Secure Kubernetes

To secure a Kubernetes cluster:

  • Use Kubernetes Secret objects (or federated Secret objects in a federated cluster) to hold sensitive data such as passwords, OAuth tokens, and SSH keys, and deliver them to pods as mounted volumes or environment variables populated from the Secret. Keep in mind that Secret data is only base64-encoded in etcd unless encryption at rest is enabled, so enable it and restrict RBAC access to Secret objects.
  • Do not store sensitive information in a pod definition or bake it into a container image; anyone who can read the manifest or pull the image can read it.
  • Verify that container images contain no known vulnerabilities to mitigate the elevation of privilege (EoP) threat.
    • Integrate image vulnerability scanning into your CI/CD pipeline and fail the build on findings above your threshold.
    • Create a private registry that holds only verified images and use it for your environment.
    • Verify that only authorized images from that registry can run in your environment, for example by admitting only images from the registry and pinning them by digest rather than by mutable tag.
    • Protect the communication channel to the image registry with TLS.
    • Rebuild and update your images regularly and push the updated images to the image registry.
  • Limit access to Kubernetes nodes to mitigate the tampering and EoP threats.
    • Do not provide SSH access to the nodes.
    • Use kubectl exec to access a container environment instead, and restrict the pods/exec subresource with RBAC so that only the users who need it can open a shell in a container.
  • Limit the scope of user permissions to mitigate the information disclosure, tampering, EoP, and DoS threats.
    • Use separate namespaces to isolate resources that belong to different users or teams.
    • Use the Kubernetes authorization modes, such as RBAC with Roles and RoleBindings, to further control which users can access which resources within a namespace.
  • Define resource quotas to prevent DoS attacks. Create a ResourceQuota object in the relevant Kubernetes namespace to limit total CPU and memory consumption as well as the number of pods in that namespace, and set per-container requests and limits so that a single workload cannot exhaust the quota.
  • Implement network segmentation to mitigate the EoP, DoS, tampering, and information disclosure threats. Use NetworkPolicy objects to segment traffic between pods and services, starting from a default-deny policy per namespace and allowing only the required flows. Network policies are enforced only if the cluster's CNI plugin supports them.
  • Apply a security context to mitigate the EoP, tampering, and information disclosure threats.
    • Configure the security context for your pods, containers, and volumes in the deployment YAML: run as a non-root user, disallow privilege escalation, drop unneeded Linux capabilities, and use a read-only root filesystem where possible.
    • Use an admission controller to reject pods that request the host's IPC, PID, or network namespace or that run with escalated privileges unless they are explicitly allowed.
  • Enable logging to mitigate the repudiation threat.
    • Collect each container's standard output and standard error using a Fluentd agent running on every node.
    • Use MCP Stacklight to aggregate and retain the collected logs.
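The pod-level rules above (secrets not stored as literals, images pulled only from a verified private registry and pinned by digest, CPU and memory limits, a restrictive security context, no host namespaces) can be checked mechanically before a manifest reaches the cluster. The following is an added example, not code from the original page or from MCP: a small admission-style audit that a CI job could run over pod manifests, shown against a weak manifest and its hardened counterpart. The registry name registry.example.internal and both manifests are constructed for illustration; namespace-level objects such as ResourceQuota and NetworkPolicy are outside its scope.

```python
"""Audit a pod manifest against the hardening rules listed above.

Added example, not part of the original page or of MCP. The approved
registry and the two pod manifests are constructed for illustration.
"""
import re

# Assumption: only images from this private registry are allowed to run.
APPROVED_REGISTRY = "registry.example.internal/"
# Environment variable names that usually carry credentials.
SECRET_ENV_RE = re.compile(r"(PASSWORD|TOKEN|SECRET|KEY)", re.IGNORECASE)


def audit_container(c):
    """Return a list of findings for one container spec (empty if clean)."""
    findings = []
    name = c["name"]
    sc = c.get("securityContext", {})
    if sc.get("privileged"):
        findings.append(f"{name}: privileged container")
    # allowPrivilegeEscalation defaults to true when unset.
    if sc.get("allowPrivilegeEscalation", True):
        findings.append(f"{name}: allowPrivilegeEscalation not set to false")
    if not sc.get("runAsNonRoot"):
        findings.append(f"{name}: runAsNonRoot not set")
    if "ALL" not in sc.get("capabilities", {}).get("drop", []):
        findings.append(f"{name}: capabilities not dropped (drop: [ALL])")
    if not sc.get("readOnlyRootFilesystem"):
        findings.append(f"{name}: root filesystem is writable")
    image = c.get("image", "")
    if not image.startswith(APPROVED_REGISTRY):
        findings.append(f"{name}: image {image!r} not from approved registry")
    if "@sha256:" not in image:
        findings.append(f"{name}: image not pinned by digest")
    limits = c.get("resources", {}).get("limits", {})
    for res in ("cpu", "memory"):
        if res not in limits:
            findings.append(f"{name}: no {res} limit (DoS)")
    # A credential must come from a Secret (valueFrom.secretKeyRef), never a literal value.
    for env in c.get("env", []):
        if "value" in env and SECRET_ENV_RE.search(env["name"]):
            findings.append(f"{name}: env {env['name']} holds a literal secret; use secretKeyRef")
    return findings


def audit_pod(pod):
    """Return all findings for a pod manifest; an empty list means it passes."""
    spec = pod["spec"]
    findings = []
    for flag in ("hostIPC", "hostPID", "hostNetwork"):
        if spec.get(flag):
            findings.append(f"pod shares host {flag[4:]} namespace")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        findings.extend(audit_container(c))
    return findings


WEAK_POD = {  # constructed: the kind of manifest the rules above forbid
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "app", "namespace": "default"},
    "spec": {
        "hostIPC": True,
        "containers": [{
            "name": "app",
            "image": "app:latest",
            "env": [{"name": "DB_PASSWORD", "value": "hunter2"}],
            "securityContext": {"privileged": True},
        }],
    },
}

HARDENED_POD = {  # constructed: the same workload, hardened per the rules above
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "app", "namespace": "team-a"},
    "spec": {
        "containers": [{
            "name": "app",
            "image": APPROVED_REGISTRY + "app@sha256:" + "0" * 64,
            "env": [{"name": "DB_PASSWORD",
                     "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "password"}}}],
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
            "securityContext": {
                "runAsNonRoot": True, "runAsUser": 10001,
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(label, audit_pod(pod) or ["ok"])
```

Run it directly to see every finding for the weak manifest and an empty result for the hardened one. The same checks are what an admission controller in the cluster should enforce; running them in CI as well catches a bad manifest before it is ever submitted.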