Kubernetes and containers have become the go-to technologies for deploying and scaling applications. However, their newness and the exposure of port services to the internet increase the risk of security breaches. Attackers can easily target sensitive data and privileged system accounts. This article presents ten practical measures to ensure the security of Kubernetes and containers.

Utilize predefined environments:

Using predefined environments is an effective way to enhance the security of Kubernetes and containers. Instead of setting up a new environment for each application, predefined environments limit resources and privileges, reducing the likelihood of skipping security audits. To create predefined environments, add a file to the Kubernetes cluster’s root directory and create environments, such as production and staging, with specific resources and privileges. Cloud-managed Kubernetes clusters offer an easy way to provision resources with minimal administration.

Ensure auditing is enabled:

Enabling auditing is a simple and effective way to identify security breaches in your Kubernetes cluster. However, despite the high number of cyber-attacks, only 25 percent of organizations enable auditing, according to a study by Varonis. By not enabling auditing, organizations miss out on valuable information and make it harder to detect and fix sensitive data breaches. To enable auditing, create a new file in the root directory of your cluster and establish a service account and role for audit logs.

When trying to enable auditing on your clusters, a few key factors to keep in mind are:

1. What auditing procedures do you follow? What events are you logging?
2. Where do you store the events that you log? (Nearby or away from the cluster?)
3. Is it possible to send your log event using an HTTP API rather than local storage?

Implement Network Isolation:

Kubernetes has built-in network security, but container ports are exposed directly to the internet by default, making them vulnerable to cyber-attacks. To safeguard containers, network isolation is essential. This creates a virtual network that allows container communication while keeping them secure. Network isolation can be established via the Kubernetes Dashboard or the command line, with minimal configuration needed. Virtual networks are especially helpful for multiple tenants on the same Kubernetes cluster.

Make sure Kubernetes and containers are up to date:

Keeping systems up to date is crucial for all applications, including Kubernetes and containers. These technologies are critical components of applications, making it even more important to maintain them properly. A Continuous Integration and Continuous Deployment (CI/CD) pipeline can ensure Kubernetes and containers are up to date by automatically checking and updating their versions. To set up a CI/CD pipeline, create a new file in the root directory of the Kubernetes cluster and define an update strategy for the build and deployment process.

Kubectl commands and known bad containers should be blocked:

Attackers have begun targeting Kubernetes and containers directly, as the Kubernetes API enables them to perform functions like deleting containers and nodes. While blocking known bad IP addresses and domains is helpful, defining authorization and admission policies for your Kubernetes cluster is crucial to prevent malicious container activity. These policies can be established to block unauthorized access and ensure secure container deployment.

Three operations may be used to segment access to the Kubernetes API:

1. User account credentials for authentication
2. Authorization (RBAC guidelines and user-requested operations)
3. Admission Control (computer programmes that function as intermediaries for object operations)

Role-Based Access Control (RBAC) should be used:

Role-Based Access Control (RBAC) is an effective way to ensure Kubernetes and container security. By using the Kubernetes API, RBAC can restrict access to sensitive resources and functions. Establishing a cluster-level policy for all users and containers can limit access to functions like deleting pods or nodes, enhancing overall security.

Make sure your container registry is trustworthy:

While Kubernetes and containers offer the convenience of pushing container images to public or private registries, not all registries are secure. To mitigate this risk, it’s crucial to install a trustworthy container registry. For private registries, you can install a Container Registry on your Kubernetes cluster and use it to push and pull images. Alternatively, for public registries, you can upload images to third-party services like Google Container Registry or Amazon ECR. To add an extra layer of security, enabling vulnerability scanning for your registry can help you identify any potential risks or vulnerabilities associated with public images.

Communicate with containers using authenticated channels:

Securing your container communication is essential to prevent attackers from exploiting unauthenticated Docker or Kubernetes APIs. To achieve this, use authenticated channels for all container communication. Kubernetes API allows you to create a new inbound network rule, which should be specific to a container in your cluster. Installing a network policy provider will enable granular access for both “north/south” and “east/west” network traffic. By creating ingress and egress paths for each pod, namespace, port, and other objects, the policy provider can enforce access or deny rules to improve your container security.

Ensure that your data is encrypted when it is at rest:

Encrypting sensitive data both in transit and at rest is crucial for securing your Kubernetes and containerized applications. While encrypting communications over the internet is important, encrypting data at rest provides an additional layer of security. You can achieve this by encrypting the file system where your data is stored or by using a database encryption tool. Setting up encryption for your file system involves creating an encryption policy for your Kubernetes cluster, which you can use to create a new volume with a specified encryption type. To encrypt your database, you can connect it to your Kubernetes cluster by creating a new database service and schema. This helps ensure that your data remains secure, even if your containerized application is compromised.

Rotate your API keys and Kube configurations:

Although RBAC can help restrict access to sensitive functions and resources, attackers may still be able to bypass these restrictions by stealing or misusing API keys. Consequently, in order to prevent unauthorized access, API keys should be rotated regularly. One way to achieve this is by periodically rotating the Kubelet API keys of your Kubernetes cluster through a corn job. Additionally, enabling the bootstrapping of TLS keys ensures that nodes and services utilize trusted keys that were generated prior to connecting to the Kubelet. TLS certificate rotation is automatically enabled for Kubernetes versions 1.8.0 and higher. By regularly rotating your API keys and utilizing trusted TLS keys, you can further strengthen the security of your Kubernetes cluster.

Conclusion:

Kubernetes and containers provide a great platform for deploying and managing applications in production. However, they can also leave your sensitive data and functionality exposed to the internet, which makes it easy for attackers to steal privileged accounts and target sensitive information. To address these issues, container security frameworks provide specific controls that you can implement to ensure the security of your Kubernetes cluster. These frameworks outline best practices for securing containerized environments and provide guidance on implementing security measures such as network isolation, RBAC, encrypted communications, and regular API key rotation. By following these frameworks, you can ensure that your Kubernetes cluster is well-protected and secure against potential cyber-attacks.

Sysdig is a leading security platform that offers specialized security solutions for containers, Kubernetes, and host systems. The platform is built on open-source technology and follows a Software-as-a-Service (SaaS) model. One of Sysdig’s key strengths is its ability to seamlessly integrate with existing DevOps tools and workflows, making it a perfect solution for organizations that value both security and efficiency in their development processes.

Palo Alto Networks is a leading security platform that offers specialized security solutions for Kubernetes and a worldwide leader in cybersecurity, remains committed to delivering innovative solutions that facilitate secure digital transformation, even as the speed of technological advancements continues to accelerate.