Use network security policies to restrict cluster level access
✨ Network Policies, Declare Network Policy
➡️ Notes:
- NetworkPolicies allow you to prevent or restrict network communication to and from Pods
- They are "an application-centric construct which allow you to specify how a pod is allowed to communicate with various network entities over the network"
- They "do not conflict; they are additive"
- They are stateful, so the replies to outbound requests still reach the application
💡 Tips:
- Visualise a given policy YAML with online tools such as Isovalent: Network Policy Editor or Tufin: Kubernetes Network Policies Viewer
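The notes above (deny by default, policies are additive, replies come back because policies are stateful) as a worked manifest set. This is an added example, not code from the page or the Kubernetes docs: the namespace "demo", the labels app=frontend and app=backend, port 8080, and the kube-dns pod label k8s-app=kube-dns are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the page: render a namespace-wide default deny and
# the two additive policies that re-open one path through it. Namespace "demo",
# labels app=frontend/app=backend and port 8080 are constructed placeholders.

# Empty podSelector = every pod in the namespace; both policyTypes listed with
# no rules = all ingress and egress denied.
render_default_deny() {  # render_default_deny NAMESPACE
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: $1
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
EOF
}

# Policies are additive: these two open exactly one path on top of the deny.
# Ingress is granted on the server side (TO) and egress on the client side
# (FROM); replies need no extra rule because policies are stateful. Egress to
# kube-dns is opened too, otherwise FROM cannot even resolve TO's service name
# (the kube-system namespace label and the k8s-app=kube-dns label are assumed).
render_allow_path() {  # render_allow_path NAMESPACE FROM TO PORT
  ns=$1 from=$2 to=$3 port=$4
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-$from-to-$to
  namespace: $ns
spec:
  podSelector:
    matchLabels:
      app: $to
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: $from
    ports:
    - protocol: TCP
      port: $port
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-$from-egress
  namespace: $ns
spec:
  podSelector:
    matchLabels:
      app: $from
  policyTypes:
  - Egress
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: $to
    ports:
    - protocol: TCP
      port: $port
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
EOF
}

# Count NetworkPolicy documents in a rendered stream (quick sanity check).
policy_count() { grep -c '^kind: NetworkPolicy' ; }

# Usage against a real cluster:
#   render_default_deny demo | kubectl apply -f -
#   render_allow_path demo frontend backend 8080 | kubectl apply -f -
# Then check with: kubectl -n demo describe networkpolicy
```

The DNS rule is the part people forget: once egress is denied by default, the frontend pod cannot resolve the backend Service name, so the allow rule for port 8080 alone looks broken. Paste the rendered YAML into one of the viewers listed in the tips to see the three policies combined.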
⚙️ Practice
📖 Read more:
- Anthos security blueprint: Restricting traffic
- Ahmet Alp Balkan: Kubernetes Network Policy Recipes
- Calico: Get started with Kubernetes network policy
- Security People: An Introduction to Kubernetes Network Policies
Use CIS benchmark to review the security configuration of Kubernetes components (etcd, kubelet, kubedns, kubeapi)
➡️ Notes:
- The Center for Internet Security (CIS) Kubernetes Benchmark is the product of a community consensus process and consists of secure configuration guidelines developed for Kubernetes
🔗 kube-bench
💡 Tips:
- Use kube-bench logs to view the CIS benchmark output
- The CIS benchmark output includes remediation steps one can follow to fix the issues that have been reported
- kubeadm clusters use a kubelet configuration file located at /var/lib/kubelet/config.yaml (can be seen from /etc/systemd/system/kubelet.service.d/10-kubeadm.conf)
- In a kubeadm cluster, control plane components run as static pods whose definitions are in the /etc/kubernetes/manifests folder
⚙️ Practice
📖 Read more:
- Aqua: Kubernetes CIS Benchmark Best Practices
- DevSec Hardening Framework: CIS Kubernetes Benchmark - InSpec Profile
- GKE: CIS Benchmarks
- Microsoft Compliance: CIS Benchmarks
Properly set up Ingress objects with security control
✨ Ingress > TLS, Generate Certificates Manually > openssl
💡 Tips:
- TLS termination can be implemented using an Ingress
- TLS certificates are stored as Secrets, which are referenced from the Ingress using spec.tls[].secretName
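The two tips above as a worked example: the certificate becomes a TLS Secret, and the Ingress references it through spec.tls[].secretName. This is added code, not from the page or the ingress-nginx project; the namespace "demo", host "app.example.test", secret "app-tls", service "app" on port 8080, the ingress class "nginx" and the ssl-redirect annotation are assumptions.

```shell
#!/bin/sh
# Added example, not from the page: a self-signed certificate, the TLS Secret
# built from it, and an Ingress that terminates TLS with that Secret.
# Host "app.example.test", secret "app-tls", service "app:8080" and the
# ingress class "nginx" are constructed placeholders.

# Step 1 (commented out; needs openssl and a cluster, see the linked docs):
#   openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
#     -keyout tls.key -out tls.crt -subj "/CN=app.example.test"
#   kubectl -n demo create secret tls app-tls --key tls.key --cert tls.crt
# The Secret is of type kubernetes.io/tls and holds tls.crt and tls.key.

# Step 2: render the Ingress. spec.tls[].secretName points at the Secret;
# spec.tls[].hosts and spec.rules[].host must name the same FQDN or the
# controller serves its default certificate for that host instead.
render_tls_ingress() {  # render_tls_ingress NAMESPACE HOST SECRET SERVICE PORT
  ns=$1 host=$2 secret=$3 svc=$4 port=$5
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: $svc-tls
  namespace: $ns
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - $host
    secretName: $secret
  rules:
  - host: $host
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: $svc
            port:
              number: $port
EOF
}

# Sanity check on a rendered manifest: every host under rules must also appear
# under tls.hosts, otherwise that host is served without the certificate.
ingress_tls_covers_rules() {  # ingress_tls_covers_rules FILE -> 0 if covered
  awk '
    /^  tls:/   { sec = "tls" }
    /^  rules:/ { sec = "rules" }
    sec == "tls"   && /^    - /      { tls[$2] = 1 }
    sec == "rules" && /^  - host:/   { if (!($3 in tls)) bad++ }
    END { exit bad ? 1 : 0 }' "$1"
}

# Usage: render_tls_ingress demo app.example.test app-tls app 8080 | kubectl apply -f -
# Check afterwards: kubectl -n demo get ingress app-tls
#   and: openssl s_client -connect <ingress-ip>:443 -servername app.example.test
```

The check function catches the usual mistake of a rules host that is missing from tls.hosts, which silently falls back to the controller's default certificate.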
⚙️ Practice
📖 Read more:
- Ingress Controllers
- Set up Ingress on Minikube with the NGINX Ingress Controller
- Ingress-Nginx Controller: Installation Guide, TLS/HTTPS
Protect node metadata and endpoints
✨ Restricting cloud metadata API access, Kubelet authentication/authorization, Set Kubelet Parameters Via A Configuration File
⚙️ Practice
📖 Read more:
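This one example serves both the CIS benchmark section (the kubelet tips about /var/lib/kubelet/config.yaml) and the kubelet authentication/authorization docs linked here: it reads the settings the CIS kubelet checks look at out of a kubeadm-style kubelet config file. It is added code, not from the page, kube-bench or Kubernetes; the two config files are constructed samples, and the small awk reader assumes plain two-space YAML nesting as kubeadm writes it.

```shell
#!/bin/sh
# Added example, not from the page: the kubelet settings that the CIS kubelet
# checks (and the "Kubelet authentication/authorization" doc) care about, read
# out of /var/lib/kubelet/config.yaml style files with a small awk reader.
# Both config files below are constructed samples written to a temp dir.

dir=$(mktemp -d)
WEAK_CFG=$dir/weak.yaml; HARD_CFG=$dir/hardened.yaml

cat > "$WEAK_CFG" <<'EOF'
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: true
  webhook:
    enabled: false
authorization:
  mode: AlwaysAllow
readOnlyPort: 10255
EOF

cat > "$HARD_CFG" <<'EOF'
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: false
  webhook:
    enabled: true
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.crt
authorization:
  mode: Webhook
readOnlyPort: 0
EOF

# Read a dotted key (e.g. authentication.anonymous.enabled) from a YAML file
# that uses plain two-space nesting, which is what kubeadm writes. Prints the
# value, or nothing if the key is absent.
yaml_get() {  # yaml_get FILE DOTTED.KEY
  awk -v want="$2" '
    /^[[:space:]]*(#|$)/ { next }
    {
      line = $0; sub(/^ */, "", line)
      depth = (length($0) - length(line)) / 2
      key = line; sub(/:.*/, "", key)
      val = line; sub(/^[^:]*:[ ]*/, "", val)
      path[depth] = key
      cur = path[0]
      for (i = 1; i <= depth; i++) cur = cur "." path[i]
      if (cur == want && val != "") { print val; exit }
    }' "$1"
}

# One line per failed check; empty output means the file passes.
kubelet_findings() {  # kubelet_findings FILE
  f=$1
  [ "$(yaml_get "$f" authentication.anonymous.enabled)" = "false" ] ||
    echo "anonymous auth must be disabled (authentication.anonymous.enabled: false)"
  [ "$(yaml_get "$f" authentication.webhook.enabled)" = "true" ] ||
    echo "webhook auth must be enabled (authentication.webhook.enabled: true)"
  [ -n "$(yaml_get "$f" authentication.x509.clientCAFile)" ] ||
    echo "client CA must be set (authentication.x509.clientCAFile)"
  [ "$(yaml_get "$f" authorization.mode)" = "Webhook" ] ||
    echo "authorization.mode must be Webhook, not AlwaysAllow"
  ro=$(yaml_get "$f" readOnlyPort)
  [ -z "$ro" ] || [ "$ro" = "0" ] ||
    echo "unauthenticated read-only port must be off (readOnlyPort: 0)"
}

# On a node: kubelet_findings /var/lib/kubelet/config.yaml
# (the path comes from /etc/systemd/system/kubelet.service.d/10-kubeadm.conf)
echo "weak config:";     kubelet_findings "$WEAK_CFG"
echo "hardened config:"; kubelet_findings "$HARD_CFG"
```

kube-bench reports the same settings with their CIS numbers and remediation text; this script is only the manual version of that check, useful when you want to confirm a remediation took effect after editing the file and restarting the kubelet.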
- Kubelet API, by Deep Network
- Setting up secure endpoints in Kubernetes
- GKE Protecting cluster metadata
- Retrieving EC2 instance metadata
- EC2 Instance user data
Minimize use of, and access to, GUI elements
✨ Deploy and Access the Kubernetes Dashboard
📖 Read more:
Verify platform binaries before deploying
✨ Install and Set Up kubectl on Linux
💡 Tips:
- Perform MD5 checks on binaries against official releases.
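The check above as a runnable script. It is added code, not from the page or the kubectl install docs; it follows the pattern the linked install page uses (a published .sha256 file next to the binary), and the "binary" and digest file here are constructed stand-ins so it runs offline.

```shell
#!/bin/sh
# Added example, not from the page: verify a downloaded binary against its
# published digest before installing it, the way the linked kubectl install
# page does with the release's .sha256 file. The "binary" and digest file
# below are constructed stand-ins written to a temp dir.

# Hex SHA-256 digest of a file; falls back to shasum where coreutils is absent.
sha256_of() {  # sha256_of FILE
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print $1 }'
  else
    shasum -a 256 "$1" | awk '{ print $1 }'
  fi
}

# 0 if FILE's digest equals the one in SUMFILE (digest only, as dl.k8s.io
# publishes it), 1 otherwise. Equivalent to the docs' one-liner:
#   echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check
verify_checksum() {  # verify_checksum FILE SUMFILE
  expected=$(tr -d ' \n' < "$2")
  actual=$(sha256_of "$1")
  [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Constructed stand-ins: a fake binary, its correct digest, and a tampered copy.
dir=$(mktemp -d)
GOOD_BIN=$dir/kubectl
BAD_BIN=$dir/kubectl.tampered
SUMFILE=$dir/kubectl.sha256
printf 'ELF-placeholder-bytes\n' > "$GOOD_BIN"
sha256_of "$GOOD_BIN" > "$SUMFILE"
printf 'ELF-placeholder-bytes-modified\n' > "$BAD_BIN"

# For a real download, replace the two printf lines with the commands from the
# install page (binary and digest fetched separately from dl.k8s.io):
#   curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
#   curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl.sha256"
# and install only after the check passes:
#   sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl

if verify_checksum "$GOOD_BIN" "$SUMFILE"; then echo "kubectl: checksum OK"; fi
if ! verify_checksum "$BAD_BIN" "$SUMFILE"; then echo "kubectl.tampered: checksum MISMATCH, do not install"; fi
```

Fetch the digest from the release server, never from the same untrusted mirror as the binary, and compare the full hex string; a digest file that is empty or truncated must fail the check, which is why the function refuses an empty expected value.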
⚙️ Practice
📖 Read more:
🧵 Next: Cluster hardening