5 Best Practices for Kubernetes Security

Kubernetes has become a de facto standard container orchestration tool. Many companies decided to use managed Kubernetes because it’s very easy to set up and requires less maintenance work than other platforms. But, the fact that a cloud provider manages Kubernetes for you doesn’t mean it’s automatically very secure. It’s not that your cloud provider doesn’t do a good job. Rather, it’s because Kubernetes security depends quite heavily on runtime configuration and how you built and run your containers. In this post, you’ll learn about the most important and easiest security improvements you can make yourself.

Do Not Run Containers As Root

The first and arguably the most important tip is: do not run containers as root. You may have all the security tools in the world, but if you run containers as root, you make your cluster incredibly easy to exploit. The root user in the container maps directly to the root user on the underlying host. It doesn’t mean that you can just run any command on the host as root. Kubernetes has a built-in mechanism preventing that. But from time to time, we hear about vulnerabilities allowed to escape from the container. Of course, an attacker would have to first get access to that container. But that’s the case with almost all attack vectors.

Use Container Image and Runtime Scanners

These tools are extremely handy in a Kubernetes ecosystem. Microservices usually employ dozens of different containers built from various images. If an image scanner detects a zero-day vulnerability for a library that houses one of your images, the scanner will quickly notify you. A runtime security tool, on the other hand, will notify you as soon as suspicious action is taken within the container. Executing a shell command or running cURL? You’ll get an alert.

Do Not Allow SSH Access to K8s Nodes

SSH access to Kubernetes nodes can be useful. It allows you to quickly log in and check for issues, restart a container, or check logs. However, SSH access to Kubernetes is a huge security risk. If you build your monitoring system well, you shouldn’t need to SSH to the nodes at all. If you use managed Kubernetes from a cloud provider, SSH access might be disabled by default — and you should keep it that way.

Restrict Network Access

You can’t make your application 100% bulletproof. There will always be a chance that an attacker will be able to execute a command from your container. You can, however, significantly limit what the hacker could do by implementing network security policies. The idea is to block all unnecessary traffic to your containers. For example, a simple, unessential “side microservice” shouldn’t be able to access your database or payment API containers. Front-end containers shouldn’t be able to access the database either. Hackers usually find weak spots in your infrastructure, right? The API and other core components of your applications are usually the hardest to hack (because you spend most of your developments efforts on them). The other, less important microservices, however, are usually easier to get into. Without network restrictions on these microservices, an attacker can more likely access the database. And that’s exactly what network policies help you avoid.

Keep Your Kubernetes Updated

It may sound obvious that keeping Kubernetes updated is a good security practice. Unfortunately, many companies still stick to older versions of the system. Some companies are afraid of upgrading, while others put it off until the very last moment. It may not seem like a big deal, but delaying updates leaves your software at risk: only the last three major versions of Kubernetes receive patches for newly discovered vulnerabilities. If you want to keep yourself safe but at the same time you don’t like the idea of running the latest version, you can keep your Kubernetes one or two versions behind.

Summary

As you can see, implementing simple security improvements for Kubernetes is easy. You can sleep better after executing the above tips. However, if you want to go further than basics, there’s a bit more work to do. A lot depends on how your cluster was built. Whether you or a cloud provider manages your cluster will determine what security measures you can take. Therefore, advanced security requires a deeper understanding of Kubernetes internals. A great way to gain that knowledge is to attend this Advanced Kubernetes Boot Camp. An experienced technologist will cover the most important topics with theory and practice. You’ll get a deep understanding of Kubernetes Core components, networking, and running applications. Finally, you’ll also learn more about securing Kubernetes. It’s a great way to improve your skills and learn how to keep your system running well. Sign up today!

An Alten Company, Cprime is a global consulting firm helping transforming businesses get in sync.