As with all things security-related, “fingers crossed!” isn’t exactly a confident posture. Kubernetes offers a lot of powerful security-oriented features, and the community has shown a strong commitment toward the security of the project. But it’s always best to be proactive, especially if you or your teams are still relatively new to containers and orchestration.
The fundamentals of security hygiene still largely apply, as we noted in our recent article, Kubernetes security: 5 mistakes to avoid. There’s also some new learning to be done to ensure you’re proactively managing the risks inherent in any new system, especially once it’s running in production.
[ Want to help others understand Kubernetes? Check out our related articles, How to explain Kubernetes in plain English and How to explain Kubernetes Operators in plain English. ]
Earlier this year, we shared four important tips for managing the security of your Kubernetes environment. We went back to the experts to ask for more, and they obliged. So let’s expand our strategies with four more tips for proactively managing the security of your Kubernetes implementation.
1. Know what you don’t know
When we dug into some of the common mistakes teams make in the early phases of their Kubernetes deployments, one big one came up repeatedly: People plow into production – often under unrealistic deadline pressure from above – without really testing or understanding the security implications.
“To improve Kubernetes security, seek out expertise,” says Matt Wilson, chief information security advisor at BTB Security. “Plenty of great information is already available from the usual sources, such as CIS Benchmarks, and also directly from Kubernetes. Download them, read them, apply what you can. Then, before you put production applications or data up there, conduct some security testing to validate you’ve done enough.”
We’ll throw a couple of other items for your Kubernetes syllabus:
In terms of knowing what you don’t know – a healthy starting point for any learning curve – the CIS Benchmark for Kubernetesis a good starting point. The open source tool kube-bench, developed by Aqua Security, will check your deployment against the 100+ checks in the CIS Benchmark for Kubernetes.
2. Optimize native Kubernetes controls
Another one of the initial mistakes some teams make is to assume that just because Kubernetes has powerful security controls, those features are optimized out of the gate. They’re not. So ensure you’re adequately tuning those features for your particular organization and its risks.
“Upgrade to the latest version of Kubernetes as frequently as possible [or] practical, [and] enable native controls and learn the optimum settings to make them as powerful and effective as possible,” says Wei Lien Dang, VP of product at StackRox.
Ensuring your software current is an ageless best practice. As for optimizing native features, Dang offers a few examples:
- Configure network policies to segment deployments and restrict allowed ingress and egress traffic.
- Create separate namespaces across deployments for isolation.
- Avoid granting cluster-wide permissions and enable certain powerful permissions only for trusted users to avoid issues, such as a recently disclosed DoS vulnerability.
Some organizations may want to consider augmenting native controls with standalone security tools, particularly if they have a compliance requirement such as PCI. Commercial platforms can also be helpful in this regard.