5 Things That Will Improve Your Kubernetes Security Posture


Kubernetes offers a variety of security controls, but running with the default configuration exposes a wide attack surface and leaves you vulnerable to avoidable risks.

In 2020, nearly 7 out of 10 companies reported a detected misconfiguration in their Kubernetes environment, making it by far the most common type of vulnerability.

2020 State of Containers and Kubernetes Report

Hope isn’t lost if you’re using a default configuration: there are plenty of simple best-practice changes you can make to quickly and easily improve the security posture of your platform.

Here are the top five changes you can make immediately that will have the biggest impact on your overall security posture…

1. Restrict access to the Kubernetes API

The Kubernetes API enables you to query and manipulate the state of all resources within your cluster, so restricting access to it is absolutely essential and where your ‘best-practice security’ should start.

What to do:

  • Enable Role Based Access Control (RBAC) and define least privilege policies per user or service requiring access
  • Externalise authentication (authn) and authorization (authz) to an external identity provider, whilst retaining policy implementation within Kubernetes
  • Restrict access to the API endpoint and control plane Nodes
  • Disable the insecure API server port (Note: This has been disabled in Kubernetes v1.20 so it’ll only be applicable if you’re using an older version)
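As an added example (not code from the original post), a small audit that flags RBAC objects which are not least privilege: wildcard rules, escalation verbs, secret read access, and bindings that hand cluster-admin or any role to broad built-in groups. The RBAC objects are constructed dicts shaped like the items of `kubectl get clusterroles,clusterrolebindings -o json`, and the function and object names are my own.

```python
# Added example (not from the post): flag RBAC objects that are not least-privilege.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated", "system:serviceaccounts"}
SENSITIVE_VERBS = {"*", "escalate", "bind", "impersonate"}

def role_findings(role):
    """Findings for one Role/ClusterRole: wildcards, escalation verbs, secret access."""
    name = role["metadata"]["name"]
    out = []
    for rule in role.get("rules", []):
        verbs, resources = set(rule.get("verbs", [])), set(rule.get("resources", []))
        if "*" in verbs and "*" in resources:
            out.append(f"{name}: wildcard verbs on wildcard resources (cluster-admin equivalent)")
        elif verbs & SENSITIVE_VERBS:
            out.append(f"{name}: {sorted(verbs & SENSITIVE_VERBS)} on {sorted(resources)}")
        if "secrets" in resources and verbs & {"get", "list", "watch", "*"}:
            out.append(f"{name}: can read secrets")
    return out

def binding_findings(binding):
    """Findings for a (Cluster)RoleBinding: cluster-admin grants and broad built-in groups."""
    name, role = binding["metadata"]["name"], binding["roleRef"]["name"]
    out = []
    for subj in binding.get("subjects", []):
        if subj.get("kind") == "Group" and subj.get("name") in BROAD_GROUPS:
            out.append(f"{name}: grants '{role}' to broad group {subj['name']}")
        if role == "cluster-admin":
            out.append(f"{name}: grants cluster-admin to {subj.get('kind')} {subj.get('name')}")
    return out

def audit(objects):
    """Run both checks over a mixed list of RBAC objects and return all findings."""
    findings = []
    for obj in objects:
        if obj["kind"] in ("Role", "ClusterRole"):
            findings += role_findings(obj)
        elif obj["kind"] in ("RoleBinding", "ClusterRoleBinding"):
            findings += binding_findings(obj)
    return findings

# Constructed sample: an over-broad ClusterRole, a least-privilege Role, and a
# binding that hands cluster-admin to every authenticated user.
SAMPLE = [
    {"kind": "ClusterRole", "metadata": {"name": "ops-everything"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "app-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "configmaps"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "everyone-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
]
```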

2. Encrypt data at rest

‘Data at rest’ is structured or unstructured data held in storage, such as databases, rather than moving across a network. It needs to be secured differently from data in motion, which is why Data At Rest Encryption (DARE) should quickly become one of your priorities for improving your overall Kubernetes security posture.

What to do:

3. Enforce least privileged pod security standards

Within a Pod specification, the SecurityContext has a collection of fields that specify security-relevant settings for a Pod. Without enforcement at a cluster level, these settings could be modified to allow a Pod to run under a privileged context, such as running as a root user, on the host network with access to sensitive service endpoints, and able to mount in file paths on the host which may contain secret data.

By using Pod Security Standards or Admission Controllers, you can enforce the use of least privilege SecurityContext settings for all workloads running in the cluster and reject the creation of any Pods that aren’t adhering to defined policies.
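As an added example (not code from the original post), the kind of check an admission controller performs: a subset of the restricted Pod Security Standard applied to a Pod manifest dict, rejecting host namespaces, hostPath volumes, privileged containers, root users, privilege escalation, retained capabilities and missing seccomp profiles. The two sample Pods are constructed and the function names are my own.

```python
# Added example, not from the original post: a subset of the "restricted"
# Pod Security Standard applied to a Pod dict, as an admission webhook would.
HOST_NAMESPACES = ("hostNetwork", "hostPID", "hostIPC")

def violations(pod):
    """Return the reasons this Pod would be rejected; an empty list means admit."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext", {})
    reasons = [f"spec.{f} is true" for f in HOST_NAMESPACES if spec.get(f)]
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            reasons.append(f"volume {vol['name']}: hostPath {vol['hostPath'].get('path')} not allowed")
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            reasons.append(f"{c['name']}: privileged containers are not allowed")
        # A container-level value overrides the Pod-level one; absent means not set.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            reasons.append(f"{c['name']}: runAsNonRoot must be true")
        if sc.get("allowPrivilegeEscalation", True):
            reasons.append(f"{c['name']}: allowPrivilegeEscalation must be false")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            reasons.append(f"{c['name']}: must drop ALL capabilities")
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            reasons.append(f"{c['name']}: seccompProfile must be RuntimeDefault or Localhost")
    return reasons

def admit(pod):
    """(allowed, reasons), the shape an admission decision needs."""
    reasons = violations(pod)
    return (not reasons, reasons)

# Constructed samples: a Pod relying on defaults, and its least-privilege form.
UNRESTRICTED_POD = {"spec": {
    "hostNetwork": True,
    "volumes": [{"name": "rootfs", "hostPath": {"path": "/"}}],
    "containers": [{"name": "shell", "image": "busybox", "securityContext": {"privileged": True}}],
}}
RESTRICTED_POD = {"spec": {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "app", "image": "busybox", "securityContext": {
        "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}],
}}
```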

What to do:

4. Container Image Policies

By default, Kubernetes can pull container images defined in your Pod specifications from any destination, as long as it’s reachable from the Node. This introduces the risk that a user (authorised or not) could accidentally or maliciously specify an image to run from an untrusted source, which may cause direct harm to the platform and neighbouring services, resulting in data exfiltration, and increased hosting and auditing costs. 

Employing cluster-level image policy controls significantly reduces this risk and can be achieved via the use of custom admission controllers (e.g. Open Policy Agent Gatekeeper).
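As an added example (not code from the original post or from Gatekeeper), the logic such an image policy evaluates for each container of a Pod: parse the image reference, allow only approved sources, reject mutable tags (`latest` or none) and optionally require digest pinning. The allowlist entries, the sample Pod and the function names are constructed assumptions.

```python
# Added example, not from the original post: an admission-style image policy
# (source allowlist, no mutable tags, optional digest pinning) for a Pod dict.
import re

ALLOWED_SOURCES = {"registry.example.internal", "ghcr.io/my-org"}  # constructed allowlist
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

def parse_image(ref):
    """Split an image reference into (registry, repository, tag, digest)."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, _, rest = ref.partition("/")
    # The first path component is a registry only if it looks like a host.
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, repo = first, rest
    else:
        registry, repo = "docker.io", ref  # implicit Docker Hub default
    tag = None
    if ":" in repo.rsplit("/", 1)[-1]:  # ':' in the last segment is a tag, not a port
        repo, tag = repo.rsplit(":", 1)
    return registry, repo, tag, digest

def image_findings(ref, require_digest=False):
    """Policy reasons for rejecting one image reference; empty list means allowed."""
    registry, repo, tag, digest = parse_image(ref)
    full = f"{registry}/{repo}"
    reasons = []
    if registry not in ALLOWED_SOURCES and not any(full.startswith(a + "/") for a in ALLOWED_SOURCES):
        reasons.append(f"{ref}: source {registry} is not in the allowlist")
    if digest and not DIGEST_RE.match(digest):
        reasons.append(f"{ref}: malformed digest")
    if require_digest and not digest:
        reasons.append(f"{ref}: image must be pinned by digest")
    elif not digest and tag in (None, "latest"):
        reasons.append(f"{ref}: mutable tag '{tag or 'latest'}' is not allowed")
    return reasons

def pod_image_findings(pod, require_digest=False):
    """Apply the image policy to every init and regular container of a Pod."""
    spec = pod["spec"]
    out = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        out += image_findings(c["image"], require_digest)
    return out

SAMPLE_POD = {"spec": {"containers": [  # constructed: untagged Hub image, internal tag, digest
    {"name": "web", "image": "nginx"},
    {"name": "api", "image": "registry.example.internal/payments/api:2.4.1"},
    {"name": "worker", "image": "ghcr.io/my-org/worker@sha256:" + "a" * 64},
]}}
```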

What to do:

5. Implement default network policies

Kubernetes network policies control the traffic between pods and/or network endpoints. The labels you specify in a network policy’s selectors determine which pods and which traffic the rules apply to, so you know exactly what is allowed to talk to each workload in your clusters.

Without creating any initial policies, by default your workloads can be accessed by anything within the cluster and can reach out to any internal or external endpoints, increasing the risk of data leaks in the event of a breach.

What to do:

  • Create default deny-all network policies for all ingress and egress traffic in all namespaces, and override them with least privilege network policies where required for each service.
  • Protect sensitive cluster endpoints, such as the cloud metadata service endpoint and etcd, from normal workloads (e.g. via global network policies, depending on your implementation and CNI choice), and prevent this from being overridden or bypassed by users.
  • Monitor failures; denied connections can be early indications that something is trying to move laterally.
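As an added example (not code from the original post), a check for the first point above: which namespaces still lack an explicit default-deny NetworkPolicy for ingress and egress, using the real semantics of `podSelector` (empty selects all pods) and `policyTypes` (when omitted, Kubernetes assumes Ingress, plus Egress only if egress rules are present). The namespaces, policies and function names are constructed assumptions.

```python
# Added example, not from the original post: find namespaces without an explicit
# default-deny NetworkPolicy, using the policyTypes/podSelector semantics.
def policy_types(policy):
    """Effective policyTypes: if omitted, Ingress, plus Egress when egress rules exist."""
    spec = policy["spec"]
    types = spec.get("policyTypes")
    if types is None:
        types = ["Ingress"] + (["Egress"] if "egress" in spec else [])
    return set(types)

def is_default_deny(policy, direction):
    """True if the policy isolates every pod in its namespace for `direction` and allows nothing."""
    spec = policy["spec"]
    selects_all_pods = not any(spec.get("podSelector", {}).values())  # {} or {matchLabels: {}}
    allows_something = bool(spec.get(direction.lower()))  # any rule is an allow
    return selects_all_pods and direction in policy_types(policy) and not allows_something

def namespaces_missing_default_deny(namespaces, policies):
    """Map namespace -> directions ('Ingress'/'Egress') that have no default-deny policy."""
    missing = {}
    for ns in namespaces:
        in_ns = [p for p in policies if p["metadata"]["namespace"] == ns]
        gaps = [d for d in ("Ingress", "Egress") if not any(is_default_deny(p, d) for p in in_ns)]
        if gaps:
            missing[ns] = gaps
    return missing

# Constructed sample: full deny-all in 'payments', ingress-only deny in 'web' (policyTypes
# omitted), and a label-scoped policy in 'batch' that does not count as a namespace default.
NAMESPACES = ["payments", "web", "batch"]
POLICIES = [
    {"metadata": {"name": "default-deny-all", "namespace": "payments"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
    {"metadata": {"name": "default-deny", "namespace": "web"},
     "spec": {"podSelector": {}}},
    {"metadata": {"name": "worker-only", "namespace": "batch"},
     "spec": {"podSelector": {"matchLabels": {"app": "worker"}}, "policyTypes": ["Ingress"]}},
]
```

A deny-all egress policy also blocks DNS lookups from the namespace, so pair it with an explicit allow rule to the cluster DNS service before rolling it out.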

Do you know where you’re at risk?

The above recommendations are solid strategies to make your clusters more secure but, depending on the number of clusters involved, there’s potentially a mountain of work ahead of you. 

We’ve developed a free 1-day assessment of your Kubernetes clusters to help you determine the relative robustness of your Kubernetes implementation. 

After a single-day audit of your clusters carried out by one of our expert architects, you’ll receive a PDF of the results along with actionable insights on how to harden your security posture.

About Appvia

Appvia enables businesses to solve complex cloud challenges with products and services that make Kubernetes secure, cost-effective and scalable.

Our founders have worked with Kubernetes in highly regulated, highly secure environments since 2016, contributing heavily to innovative projects such as Kops and fully utilizing Kubernetes ahead of the curve. We’ve mastered Kubernetes, and experienced its complexities, so our customers don’t have to. 

Kashif Saadat
SRE LEAD
Throughout my career I’ve moved across a few roles covering customer support, test automation, software development and platform engineering. In my spare time I chase around my fearless baby as she climbs up walls, kitchen cabinets, furniture and windows trying to give me a heart attack.

