Skip to content

Latest commit

 

History

History
209 lines (167 loc) · 10.7 KB

README.md

File metadata and controls

209 lines (167 loc) · 10.7 KB

Kubernetes Security Checklist

4c-cloud

Table of Contents


Kubernetes Infrastructure

infra-k8s

  • ✅ Limiting access to the Kubernetes API server except from trusted networks.

    • Limit access to Network API Server (Control plane)
    • Limit access to Network Nodes

    Ports and Protocols - kubernetes official doc

  • ✅ Limiting access to Kubernetes Cloud Provider API. Apply the least privilege in the Authorization IAM.

  • ✅ Limiting access to etcd

    • Apply etcd Encryption
    • Use TLS communication
    • is ETCD access limited to control plane?
  • ✅ Apply host security benchmark: OpenSCAP, OVAL. Validate if your hosts are following the CIS benchmark. Compliance

  • ✅ Updates and patches

    • Update the kubernetes version with the fixed bugs
  • ✅ Certs: SSL/TLS for your Kubernetes Cluster

    • Automated issuance and renewal of certificates to secure Ingress with TLS
    • Secure pod-to pod communication with mTLS using private PKI Issuers
    • Supports certificate use cases for web facing and internal workloads

    cert-manager is a X.509 certificate controller for Kubernetes and OpenShift workloads.

    Manage TLS Certificates in a Cluster - Kubernetes official doc

Kubernetes Security Features

  • ✅ Authorization: RBAC
  • ✅ Authentication: SSO
  • ✅ Secrets management
  • ✅ Pod Security policy
  • ✅ Network policy
  • ✅ Observability: Auditing API server

Kubernetes Authorization - RBAC

Kubernetes Pod Security

Kubernetes Secrets

  • ✅ Encrypt all your secrets
    • Mozilla's SOPS
    • Key Management stores in the Cloud Providers

Kubernetes Network Security

when’s the last time anyone discovered a sophisticated attack from a packet capture (PCAP) in Kubernetes?

network-k8s

Image by Security Observability with eBPF

  • ✅ Network Policy
    • Use nano segmentation
    • Use network policy: manage cluster ingress and egress

Kubernetes Supply Chain Security

  • ✅ Enforce image trust with Image signing
  • ✅ Enabled Kubernetes Admission controllers to verify the image integrity.
  • ✅ SCA, SBOM

container-signing

Kubernetes Thread Matrix

Common Attacks

  • Abuse credentials: RBAC, service accounts system:masters

  • Poisoned Images / Malicious Images in the registry

    • Supply chain mitigation: Secure Ci/CD env, Image assurance, Image signing
  • Privileged Escalation – Breaking out of the Container: Excessive capabiiities such as CAP_SYS_ADMIN, CAP_NET_ADMIN, CAP_SYS_PTRACE

  • Backdoor container - Persistence: capture the contents of the service account token mounted in the container

    • Doki Malware
    • Used secret management for your application data.
  • Cryptominers

  • Laterally moving within the cluster, Network scanning: Avoid with network policy or network segmentation.

  • Misconfigured Kubelet API: Avoid with Kubernetes hardening tools.

  • Application exploit (RCE, SSRF, XXE, etc.)

  • Reverse Shell: Remote code execution (RCE) that opens a reverse shell connection to a suspicious domain that the attacker is listening.

    The workload wasn’t restricted by the container runtime and has overly permissive Linux capabilities that enables the attacker to mount in the /etc/kubernetes/manifests directory from the host into the container. The attacker then drops a privileged pod manifest in kubelet’s manifest directory. The attacker now has a high-availability, kubelet-managed backdoor into the cluster that supersedes any IAM (identity and access management) or RBAC policies.

  • Fileless attacks in containers

  • SSRF attacks to the Kubernetes API server

  • Denial of Service (DoS) or a Distributed Denial of Service (DDoS): Avoid with misconfigurations k8s tools

    • ✅ Limit the resources (CPU, memory) in the pods
      • Goldilocks - identify a starting point for resource requests and limits.
    • ✅ Limit the resources (CPU, memory) using Quotes by namespace/cluster.
    • ✅ Set limits about traffic in the ingress policy. You can set limits on the number of concurrent connections, the number of requests per second, minute, or hour; the size of request bodies.
  • Fork bomb: Avoid with misconfigurations k8s toolss

Policy as a code

OPA allows users to set policies across infrastructure and applications.

  • Standard policies.
  • Organization-specific policies
  • Environment-specific policies

Some controls examples: • Which registries images can be downloaded from • Which OS capabilities a container can execute with • Which namespaces are allowed to run sensitive workloads • Labels that must be specified for certain resources • Disallowing deprecated or dangerous resource types • Enforcing naming schemes or internal standards

Integrates shift-left Kubernetes Security

Run security validation checks in your CI/CD pipeline. Check the manifest written in in Yaml, Terraform, etc

  • IaC and automation reduce human error by creating predictable results

Kubernetes Reliability Best Practices

  • Simplicity vs Complexity
    • Service delivery vs traffic routing. Manually maintained DNS entries, Service delivery is required because your application is scaling in and out, and changes are happening at a fast rate.
    • Configuration management tools: Puppet, Ansible, Terraform
    • Application configuration: ConfigMaps or Secrets
  • High-availability (HA) architecture / fault tolerance
  • Resource limits and auto-scaling. set limits on what a pod can consume to increase reliability. This avoids the noisy neighbor problem
  • Liveness and readiness probes. configure liveness probes and readiness probes to provide your cluster with the ability to self-heal

Key Monitoring Alerts

  • Kubernetes deployment with no replicas
  • Horizontal Pod Autoscaler (HPA) scaling issues
  • Host disk usage
  • High IO wait times
  • Increased network errors
  • Increase in pods crashed
  • Unhealthy Kubelets
  • nginx config reload failures
  • Nodes that are not ready
  • Large number of pods that are not in a Running state
  • External-DNS errors registering records

Kubernetes Security Tools

Kubernetes Security Guides

Kubernetes CI/CD Artifacts

  • argoCD
  • gitops
  • terraform
  • helm
  • Istio help handling mutual TLS encryption inside the cluster.

Further reading:

Collaborate

If you find any typos, errors, outdated resources; or if you have a different point of view. Please open a pull request or contact me.

Pull requests and stars are always welcome 🙌