Kubernetes

About

What is Kubernetes Security?

Kubernetes Security is defined as the actions, processes and principles that should be followed to ensure security in your Kubernetes deployments. This includes – but is not limited to – securing containers, configuring workloads correctly, Kubernetes network security, and securing your infrastructure. [1]

Why is Kubernetes security important?

Kubernetes security is important due to the variety of threats facing clusters and pods, including:

• Malicious actors

• Malware running inside containers

• Broken container images

• Compromised or rogue users

Without proper controls, a malicious actor who breaches an application could attempt to take control of the host or the entire cluster. [1]

Best practices

Extracted from [1].

Check out also about:

• Key Kubernetes security issues

• Kubernetes security challenges and solutions

• Securing Kubernetes hosts

• Kubernetes Security Observability

By phase

Development/Design phase:

• Some Kubernetes environments may be more secure than others. Using a multi-cluster architecture or multiple namespaces with proper RBAC controls can help isolate workloads.

Build phase:

• Choose a minimal image from a vetted repository.

• Use container scanning tools to uncover any vulnerabilities or misconfigurations in containers.

Deployment Phase:

• Images should be scanned and validated prior to deployment.

  • An admission controller can be used to automate this validation so only vetted container images are deployed.

Runtime Phase:

• The Kubernetes API generates audit logs that should be monitored using a runtime security tool, such as Sysdig.

• Images and policy files should also be continuously scanned to prevent malware or misconfigurations in a runtime environment.

Resources

• aad-pod-identity: Assign Azure AD idenitites to pods in Kubernetes, in order to access Azure resources.

• audit2rbac: Autogenerate RBAC policies based on Kubernetes audit logs.

• Deepfence ThreatMapper: Apache v2, powerful runtime vulnerability scanner for kubernetes, virtual machines and serverless.

• cnspec: Scan Kubernetes clusters, containers, and manifest files for vulnerabilities and misconfigurations.

• falco: Container Native Runtime Security.

• kdigger: Kubernetes focused container assessment and context discovery tool for penetration testing.

• kiam: Integrate AWS IAM with Kubernetes.

• kube-bench: Check whether Kubernetes is deployed according to security best practices.

• kube-hunter: Hunt for security weaknesses in Kubernetes clusters.

• kube-psp-advisor: Help building an adaptive and fine-grained pod security policy.

• kube-scan: k8s cluster risk assessment tool.

• Kubei: Vulnerabilities scanner for Kubernetes clusters.

• kube2iam: Provide different AWS IAM roles for pods running on Kubernetes.

• kubeaudit: Audit your Kubernetes clusters against common security controls.

• kubectl-bindrole: Find Kubernetes roles bound to a specified ServiceAccount, Group or User.

• kubectl-dig: Deep Kubernetes visibility from the kubectl.

• kubectl-kubesec: Scan Kubernetes pods, deployments, daemonsets and statefulsets with kubesec.io.

• kubectl-who-can: Show who has permissions to <verb> <resource> in Kubernetes.

• OWASP Top Ten for Kubernetes: The Top Ten is a prioritized list of these risks backed by data collected from organizations varying in maturity and complexity.

• terrascan: Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.

• kyverno: Kubernetes Native Policy Management.

• rakkess: Review access matrix for Kubernetes server resources.

• rback: RBAC in Kubernetes visualizer.

• steampipe: Use SQL to query your cloud services (AWS, Azure, GCP and more) running Kubernetes.

• steampipe-kubernetes: Use SQL to query your Kubernetes resources.

• steampipe-kubernetes-compliance: Kubernetes compliance scanning tool for CIS, NSA & CISA Cybersecurity technical report for Kubernetes hardening.

• trivy: A Simple and Comprehensive Vulnerability Scanner for Containers, Suitable for CI.

• trivy-operator: Kubernetes-native security (Vulnerabilities,IaC MisConfig,Exposed Secrets,RBAC Assessment,Compliance and more) toolkit for kubernetes.

• kubernetes-rbac-audit: Tool for auditing RBACs in Kubernetes.

• kubernetes-external-secrets: Tool to get External Secrets from Hashicorp Vault and AWS SSM.

• vault-secrets-operator: An operator to create Kubernetes secrets from Vault for a secure GitOps based workflow.

Others

• Kubernetes Security and Disclosure Information

• Kubernetes Security

• GKE Security Bulletins

• CKS Certified Kubernetes Security Specialist resources repo

• Kubernetes Security Checklist and Requirements

• OWASP Kubernetes Security Cheatsheet

• Securing Kubernetes Clusters

• Kubernetes Security : 6 Best Practices for 4C Security Model

Sources

[1]: Kubernetes Security: Common Issues and Best Practices | Snyk

[2]: ksoclabs/awesome-kubernetes-security: A curated list of awesome Kubernetes security resources (github.com)