and querying capabilities.
B- Grafana: A visualization platform that can be used in conjunction with Prometheus to create informative and actionable dashboards for your Kubernetes clusters.
C- Falco: An open-source runtime security tool that monitors container behavior and generates alerts based on user-defined rules.( https://falco.org/docs/)
Setting up alerts and notifications

Establishing a robust alerting system is essential for timely detection and response to potential security incidents. To set up alerts and notifications:

Define alerting rules: Create alerting rules based on specific conditions or thresholds, such as resource usage, error rates, or security events.
Integrate with notification channels: Configure your monitoring tools to send notifications via channels such as email, Slack, or …etc .
Test your alerting system: Regularly test your alerting system to ensure it’s functioning correctly and that your team receives notifications promptly.
Analyzing security events and responding to threats

Being prepared to analyze security events and respond to threats is crucial for maintaining a secure Kubernetes environment. To accomplish this:

Establish an incident response plan:
Develop a plan outlining the steps your team should take when responding to a security incident. This includes roles and responsibilities, communication channels, and post-incident activities.
Investigate security events: Utilize logs and monitoring data to investigate security events, identify the root cause, and determine the scope of the incident.
Remediate and learn from incidents: Take appropriate steps to remediate security incidents, such as patching vulnerabilities or updating configurations. Conduct post-mortem analyses to identify lessons learned and implement improvements to prevent similar incidents in the future.
Implementing continuous security monitoring will enable you to maintain a secure and robust Kubernetes environment.

Security frameworks
Finally, we want to introduce you to security frameworks that provide common methodologies and terminology for security best practices. Security frameworks are a great way to understand attack techniques and best practices for defending against and mitigating attacks. You should use them to build and validate your security strategy.

Please note that these frameworks may not be specific to Kubernetes, but they provide insights into techniques used by adversaries in attacks, and security researchers should check to see if they are Kubernetes-related.

Here we will introduce two well-known frameworks MITRE and Threat Matrix for Kubernetes.

MITER

MITER is a knowledge base of enemy tactics and techniques based on actual observations of cyber attacks. The MITER ATT&CK® Matrix is useful for the Enterprise because it provides classified tactics and techniques for each step of the cybersecurity kill chain.

Figure below describes the MITER ATT&CK® Matrix for AWS.

https://attack.mitre.org/matrices/enterprise/cloud/?source=post_page-----5b4dbcd9a6f3--------------------------------

Image description

Threat matrix for Kubernetes

The other framework is a threat matrix that is a Kubernetes-specific

application of the generic MITRE attack matrix. It was published by the Microsoft team based on security research and real-world attacks. This is another excellent resource to use to build and validate your security strategy. Figure below provides the stages that are relevant to your Kubernetes cluster.
\
Image description

Finally, to collect Kubernetes cluster logs, you can refer to another of my articles at the link below

https://blog.stackademic.com/centralize-logs-kubernetes-cluster-in-to-graylog-server-with-fluent-bit-log-collector-26c22e1b21f1

Top comments (0)