5 practical tips to lock up your Kubernetes security
September 8, 2022
Kubernetes is quickly becoming the leading container orchestration and management technology. And as with all shiny new things, it’s attracting a lot of attention — especially from attackers. In fact, 94% of respondents admitted to experiencing a security incident in their K8s environment in the last 12 months, according to the State of Kubernetes Security Report.
So what can you do to shore up your Kubernetes environment?
Remember, it’s okay to start with baby steps: the cloud wasn’t built in a day. But you do want to start somewhere.
Here are some actions you can take to reduce the risk of an external or internal cyber threat from compromising your containers. We’ll also throw in some suggestions on how continuous monitoring can help you comply with what feels like a mounting list of regulations and frameworks.
- Start simple by fixing IaC at check-in
You know that Infrastructure as Code (IaC) helps you accelerate and simplify cloud deployments. You also know that if it goes wrong, it can go horribly wrong. By monitoring IaC at check-in, you can identify and remediate issues at the source, before they get replicated widely.
Our advice, then, is pretty much a no-brainer. Use IaC scanning to inspect code as it is committed to Git-based source code repositories, scan the code for misconfigurations or insecurities, and quickly provide violation details within Git.
Boom — you’ve just greatly reduced your risk of a downstream breach or exposure from an accidental mistake.
- Check container configuration at build time
“Check it at build time” may sound simple, but it can quickly become daunting at a large scale. Need to manually check hundreds — or even thousands — of containers within multiple cloud environments? If so, it’s time to embrace automation.
Performing automated security checks within your CI/CD pipeline is critical to keeping your production environment pristine. Before checking your containers into registries, conduct integrated scans to keep your base operating systems, packages, and libraries free from any misconfigurations or vulnerabilities.
If you want to earn some bonus points, use the K8s Admission Controller as a final check before container deployment. This tool takes your security one step further, enabling you to evaluate requests after the K8s API server has already authenticated and authorized them.
- Try out roles-based access (RBAC) control
Kubernetes offers an extensive, built-in RBAC framework that lets you control access and permissions for the Kubernetes API. This can help you do things like limit users and groups to just the actions and tasks they need. Follow the principle of least privilege to ensure that users, applications, and Kubernetes service accounts have the minimal set of privileges required.
It’s best to avoid default service accounts and clusterwide permissions whenever possible. For instance, limit Kubernetes API access to an RBAC Role or ClusterRole, and use multi-factor authentication (MFA) to enhance the security of authenticating to the Kubernetes API. And last but not least, keep your RBAC policies current to prevent over-permissioned or expired users from accessing your cloud.
- Monitor. Monitor. Monitor. Did we say monitor?
The often-fleeting nature of containers makes it incredibly difficult to know what’s happening in the cloud. You need to collect data to catch all the events across all the layers: K8s, containers, and workloads. Without continuous collection, visibility can get, well, cloudy!
But visibility is critical, because Kubernetes does not offer any out-of-the-box tools that map network connections or detect network-based threats — at least, not yet!
Look for a solution that will provide deep visibility and context, and that shows connections coming from the nodes and workloads. Understanding what normal network traffic looks like can then enable a runtime monitoring solution to detect abnormal traffic and events, such as operational issues that lead to an increase of errors in east-west traffic or too many calls to an external API blocked by the provider.
And you need to monitor (did we say monitor?) ingress endpoints, too. One of the top concerns for many DevOps teams is accidentally exposing an internal service to the internet. It’s easy to add an external load balancer or ingress in Kubernetes and accidentally expose a service that lacks the proper authentication and authorization required for endpoints.
- Automate threat detection
Let’s face it: when it comes to finding unknown or advanced threats across your Kubernetes environment, the best “best practice” is to use automated, machine-based threat detection. Anomaly detection can identify deviations from your baseline, uncovering any activity that is abnormal. By reducing the burden on your security team, it also frees them up to focus on the risks that pose the greatest threat to your business.
If you’re looking for 5 more tips to help you shore up your K8s security and compliance posture, check out our 10 security best practices for Kubernetes ebook. Inside, you’ll find practical tips to help you reduce costs, consolidate technology, and ensure accurate threat detection for your Kubernetes environment.
Cheers to taking baby steps — consider yourself prepared to speed up your development process and start shifting security left.