Secure Kubernetes

Secure Kubernetes

To secure a Kubernetes cluster:

  • Leverage Kubernetes secrets and federated secrets objects to hold sensitive information, such as passwords, OAuth tokens, and ssh keys.

  • Do not store sensitive information in a pod definition or in an image.

  • Verify that container images contain no vulnerabilities to mitigate the EoP threat.

    • Integrate vulnerability scanning in your CI/CD process.

    • Create a private registry with verified images that will be used in your environment.

    • Verify that only authorized images can be run in your environment.

    • Protect a communication channel to the image registry with TLS.

    • Regularly update your images and submit them to the image registry.

  • Limit access to Kubernetes nodes to mitigate the tampering and EoP threats.

    • Do not provide SSH access to the nodes.

    • Use kubectl exec to access a container environment.

  • Limit scope of user permissions to mitigate the information disclosure, tampering, EoP, and DoS threats.

    • Use different namespaces to separate resources between users.

    • Use Kubernetes Authorization Plugins to further control user access with policies to resources within the namespace.

  • Define resource quota to prevent DoS attacks. You can create a corresponding policy and assign it to the specified Kubernetes namespace to limit CPU and memory consumption, as well as the number of pods within the namespace.

  • Implement network segmentation to mitigate the EoP, DoS, tampering and information disclosure threats. Use network policies to create network segmentation between pods, services, and containers.

  • Apply security context to mitigate the EoP, tampering, and information disclosure threats.

    • Configure the security context for your pods, containers, and volumes that you can define in the deployment yaml.

    • Use admission controllers to limit access to a host’s IPC namespace for pods that run with escalated privileges.

  • Enable logging to mitigate the repudiation threat.

    • Log container’s standard output including errors using a Fluentd agent running on each node.

    • Use MCP Stacklight.