To secure a Kubernetes cluster:
Leverage Kubernetes secrets and federated secrets objects to hold sensitive information, such as passwords, OAuth tokens, and SSH keys.
Do not store sensitive information in a pod definition or in an image.
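The following manifest is an added example, not taken from the original document. It shows the pattern the two items above describe: a Secret object holds the credential and an SSH key, and the pod references them by name through an environment variable and a read-only volume, instead of carrying the values in its own spec or in the image. The namespace, names, image and the placeholder values are assumptions.

```yaml
# Added example; all names, the image and the placeholder values are assumptions.
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials          # assumed name
  namespace: app                # assumed namespace
type: Opaque
stringData:                     # written as plain text; the API server stores it base64-encoded
  password: "REPLACE-AT-DEPLOY-TIME"   # constructed placeholder, not a real credential
---
apiVersion: v1
kind: Pod
metadata:
  name: api
  namespace: app
spec:
  containers:
  - name: api
    image: registry.example.internal/api:1.0   # assumed image
    env:
    # Anti-pattern the item above warns against (kept commented out):
    # - name: DB_PASSWORD
    #   value: "hunter2"          # a literal in the pod spec ends up in git, kubectl output and audit logs
    - name: DB_PASSWORD
      valueFrom:
        secretKeyRef:             # the value is resolved by the kubelet at container start
          name: db-credentials
          key: password
    volumeMounts:
    - name: ssh-key
      mountPath: /etc/ssh-key     # the key appears as a file, never baked into the image layers
      readOnly: true
  volumes:
  - name: ssh-key
    secret:
      secretName: deploy-ssh-key  # assumed: a second Secret whose key "id_ed25519" holds the private key
      defaultMode: 0400           # readable by the container user only
```

A Secret is base64-encoded, not encrypted, in etcd by default; pair this with encryption at rest for the secrets resource on the API server, and restrict who can read Secret objects with the authorization policy of the namespace.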
Verify that container images contain no vulnerabilities to mitigate the EoP threat.
Integrate vulnerability scanning in your CI/CD process.
Create a private registry with verified images that will be used in your environment.
Verify that only authorized images can be run in your environment.
Protect the communication channel to the image registry with TLS.
Regularly update your images and submit them to the image registry.
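As an added example that is not part of the original document, the manifests below put the registry items above into cluster configuration: the Deployment pulls from a private registry using a pull secret and pins the image by digest, so the artifact that passed the CI scan is exactly the one that runs, and a ValidatingAdmissionPolicy rejects any pod whose containers reference a registry other than the private one. The registry host, names, the zero-filled digest and the group labels are assumptions; the admission policy uses the admissionregistration.k8s.io/v1 API, which requires Kubernetes 1.30 or later.

```yaml
# Added example; registry host, names and the digest placeholder are assumptions.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api
  namespace: app
spec:
  replicas: 2
  selector:
    matchLabels: {app: api}
  template:
    metadata:
      labels: {app: api}
    spec:
      imagePullSecrets:
      - name: private-registry-creds   # assumed Secret of type kubernetes.io/dockerconfigjson
      containers:
      - name: api
        # Pinned by digest: a tag can be re-pointed to a different image later, a digest cannot.
        # The digest below is a placeholder; use the one reported by the scanner for the approved build.
        image: registry.example.internal/team/api@sha256:0000000000000000000000000000000000000000000000000000000000000000
        imagePullPolicy: Always
---
# Enforce "only images from the private registry" at admission time.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: allowed-registry
spec:
  failurePolicy: Fail             # if the policy cannot be evaluated, reject rather than allow
  matchConstraints:
    resourceRules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      operations: ["CREATE", "UPDATE"]
      resources: ["pods"]
  validations:
  - expression: >-
      object.spec.containers.all(c, c.image.startsWith('registry.example.internal/')) &&
      (!has(object.spec.initContainers) ||
       object.spec.initContainers.all(c, c.image.startsWith('registry.example.internal/')))
    message: "only images from registry.example.internal are allowed"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: allowed-registry
spec:
  policyName: allowed-registry
  validationActions: [Deny]
  matchResources:
    namespaceSelector:
      matchLabels:
        kubernetes.io/metadata.name: app   # scope to the application namespace; drop to apply cluster-wide
```

The policy checks pods rather than Deployments because every workload controller ultimately creates pods, so a pod-level rule cannot be bypassed by a different controller type. Ephemeral containers added with kubectl debug are not covered by the expression above and would need a separate clause.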
Limit access to Kubernetes nodes to mitigate the tampering and EoP threats.
Do not provide SSH access to the nodes.
Use kubectl exec to access a container environment.
Limit scope of user permissions to mitigate the information disclosure, tampering, EoP, and DoS threats.
Use different namespaces to separate resources between users.
Use Kubernetes Authorization Plugins to further control user access with policies to resources within the namespace.
Define resource quotas to prevent DoS attacks. You can create a corresponding policy and assign it to the specified Kubernetes namespace to limit CPU and memory consumption, as well as the number of pods within the namespace.
Implement network segmentation to mitigate the EoP, DoS, tampering and information disclosure threats. Use network policies to create network segmentation between pods, services, and containers.
Apply security context to mitigate the EoP, tampering, and information disclosure threats.
Configure the security context for your pods, containers, and volumes, which you can define in the deployment YAML.
Use admission controllers to limit access to a host’s IPC namespace for pods that run with escalated privileges.
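The manifest below is an added example, not part of the original document. It pairs a pod whose pod-level, container-level and volume-related security context settings are all set to the least-privileged values with a namespace that enables the built-in Pod Security Admission controller; the restricted profile rejects, at admission time, any pod in the namespace that requests the host IPC, PID or network namespaces or runs privileged, which is the admission-controller check the item above describes. The namespace, image and numeric IDs are assumptions.

```yaml
# Added example; namespace, image and the UID/GID values are assumptions.
apiVersion: v1
kind: Namespace
metadata:
  name: app
  labels:
    # Pod Security Admission is a built-in admission controller (GA since Kubernetes 1.25).
    # "baseline" already rejects hostIPC, hostPID, hostNetwork and privileged containers;
    # "restricted" additionally requires the container settings shown in the Pod below.
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
---
apiVersion: v1
kind: Pod
metadata:
  name: api
  namespace: app
spec:
  hostIPC: false                # explicit; these are also the defaults
  hostPID: false
  hostNetwork: false
  securityContext:              # pod level: applies to every container and to volume ownership
    runAsNonRoot: true          # kubelet refuses to start the container if the image runs as UID 0
    runAsUser: 10001
    runAsGroup: 10001
    fsGroup: 10001              # volumes are mounted group-owned by this GID, so no root is needed to write them
    seccompProfile:
      type: RuntimeDefault      # the container runtime's default syscall filter
  containers:
  - name: api
    image: registry.example.internal/api:1.0   # assumed image
    securityContext:            # container level
      allowPrivilegeEscalation: false          # blocks setuid binaries from gaining privileges
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]           # add back only a named capability the process really needs
    volumeMounts:
    - name: tmp
      mountPath: /tmp           # the one writable path, backed by an emptyDir
  volumes:
  - name: tmp
    emptyDir: {}
```

Set the warn label first on an existing namespace to see which running workloads would be rejected, then switch enforce on; the controller evaluates the pod as the controller creates it, so a Deployment whose template violates the profile still admits, but its pods do not, which shows up as the Deployment never reaching its desired replica count.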
Enable logging to mitigate the repudiation threat.
Log containers' standard output, including errors, using a Fluentd agent running on each node.
Use MCP Stacklight.
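As an added example that is not taken from the original document or from MCP Stacklight, the manifest below runs a Fluentd agent on every node as a DaemonSet with read-only access to the node's /var/log directory, where the kubelet writes each container's standard output and error streams, and gives it a read-only service account for enriching records with pod metadata. The image, names and the control-plane toleration are assumptions; Fluentd's own configuration (which backend it ships records to) is out of scope here.

```yaml
# Added example; image and names are assumptions.
apiVersion: v1
kind: ServiceAccount
metadata: {name: fluentd, namespace: kube-system}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata: {name: fluentd}
rules:
- apiGroups: [""]
  resources: ["pods", "namespaces"]
  verbs: ["get", "list", "watch"]    # read-only: only used to attach pod/namespace labels to records
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata: {name: fluentd}
roleRef: {kind: ClusterRole, name: fluentd, apiGroup: rbac.authorization.k8s.io}
subjects:
- {kind: ServiceAccount, name: fluentd, namespace: kube-system}
---
apiVersion: apps/v1
kind: DaemonSet                     # one agent pod per node, including nodes added later
metadata: {name: fluentd, namespace: kube-system}
spec:
  selector: {matchLabels: {app: fluentd}}
  template:
    metadata: {labels: {app: fluentd}}
    spec:
      serviceAccountName: fluentd
      tolerations:
      - key: node-role.kubernetes.io/control-plane
        effect: NoSchedule          # collect from control-plane nodes as well
      containers:
      - name: fluentd
        image: registry.example.internal/fluentd:1.16   # assumed image from the private registry
        resources:
          limits: {cpu: 500m, memory: 512Mi}           # bound the agent so log bursts cannot starve workloads
        volumeMounts:
        - name: varlog
          mountPath: /var/log
          readOnly: true            # the agent only ever needs to read container logs
        - name: buffer
          mountPath: /fluentd/buffer   # assumed path for the agent's local buffer
      volumes:
      - name: varlog
        hostPath: {path: /var/log}
      - name: buffer
        emptyDir: {}
```

Because the agent reads files under /var/log/pods and /var/log/containers, log records survive a container's restart or deletion, which is what makes them usable as a non-repudiation record; the retention and integrity of that record then depend on the backend the agent forwards to, not on the node.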