Cyber crime is at an all-time high – and everyone is at risk, including Kubernetes developers. In fact, threat intelligence company Cyble Inc. recently uncovered more than 900,000 exposed Kubernetes clusters that could be vulnerable to an attack, and a 2022 Cloud Native Threat report found that the number of malicious container images targeting Kubernetes environments was up by 10 percentage points in 2021, reaching 19%.
Why are Kubernetes clusters so vulnerable? For starters, they often consist of numerous third-party tools, in-house and open-source code, and other components that need to be updated frequently. What’s more, DevOps teams often over-permission access to clusters during setup and forget to delete permissions later. As a result, vulnerabilities exist, opening the door for bad actors to wreak havoc.
To combat risk, developers must consider the “4 C’s” of Kubernetes security: Cloud native security, Cluster hardening, Container security and Code security. In our recently released Gorilla Guide to Securing Cloud Native Applications on Kubernetes, Foundation Edition, author Dan Sullivan explores each of these considerations in depth. Here’s a summary of his recommendations:
- Understand that cloud security is a joint effort: While cloud providers must secure their infrastructure, cloud users must control access to their cloud resources and ensure proper configuration. Cloud users are also responsible for finding and patching vulnerabilities. If you leverage a cloud vendor like AWS, Google or Azure to host your Kubernetes environment, you benefit from built-in infrastructure security, network protection, and usually encryption at rest and in transit for stored data – but you still need to secure your resources by taking the following steps:
  - Use identity and access control to govern who can perform specific operations.
  - Configure private clouds and VPNs to control network traffic.
  - Monitor and log system operations, and leverage alerting for issue remediation.
  - Implement software engineering best practices.
- Harden your clusters: Cluster hardening is the process of securing your Kubernetes clusters, API access, and application. All API traffic within the cluster should be TLS-encrypted. Fortunately, Kubernetes offers an API for managing TLS certificates. Additionally, every component that depends on API activity must be authenticated, including proxies, volume plugins, and the scheduler. Kubernetes includes service account automation controllers to help meet this requirement, as well as a Role-Based Access Control (RBAC) component for managing roles by defined groups. To use RBAC properly it’s important to understand the scope of granted permissions. Be sure to limit access to the kubelet – the node agent that runs on each node and registers it with the API server.
Another consideration related to cluster hardening is the security of the applications running inside the cluster. Be sure to limit control privileges at the application level and monitor resource usage, ensuring least privilege access for both applications and containers. Finally, you should limit the loading of unwanted and unneeded kernel modules – which can increase the platform’s attack surface – as well as network access, pods’ access to nodes and access to the cloud metadata API.
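To make the RBAC scoping point concrete, here is an added example (not from the Gorilla Guide) that contrasts the over-permissioned setup described above with a least-privilege replacement. The service account `ci-deployer` and the namespaces `ci` and `staging` are constructed names.

```yaml
# Over-permissioned pattern to avoid: a CI robot bound to cluster-admin
# across the whole cluster "just to get deployments working".
# (Names "ci-deployer", "ci", "staging" are constructed for this example.)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ci-deployer-admin-binding
subjects:
- kind: ServiceAccount
  name: ci-deployer
  namespace: ci
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
---
# Least-privilege replacement: a Role scoped to one namespace, listing only
# the resources and verbs the deployer actually needs. No "*" verbs, no
# secrets, and no nodes/proxy (which would grant access to the kubelet).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: deployer
  namespace: staging
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "patch", "update"]
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
# Bind the narrow Role to the same service account, in that namespace only.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ci-deployer-staging
  namespace: staging
subjects:
- kind: ServiceAccount
  name: ci-deployer
  namespace: ci
roleRef:
  kind: Role
  name: deployer
  apiGroup: rbac.authorization.k8s.io
```

After applying the narrow binding (and deleting the cluster-admin one), `kubectl auth can-i --list -n staging --as=system:serviceaccount:ci:ci-deployer` shows exactly what the account can do, and `kubectl auth can-i get secrets -n staging --as=system:serviceaccount:ci:ci-deployer` should answer `no`.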
- Secure your containers: Use tools such as Anchore Engine and Aqua Trivy to scan your containers for vulnerabilities, as even a simple container spec can include a wide array of applications, which may have been built using modules containing security vulnerabilities. Additionally, digitally sign your containers so users can verify the image creator: if your container registry is compromised and a malicious container is pushed into it, signature verification will prevent that image from loading.
It’s possible for malicious code to exploit vulnerabilities in containers and interfere with other containers. Using a sandboxed runtime such as gVisor prevents applications from calling system-level services directly. Indirect execution enables gVisor to inspect system-level calls and prevent bad code from leaving the container. You should use network policies to isolate ingress and egress traffic to containers, and to control how pods communicate with other resources.
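The network-policy isolation described above, as an added example that is not part of the guide: a default-deny policy for a namespace, followed by an explicit allow list for one workload. The namespace `staging`, the labels `app: web` and `app: db`, the ingress-controller namespace `ingress-nginx` and port numbers are constructed assumptions; the `kubernetes.io/metadata.name` namespace label and the `k8s-app: kube-dns` label on CoreDNS pods are standard Kubernetes labels.

```yaml
# 1. Default deny: selects every pod in the namespace and permits no ingress
#    or egress at all. This also blocks pod access to the cloud metadata
#    endpoint, because nothing is allowed out until explicitly listed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: staging
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
# 2. Explicit allow for the "web" pods only: traffic in from the ingress
#    controller's namespace on 8080, traffic out only to cluster DNS and to
#    the "db" pods on 5432. Everything else stays denied by policy 1.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-allow
  namespace: staging
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes: ["Ingress", "Egress"]
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: ingress-nginx
    ports:
    - protocol: TCP
      port: 8080
  egress:
  - to:
    # namespaceSelector AND podSelector in one entry: CoreDNS pods in kube-system
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
  - to:
    - podSelector:
        matchLabels:
          app: db
    ports:
    - protocol: TCP
      port: 5432
```

NetworkPolicy objects are only enforced when the cluster's CNI plugin supports them; on a CNI without policy support they are accepted by the API server but have no effect, so verify enforcement with a blocked test connection rather than trusting that the object exists.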
- Secure your code: While you can’t manually review every line of code in a complex application stack, scanning third-party libraries for vulnerabilities and security errors is a must. Use automated tools such as SonarQube. Additionally, be sure to encrypt network traffic through mutual TLS authentication (mTLS) to prevent unauthorized access to confidential data, and limit port ranges for communication to minimize the attack surface.
Download your copy of Gorilla Guide to Securing Cloud Native Applications on Kubernetes, Foundation Edition for a deeper dive into the 4 C’s of Kubernetes security, along with best practices for evaluating security controls against benchmarks and information about how to ensure Kubernetes application security.
Expand Your Kubernetes Knowledge
If you are seeking to up your Kubernetes knowledge, all our Gorilla Guides will help you get there. Check out our KubeCampus.io Resources section and find helpful guides under “eBooks.”
Register for KubeCampus and you will learn about security and many more topics from Kubernetes thought leaders. Complete hands-on Kubernetes labs and learn real-world cloud native skills!