A summary of actions to secure Kubernetes

Cryptomining attackers can hijack Kubernetes clusters to mine cryptocurrency for profit. The attack on Tesla's cluster and the 2019 discovery of a worm spreading through exposed Docker engines were early examples of such attacks.

Here is a summary of actions that a Kubernetes cluster owner can take to secure it.

Basics

  • Ensure proper authentication and authorisation of the K8s cluster; never enable anonymous logins or disable RBAC.
  • Secure communication between all K8s components with TLS (API server, kubelets, etcd).
  • Enable etcd encryption at rest, so Secrets are not stored in plaintext.
  • Review admission controllers and disable any that are unnecessary. Use mutating admission controllers only from well-respected sources.
  • Do not use dashboards that lack authentication and proper authorisation.
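The following is an added illustration, not from the original article, of the first three points expressed as configuration: a kube-apiserver static Pod fragment carrying the flags that disable anonymous authentication, enforce RBAC and use TLS towards kubelets and etcd, and the EncryptionConfiguration it points at to encrypt Secrets in etcd. The file paths, image version, key name and placeholder key value are assumptions.

```yaml
# Added example (not from the original article). Paths, version and key material are assumed.
# 1. kube-apiserver static Pod fragment: the flags that matter for the "Basics".
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  hostNetwork: true
  containers:
    - name: kube-apiserver
      image: registry.k8s.io/kube-apiserver:v1.28.0   # assumed version
      command:
        - kube-apiserver
        - --anonymous-auth=false                       # no unauthenticated requests
        - --authorization-mode=Node,RBAC               # never AlwaysAllow
        - --enable-admission-plugins=NodeRestriction   # kubelets may only edit their own Node/Pods
        - --client-ca-file=/etc/kubernetes/pki/ca.crt  # client certificates are verified against this CA
        - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
        - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
        - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt          # TLS to etcd
        - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
        - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
        - --encryption-provider-config=/etc/kubernetes/enc/enc.yaml
      volumeMounts:
        - name: enc
          mountPath: /etc/kubernetes/enc
          readOnly: true
        - name: pki
          mountPath: /etc/kubernetes/pki
          readOnly: true
  volumes:
    - name: enc
      hostPath:
        path: /etc/kubernetes/enc
        type: DirectoryOrCreate
    - name: pki
      hostPath:
        path: /etc/kubernetes/pki
        type: DirectoryOrCreate
---
# 2. /etc/kubernetes/enc/enc.yaml: encrypt Secrets at rest in etcd.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      # The first provider is used for writes; every listed provider is tried for reads.
      - aescbc:
          keys:
            - name: key1
              # Placeholder: generate with `head -c 32 /dev/urandom | base64`
              secret: REPLACE_WITH_BASE64_32_BYTE_KEY
      # identity keeps existing plaintext Secrets readable. After restarting the API server, run
      # `kubectl get secrets -A -o json | kubectl replace -f -` to rewrite them encrypted,
      # then delete this provider so plaintext can no longer be read back.
      - identity: {}
```

Two caveats a practitioner will want: the `aescbc` key sits unencrypted on the control-plane node's disk, so the file's permissions matter and the `kms` provider backed by a cloud KMS is preferable where available; and rotation is done by prepending a new key, restarting every API server, re-writing all Secrets, and only then removing the old key from the list.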

Build and Deploy processes security

  • Review the security attributes of every Kubernetes workload and configure them with the least privileges required to get the job done.
  • Audit PodSecurityPolicy. Open-source tools such as kube-psp-advisor help establish a good Pod Security Policy. (PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25; Pod Security Admission is its built-in replacement.)
  • Review and incorporate steps for container image hardening. The CIS Docker Benchmark is an excellent starting point and includes guidelines for Dockerfile hardening.
  • Incorporate image scanning tools in the build process/CI/CD. Anchore Engine (github.com/anchore/anchore-engine), a service that analyzes Docker images and applies user-defined acceptance policies, is an excellent open-source image vulnerability scanner.
  • Configure the Kubernetes security context of all workloads with the principle of least privilege. Resource requests and service accounts for workloads should follow the same principle. Disable access to host resources, host paths, and unneeded Linux capabilities.
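As an added example that is not part of the original article, the manifests below put the last point into practice: a Deployment with the settings a cryptominer would love to land in, the same workload with a least-privilege security context, dedicated service account and resource limits, and a Namespace label that enforces the `restricted` Pod Security Admission profile (the replacement for PodSecurityPolicy) so the weak version is rejected at admission. The namespace, image names and the digest value are assumptions.

```yaml
# Added example (not from the original article). Namespace, images and digest are assumed.
# BEFORE: privileged, root, host namespaces and the node filesystem mounted.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api
  namespace: shop
spec:
  replicas: 1
  selector:
    matchLabels: {app: api}
  template:
    metadata:
      labels: {app: api}
    spec:
      hostNetwork: true                   # sees all node traffic
      hostPID: true                       # can inspect and signal node processes
      containers:
        - name: api
          image: example.com/shop/api:latest    # mutable tag: scanned image != running image
          securityContext:
            privileged: true              # all capabilities and devices: trivial node escape
            runAsUser: 0
          volumeMounts:
            - name: root
              mountPath: /host
      volumes:
        - name: root
          hostPath: {path: /}             # the whole node filesystem
---
# AFTER: same workload, least privilege applied.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: api
  namespace: shop
automountServiceAccountToken: false       # no API token unless the app really needs one
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api
  namespace: shop
spec:
  replicas: 1
  selector:
    matchLabels: {app: api}
  template:
    metadata:
      labels: {app: api}
    spec:
      serviceAccountName: api             # dedicated identity, not "default"
      automountServiceAccountToken: false
      securityContext:
        runAsNonRoot: true
        runAsUser: 10001
        runAsGroup: 10001
        fsGroup: 10001
        seccompProfile: {type: RuntimeDefault}   # container runtime's default syscall filter
      containers:
        - name: api
          # Pinned by digest so the image that was scanned is the image that runs (placeholder digest).
          image: example.com/shop/api@sha256:0000000000000000000000000000000000000000000000000000000000000000
          ports: [{containerPort: 8080}]
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]               # add back one capability only when proven necessary
          resources:
            requests: {cpu: 100m, memory: 128Mi}
            limits: {cpu: 500m, memory: 256Mi}   # caps what a hijacked pod can burn
          volumeMounts:
            - name: tmp
              mountPath: /tmp             # writable scratch space; root filesystem is read-only
      volumes:
        - name: tmp
          emptyDir: {}
---
# Enforce the hardened shape for the whole namespace with Pod Security Admission (Kubernetes 1.25+).
apiVersion: v1
kind: Namespace
metadata:
  name: shop
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
```

With the `restricted` label in place, the BEFORE Deployment's pods fail admission (privileged, hostPath, hostPID and hostNetwork are all forbidden), while the AFTER Deployment satisfies every check in that profile.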

Runtime and operations security

  • Ensure a Kubernetes audit policy is enabled so that events and activities are logged.
  • Establish network policies that apply the principle of least privilege to ports and communication paths.
  • Image-scanning admission controllers such as https://github.com/sysdiglabs/image-scanning-admission-controller can prevent vulnerable workloads from launching.
  • For node security, use Linux kernel security modules such as AppArmor.
  • Use Open Policy Agent (OPA) to ensure that only images from trusted sources can be launched.
  • Good monitoring and alerting using Grafana/Prometheus. Be aware that mining bots and agents try not to be obvious CPU and resource hogs, so alert on subtle anomalies as well as spikes.
  • Tools like Falco to detect and alert on suspicious activity.
  • Use tools like HashiCorp Vault or public-cloud secrets management services, e.g. AWS Secrets Manager, to manage application secrets.
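The manifests below are an added example, not from the original article, covering the audit policy, network policy and OPA points: an audit Policy that logs everything without writing Secret values to disk, a default-deny NetworkPolicy for a namespace followed by the minimum allow rules (including cluster DNS, which a blanket egress deny would otherwise break), and a Gatekeeper constraint that only admits images from an internal registry. The namespace, pod labels and registry name are assumptions, and the `K8sAllowedRepos` ConstraintTemplate is assumed to have been installed from the open-source gatekeeper-library.

```yaml
# Added example (not from the original article). Namespace, labels and registry are assumed;
# the Gatekeeper ConstraintTemplate K8sAllowedRepos is assumed to be installed (gatekeeper-library).
#
# 1. Audit policy (kube-apiserver --audit-policy-file=... --audit-log-path=...).
#    "Log all events" must not mean "log Secret values": keep Secrets at Metadata level.
apiVersion: audit.k8s.io/v1
kind: Policy
omitStages: ["RequestReceived"]
rules:
  - level: None                    # drop noisy, low-value component watches
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: ""
        resources: ["endpoints", "services"]
  - level: Metadata                # never write Secret contents to the audit log
    resources:
      - group: ""
        resources: ["secrets"]
  - level: RequestResponse         # full bodies for what attackers touch first
    resources:
      - group: "rbac.authorization.k8s.io"
      - group: ""
        resources: ["pods", "pods/exec", "pods/attach", "serviceaccounts"]
  - level: Metadata                # everything else: who did what, when
---
# 2. Network policy: deny everything in the namespace, then allow the minimum.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: shop
spec:
  podSelector: {}                  # every pod in the namespace
  policyTypes: [Ingress, Egress]   # no rules listed, so all traffic is denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-egress
  namespace: shop
spec:
  podSelector:
    matchLabels: {app: api}
  policyTypes: [Egress]
  egress:
    - to:                          # the database and nothing else
        - podSelector:
            matchLabels: {app: db}
      ports: [{protocol: TCP, port: 5432}]
    - to:                          # cluster DNS, or nothing resolves
        - namespaceSelector:
            matchLabels: {kubernetes.io/metadata.name: kube-system}
          podSelector:
            matchLabels: {k8s-app: kube-dns}
      ports: [{protocol: UDP, port: 53}, {protocol: TCP, port: 53}]
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db-ingress
  namespace: shop
spec:
  podSelector:
    matchLabels: {app: db}
  policyTypes: [Ingress]
  ingress:
    - from:
        - podSelector:
            matchLabels: {app: api}
      ports: [{protocol: TCP, port: 5432}]
---
# 3. Gatekeeper (OPA) constraint: only images from the organisation's registry may start
#    in the namespace, so a miner image pulled from a public registry is rejected at admission.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRepos
metadata:
  name: only-internal-registry
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["shop"]
  parameters:
    repos:
      - "registry.example.com/"
```

The egress side is what matters most against cryptomining: a compromised `api` pod can reach the database and DNS and nothing else, so it cannot pull a miner binary or talk to a mining pool. Network policies only take effect if the cluster's CNI plugin enforces them, so verify that before relying on them.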

Ajmal Mahmood


Rohit Mishra

Senior Solutions Engineer (Containers|Kubernetes|Google Cloud Infrastructure)

3 years ago

Nice write-up, Ajmal! I would also add a couple more points from a networking perspective: having private clusters can help, that is, not assigning the nodes an external IP; if outbound internet access is needed, consider NAT; and lastly, protect the control plane endpoints. Managed Kubernetes on public clouds like Google or AWS provides ways to do so, like creating private clusters (no exposed public IP assigned to the control plane), or, even if the control plane has to have an external IP, adding authorized source CIDR blocks to access it, thus sort of putting it behind a virtual L4 firewall.

Abdullah Bin Mustaqeem

2x AWS | 1x GCP | 1x Kubernetes | 1x Terraform Certified DevOps Engineer

3 years ago

Very important blog to read.

