Skip to content

Kubernetes Security

Introduction

kubernetes security mindmap

Service Accounts

Kubernetes Secrets

Encrypting the certificate for Kubernetes. SSL certificates with Let’s Encrypt in Kubernetes Ingress via cert-manager

RBAC

Admission Control

Security Best Practices Across Build, Deploy, and Runtime Phases

  • Kubernetes Security 101: Risks and 29 Best Practices 🌟
  • Build Phase:
    1. Use minimal base images
    2. Don’t add unnecessary components
    3. Use up-to-date images only
    4. Use an image scanner to identify known vulnerabilities
    5. Integrate security into your CI/CD pipeline
    6. Label non-fixable vulnerabilities
  • Deploy Phase:
    1. Use namespaces to isolate sensitive workloads
    2. Use Kubernetes network policies to control traffic between pods and clusters
    3. Prevent overly permissive access to secrets
    4. Assess the privileges used by containers
    5. Assess image provenance, including registries
    6. Extend your image scanning to deploy phase
    7. Use labels and annotations appropriately
    8. Enable Kubernetes role-based access control (RBAC)
  • Runtime Phase:
    1. Leverage contextual information in Kubernetes
    2. Extend vulnerability scanning to running deployments
    3. Use Kubernetes built-in controls when available to tighten security
    4. Monitor network traffic to limit unnecessary or insecure communication
    5. Leverage process whitelisting
    6. Compare and analyze different runtime activity in pods of the same deployments
    7. If breached, scale suspicious pods to zero

kubernetes security controls landscape

Kubernetes Authentication and Authorization

Kubernetes Authentication Methods

Kubernetes supports several authentication methods out-of-the-box, such as X.509 client certificates, static HTTP bearer tokens, and OpenID Connect.

X.509 client certificates

Static HTTP Bearer Tokens

OpenID Connect

Implementing a custom Kubernetes authentication method

Pod Security Policies (SCCs - Security Context Constraints in OpenShift)

EKS Security

Tweets

Click to expand!