One month after a major security flaw was discovered in Kubernetes, the Cloud Native Computing Foundation (CNCF) has shared a list of nine best security practices for the popular container orchestration tool Kubernetes.
“As organizations accelerate their adoption of containers and container orchestrators, they will need to take necessary steps to protect such a critical part of their compute infrastructure,” wrote Connor Gilbert, a product manager at the container security company StackRox, who drafted the list.
The nine practices are:
- Upgrade to the latest version: Because new security features are added in each quarterly update, the Gilbert recommends that users always be running the latest stable version. It also claims that upgrading becomes more difficult the further behind you are, so it is wise to update at least once per quarter, as they come out.
- Enable Role-Based Access Control (RBAC): RBAC enables you to control who can access the Kubernetes API and what permissions they have. RBAC is enabled by default in 1.6 and later, but users on earlier versions should double-check their settings. Those using RBAC should avoid using cluster-wide permissions. Instead, grant access as needed on a case-by-case basis.
- Use namespaces to establish security boundaries: Creating separate namespaces provides a first level of isolation between component, as well as makes it easier to apply security controls.
- Separate sensitive workloads: In order to reduce the impact of a compromise, Gilbert recommends running sensitive workloads on a dedicated set of machines. By using this method, you will reduce the risk of an application being accessed through a less-secure application that shares a container runtime, Gilbert explained. Workloads can be separated by using node pools and Kubernetes namespaces, taints, tolerations, and other controls.
- Secure cloud metadata access: GKE’s metadata concealment feature changes the way clusters are deployed to avoid sensitive metadata from being stolen. Gilbert recommends using GKE’s feature until a more permanent feature is implemented.
- Create and define cluster network policies: Network Policies let you control network access into and out of containerized application. Only certain networking providers support this resource, so you will need to check with your provider.
- Run a cluster-wide Pod Security Policy: A Pod Security Poly sets defaults for how workloads should run in your cluster. Gilbert recommends users consider defining a policy and enabling the Pod Security Policy admission controller.
- Harden node security: Gilbert also recommends that you improve the security posture on your nodes by ensuring the host is secure and configured correctly, controlling network access to sensitive ports, and minimizing administrative access to Kubernetes nodes.
- Turn on audit logging: You should make sure that audit logs are enabled and that you are monitoring them for anomalies, especially authorization failures. Authorization failures may signal that an attacker is trying to abuse stolen credentials. According Gilbert, managed Kubernetes providers, such as GKE, provide access to this data and may let you set up alerts for authorization failures.
“Follow these recommendations for a more secure Kubernetes cluster. Remember, even after you follow these tips to configure your Kubernetes cluster securely, you will still need to build security into other aspects of your container configurations and their runtime operations. As you improve the security of your tech stack, look for tools that provide a central point of governance for your container deployments and deliver continuous monitoring and protection for your containers and cloud-native applications,” Gilbert.