Kubernetes Security
Operating Kubernetes Clusters and Applications Safely
Hello and welcome to Kubernetes Security, the resource center for the O’Reilly book on this topic by Liz Rice and Michael Hausenblas.
In the book we explore security concepts including defense in depth, least privilege, and limiting the attack surface. We discuss and show how to secure clusters, and you’ll also learn how Kubernetes uses authentication and authorization. The book will teache you how to secure container images against known vulnerabilities and abuse by third parties, enforce policies on the container runtime level as well as the networking level, and give you to rundown on how to handle sensitive information such as credentials.
Table of contents
- Securing the cluster
- Authentication and authorization
- Securing your container images
- Running containers securely
- Secrets management
- Advanced topics
- References
Securing the cluster
Relevant pages in the official Kubernetes documentation:
- Securing a Cluster
- Encrypting Secret Data at Rest
- Installation—Recommended setup
- Auditing
- Certificate Rotation
Further reading:
- CVE-2018-1002105—Kubernetes privilege escalation and access to sensitive information
- etcd’s transport security model
- Securing Kubernetes components: kubelet, etcd and Docker registry
- K8s security best practices
- Kubernetes Security - Best Practice Guide
- Lessons from the Cryptojacking Attack at Tesla
- Hacking and Hardening Kubernetes Clusters by Example
- What Does “Production Ready” Really Mean for a Kubernetes Cluster
- A Hacker’s Guide to Kubernetes and the Cloud
- Kubernetes Container Clustering, Catastrophe
- Hardening Kubernetes from Scratch
- Analysis of a Kubernetes hack — Backdooring through kubelet
- 11 Ways (Not) to get Hacked
- Testing access to the Kubelet API
Tooling:
- Center for Internet Security (CIS) Benchmark for Kubernetes
- Center for Internet Security (CIS) Benchmark for Docker
- aquasecurity/kube-bench
- aquasecurity/kube-hunter
- k8guard.github.io
- bgeesaman/kubeatf
- docker/docker-bench-security
Authentication and authorization
Introductions and overview resources for authn & authz in Kubernetes:
- Kubernetes deep dive: API Server – part 1 by Stefan Schimanski and Michael Hausenblas
- Kubernetes Auth and Access Control by Eric Chiang
- Webhook Mode via Kubernetes documentation
- Certifik8s: All You Need to Know About Certificates in Kubernetes by Alexander Brand,
- RFC 7519 JSON Web Token (JWT)
- RFC 7617 The ‘Basic’ HTTP Authentication Scheme
- X.509 certificates
- OpenID Connect
Tooling:
- jwt.io
- kubeadm
- kubectl-who-can - a kubectl plugin for seeing which identities have permission to perform a given action on a given set of resources
Authentication
Relevant pages in the official Kubernetes documentation:
Further reading:
- Protect Kubernetes External Endpoints with OAuth2 Proxy by Alen Komljen
- Single Sign-On for Internal Apps in Kubernetes using Google Oauth / SSO by William Broach
- Single Sign-On for Kubernetes: An Introduction by Joel Speed
- Let’s Encrypt, OAuth 2, and Kubernetes Ingress by Ian Chiles
- Comparing Kubernetes Authentication Methods by Etienne Dilocker
- K8s auth proxy example
- K8s authentication with Conjur
Tooling:
- Keycloak
- coreos/dex
- heptio/authenticator
- hashicorp/vault-plugin-auth-kubernetes
- appscode/guard
- cyberark/conjur
Authorization
Relevant pages in the official Kubernetes documentation:
- Authorization
- Using RBAC Authorization
- Controlling Access to the Kubernetes API
- Configure Service Accounts for Pods
Further reading:
- Effective RBAC by Jordan Liggitt
- Configure RBAC In Your Kubernetes Cluster via Bitnami
- Using RBAC, Generally Available in Kubernetes v1.8 by Eric Chiang
Tooling:
Securing your container images
Further reading:
- Establishing Image Provenance and Security in Kubernetes
- Image Management & Mutability in Docker and Kubernetes
- Container security considerations in a Kubernetes deployment
- Using Docker tags to mess with people’s minds
- If you run SSHD in your Docker containers, you’re doing it wrong!
- Creating Effective Images
- How to containerize your Go code
- Building Container Images Securely on Kubernetes
- The OpenShift Build Process
- Introducing Grafeas: An open-source API to audit and govern your software supply chain
- Secure Kubernetes Application Delivery
- Set up Security Scanning in DTR
- Pain spotting: Russia’s Aeroflot Docker server lands internal source code, config files on public internet
Tooling:
- National Vulnerability Database
- OpenSCAP tools
- coreos/clair
- aquasecurity/microscanner
- Docker Registry Server
- GitLab Container Registry
- Red Hat Quay container registry
- Amazon Elastic Container Registry
- theupdateframework/notary
- weaveworks/flux
- IBM/portieris
- Grafeas
- in-toto
Running containers securely
Relevant pages in the official Kubernetes documentation:
- Configure Quality of Service for Pods
- Configure a Security Context for a Pod or Container
- Pod Security Policies
- Network policies
Further reading:
- Just say no to root (in containers)
- Non-privileged containers FTW!
- Running with Scissors
- Containers are a lie
- Exploring Container Mechanisms Through the Story of a Syscall: slides, video
- Improving your Kubernetes Workload Security
- Container Isolation at Scale (Introducing gVisor): slides, video
- Shipping in Pirate-Infested Waters: Practical Attack and Defense in Kubernetes
- Exploring container security: Isolation at different layers of the Kubernetes stack
- Security Best Practices for Kubernetes Deployment
- NIST Special Publication 800-190: Application Container Security Guide
- Kubernetes Security Best Practices
- Securing Kubernetes Cluster Networking
- Tutorials and Recipes for Kubernetes Network Policies feature
- Kubernetes Security Context and Kubernetes Network Policy
- Continuous Kubernetes Security
- Cilium: Making BPF Easy on Kubernetes for Improved Security, Performance
Tooling:
Secrets management
Relevant pages in the official Kubernetes documentation:
Further reading:
- Kubernetes secrets examples
- Dynamic secrets on Kubernetes pods using Hashicorp Vault
- Managing Secrets on OpenShift – Vault Integration
- Using AWS KMS for application secrets in Kubernetes
- Injecting secrets with Aqua
- Your secret’s safe with me
- How you could be leaking your secrets onto GitHub
- The problems with forcing regular password expiry
- Managing Secrets in OpenShift with CyberArk Conjur and the CyberArk Vault
- Can Kubernetes Keep a Secret? GitOps secret management on Kubernetes Platform
Tooling:
Advanced topics
- How Kubernetes certificate authorities work
- Kubernetes Application Operator Basics
- Are your servers PETS or CATTLE?
- Principles of Chaos Engineering
- gVisor in depth
- Nabla containers: a new approach to container isolation
- A step by step guide for getting started with Grafeas and Kubernetes
- Network Nano-Segmentation for Container Security in Aqua 2.0
- Using Network Policy in concert with Istio
- Multi-tenancy in Kubernetes
- SSRF in Exchange leads to ROOT access in all instances
- PIDs per Pod limit
- Lessons from the Cryptojacking Attack at Tesla
- Cryptocurrency Miners Abusing Containers: Anatomy of an (Attempted) Attack
Tooling:
- Prometheus
- Istio
- Linkerd
- Open Vulnerability and Assessment Language
- aporeto-inc/trireme-kubernetes
- jetstack/cert-manager
- Kata Containers
- google/gvisor
- SPIFFE
- Open Policy Agent
References
Official Kubernetes documentation
API and resource references relevant to security (Kubernetes v1.19) docs:
- Namespace
- Secret
- ResourceQuota
- ServiceAccount
- Role
- ClusterRole
- RoleBinding
- ClusterRoleBinding
- PodSecurityPolicy
- NetworkPolicy
Useful kubectl commands
kubectl create secret… docskubectl create serviceaccount… docskubectl create role… docskubectl create rolebinding… docskubectl auth can-i… docs
Providers
The logo uses a padlock icon by Freepik from www.flaticon.com and the Kubernetes logo kudos to the CNCF, The Linux Foundation.