Secure Kubernetes
To secure a Kubernetes cluster:
- Leverage Kubernetes secrets and federated secrets objects to hold sensitive information, such as passwords, OAuth tokens, and SSH keys.
  - Do not store sensitive information in a pod definition or in an image.
- Verify that container images contain no vulnerabilities to mitigate the EoP threat.
  - Integrate vulnerability scanning into your CI/CD process.
  - Create a private registry with verified images that will be used in your environment.
  - Verify that only authorized images can be run in your environment.
  - Protect the communication channel to the image registry with TLS.
  - Regularly update your images and submit them to the image registry.
- Limit access to Kubernetes nodes to mitigate the tampering and EoP threats.
  - Do not provide SSH access to the nodes.
  - Use kubectl exec to access a container environment.
- Limit the scope of user permissions to mitigate the information disclosure, tampering, EoP, and DoS threats.
  - Use different namespaces to separate resources between users.
  - Use Kubernetes Authorization Plugins to further control user access to resources within the namespace with policies.
  - Define resource quotas to prevent DoS attacks. You can create a corresponding policy and assign it to the specified Kubernetes namespace to limit CPU and memory consumption, as well as the number of pods within the namespace.
- Implement network segmentation to mitigate the EoP, DoS, tampering, and information disclosure threats. Use network policies to create network segmentation between pods, services, and containers.
- Apply a security context to mitigate the EoP, tampering, and information disclosure threats.
  - Configure the security context for your pods, containers, and volumes in the deployment YAML.
  - Use admission controllers to limit access to a host's IPC namespace for pods that run with escalated privileges.
- Enable logging to mitigate the repudiation threat.
  - Log containers' standard output, including errors, using a Fluentd agent running on each node.
  - Use MCP Stacklight.
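The following manifests are an added example, not part of the MCP documentation, showing how several of the recommendations above (resource quotas, network segmentation, secrets kept out of the pod spec, a restrictive security context) look in a single namespace; the namespace `team-a`, the pod `app`, the Secret `db-creds` and the registry host `registry.example.internal` are placeholder names.

```yaml
# Added example (not from MCP docs); team-a, app, db-creds are placeholder names.
# Resource quota for the namespace: caps pod count, CPU and memory (DoS mitigation).
apiVersion: v1
kind: ResourceQuota
metadata:
  name: team-a-quota
  namespace: team-a
spec:
  hard:
    pods: "20"
    requests.cpu: "4"
    requests.memory: 8Gi
---
# Default-deny NetworkPolicy: pods in team-a get no traffic unless another policy allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: team-a
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
# Pod: credential comes from a Secret (not the pod spec), image from a private registry,
# restrictive security context. Requests are required because the quota constrains them.
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: team-a
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001
  containers:
  - name: app
    image: registry.example.internal/app:1.2.3
    env:
    - name: DB_PASSWORD
      valueFrom:
        secretKeyRef:
          name: db-creds
          key: password
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]
    resources:
      requests: {cpu: 250m, memory: 256Mi}
```

The Secret `db-creds` must already exist in `team-a` (created out of band, never committed with the manifest), and the default-deny policy also blocks DNS egress, so add an explicit allow policy for the traffic each workload actually needs.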