Thank you for being here. If you’ve found your way over by some miracle but are not yet subscribed, please subscribe.
Links
Kubernetes Security Ultimate Checklist: Cloud Native Security Basics Part VI
This blog post provides a good overview checklist of security best practices for Kubernetes. It covers many topics: authentication, authorization, networking, secrets management, and auditing.
The Emergent Cloud Security Toolchain for CI/CD
I recently found this talk by James Wickett again in some notes. Although it is from 2018, most of it holds up very well. The principle of making security part of your toolchain in every step still hasn’t seen the wide adoption I was hoping for.
The Difference Between SCA and Supply Chain Security
Software Composition Analysis (SCA) identifies and assesses the security risks of third-party components used in software. Supply Chain Security (SCS) is a broader concept encompassing all aspects of securing the software supply chain, from development to deployment. A great article by the fantastic Tanya Janca.
Personal Privacy & Security for CISOs
This one is a bit out of the usual kind of links I share. However I felt important to put the spotlight on personal security. This is not only relevant for CISOs, but also for anyone working online.
How to Secure K8s without a cruft of tools?
Authentication and Authorization
In the world of Kubernetes, authentication and authorization form the cornerstone of security. Authentication verifies the identities of users and components, while authorization determines their level of access.
Authentication Mechanisms
Exploring authentication mechanisms such as client certificates and service accounts is vital. These mechanisms establish trust and ensure only authorized entities interact with your cluster.
Role-Based Access Control (RBAC)
RBAC allows you to define fine-grained access policies. Learn how to assign roles and permissions to users and services, mitigating the risk of unauthorized actions.
Network Policies
Kubernetes network policies offer a powerful way to control traffic flow between pods and nodes. By implementing proper network policies, you can curtail unnecessary communication and enhance the security of your clusters.
Image Security
Securing container images is non-negotiable. Learn why using trusted, signed images is essential and how image scanning tools can help you identify vulnerabilities before deployment.
Best Practices for Kubernetes Security
Secure Cluster Setup
A solid security foundation begins with a secure cluster setup. We'll guide you through configuring your Kubernetes securely to prevent initial vulnerabilities. Making the control pane private is a very important first step. Kubernetes APIs and etcd should never be publicly exposed to the internet. They should be in a private network only accessible using a VPN.
Node Security
Your worker nodes are the heart of your cluster. Ensure regular updates to minimize attack surfaces and leverage tools like kube-bench. The nodes should not be directly exposed to the internet, each application is made available through a load balancer to hide the IP addresses of the nodes. Ideally, all traffic is encrypted using TLS/HTTPS.
Use minimal operating systems. It is even better if the file system is read-only as much as possible to reduce potential malware installed. Implement Node Hardening and further reduce any attack surface. This is extra important when managing and operating your kubernetes worker nodes. Regularly update the operation systems and rotate old nodes.
Pod Security
Each pod has its own security context. Use security policies to ensure containers run with the right permissions and restrictions.
Avoid running as a root user or any other highly privileged user. Ensure any secrets used by the pods are limited in scope and impact. Avoid hardcoding sensitive information like passwords and API tokens directly in your pod configurations. Instead, use Kubernetes Secrets to store and manage such information securely.
Configure your pods to use read-only filesystems whenever possible. This prevents potential attackers from modifying container files, which can help mitigate certain security breaches. Resource limits and requests can prevent resource exhaustion and abuse. Define appropriate resource limits for your containers to avoid consuming excessive CPU, memory, or other resources.
Network policies control communication between pods and are instrumental in segmenting your application. By allowing only necessary communication and denying the rest, you reduce the attack surface and limit the lateral movement of threats. Configure your pods to use read-only filesystems whenever possible. This prevents potential attackers from modifying container files, which can help mitigate certain security breaches.
Secure Communication
Encrypted communication is crucial outside and within your cluster. Using TLS for communication between your services, nodes, and external partners is as important as ensuring secure communication from the outside in. Most Cloud Service Providers offer certificate services that can be used with kubernetes. Another free option is using Let's Encrypt with Certmanager.
Not only your workloads and users should be using secure communication. Also, your interactions with your cluster control pane must be secured anytime. Try to aim for 100% encryption in transit.
Monitoring and Auditing
Monitoring can be its own pandora’s box. Choose a system that works for you, can store data longer than 30 days, and has the ability to generate alerts based on logs. Define some key metrics that are the baseline. Then, define alerts that are outside of regular operations. For security monitoring, we are interested in error rates and abnormalities. Part of your monitoring should include logging. Building metrics based on logs gives you correlation superpowers.
Audit logging must be enabled for any Kubernetes System; most Cloud Providers have it tied up with their own in-house built logging solution. This is sometimes extra to your current logging stack and can be an issue. Your applications should also have audit logs, that clearly document who is doing what and where. All of these audit logs must be stored securely and tamperproof away from the rest of the systems.
Need help? Let’s talk: andy@occamslabs.com.
Thank you
Thank you for reading along. If you have feedback or questions, message me andy@occamslabs.com. I would appreciate it if you shared it with people that can benefit from the newsletter.