5. Details of kubernetes in CVE
• https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=kubernetes
6. Why Kubernetes makes security difficult
• Traffic is everywhere. Containers can be dynamically deployed across hosts or even clouds.
• Increased attack surface. Each container can have a different attack surface and its own vulnerabilities that can be exploited.
• Old security tools. Old security models and tools will not be able to keep up in a constantly changing container environment.
7. Infrastructure Layer
• Turn on audit log
• Never expose a port that does not need to be exposed
• Host the cluster in a private subnet or VPC if possible
• Limit SSH to Kubernetes nodes; use kubectl instead wherever possible
• Limit the access to kube-api
8. K8s Control Plane Layer
• Enable RBAC; at a minimum, set --anonymous-auth=false on the API server
• Enable TLS for connections between components
• Encrypting Secret Data at Rest
• Turn on K8s audit logging
• Reserve Compute Resources for System Daemons
• Admission Controllers
9. Admission Controllers
• Enabled by setting a flag on the Kubernetes API server
• Admission controllers may be “validating”, “mutating”, or both
• The validating-webhook admission controller calls any validating webhooks that match the request; matching webhooks are called in parallel
• Use caution with mutating webhooks
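The validating/mutating distinction above is easiest to see in the request and response bodies the API server exchanges with a webhook. The following is an added example, not code from the original slides: it implements the AdmissionReview v1 contract for one validating webhook (denies Pods with privileged containers) and one mutating webhook (forces runAsNonRoot via a JSON Patch). The HTTPS server, TLS certificates and the WebhookConfiguration objects that register the webhooks are omitted; the sample AdmissionReview request, the uid and the image names are constructed for the example.

```python
"""Validating and mutating admission webhook logic (AdmissionReview v1).

Added example, not from the original slides. The functions take the decoded
AdmissionReview JSON body that the API server POSTs to a webhook and return
the JSON body the API server expects back.
"""
import base64
import json

API_VERSION = "admission.k8s.io/v1"


def _pod_containers(pod):
    """All containers of a Pod spec, init containers included."""
    spec = pod.get("spec", {})
    return spec.get("initContainers", []) + spec.get("containers", [])


def validate(review):
    """Validating webhook: deny Pods that request privileged containers."""
    request = review["request"]
    pod = request["object"]
    offenders = [
        c["name"] for c in _pod_containers(pod)
        if (c.get("securityContext") or {}).get("privileged", False)
    ]
    # The response must echo the request uid so the API server can correlate it.
    response = {"uid": request["uid"], "allowed": not offenders}
    if offenders:
        response["status"] = {
            "code": 403,
            "message": "privileged containers are not allowed: " + ", ".join(offenders),
        }
    return {"apiVersion": API_VERSION, "kind": "AdmissionReview", "response": response}


def mutate(review):
    """Mutating webhook: set runAsNonRoot on any container that does not set it.

    Mutations are returned as an RFC 6902 JSON Patch, base64-encoded, with
    patchType "JSONPatch"; this is the only patch type the API server accepts.
    """
    request = review["request"]
    pod = request["object"]
    patch = []
    for kind in ("initContainers", "containers"):
        for i, c in enumerate(pod.get("spec", {}).get(kind, [])):
            sc = c.get("securityContext")
            if sc is None:
                patch.append({"op": "add", "path": f"/spec/{kind}/{i}/securityContext",
                              "value": {"runAsNonRoot": True}})
            elif "runAsNonRoot" not in sc:
                patch.append({"op": "add", "path": f"/spec/{kind}/{i}/securityContext/runAsNonRoot",
                              "value": True})
    response = {"uid": request["uid"], "allowed": True}
    if patch:
        response["patchType"] = "JSONPatch"
        response["patch"] = base64.b64encode(json.dumps(patch).encode()).decode()
    return {"apiVersion": API_VERSION, "kind": "AdmissionReview", "response": response}


def decode_patch(admission_response):
    """Decode the JSON Patch carried in a mutating response (empty list if none)."""
    raw = admission_response["response"].get("patch")
    return json.loads(base64.b64decode(raw)) if raw else []


# Constructed sample request, shaped like the body the API server would POST.
SAMPLE_REVIEW = {
    "apiVersion": API_VERSION,
    "kind": "AdmissionReview",
    "request": {
        "uid": "00000000-0000-0000-0000-000000000001",  # placeholder uid
        "kind": {"group": "", "version": "v1", "kind": "Pod"},
        "operation": "CREATE",
        "namespace": "demo",
        "object": {
            "apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": "web"},
            "spec": {"containers": [
                {"name": "app", "image": "example/app:1.0"},
                {"name": "debug", "image": "example/debug:1.0",
                 "securityContext": {"privileged": True}},
            ]},
        },
    },
}

if __name__ == "__main__":
    print(json.dumps(validate(SAMPLE_REVIEW)["response"], indent=2))
    print(json.dumps(mutate(SAMPLE_REVIEW)["response"], indent=2))
```

Note the ordering the API server imposes: mutating webhooks run first and validating webhooks see the mutated object, which is one reason the slide advises caution with mutating webhooks; a mutation that silently rewrites a spec can make a later validation pass for a reason the author never intended.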
13. K8s Workload Layer
• Run Containers as a Non-Root User
• Run a Cluster-wide Pod Security Policy
• Create and Define Cluster Network Policies
• Use namespace for isolation
• Controlling which nodes pods may access
• Control resource usage by setting Resource Quotas
• Security Context
15. Deploy Pod Security Policy Via RBAC
• First, a Role or ClusterRole needs to grant access to use the desired policies.
16. Lessons about using PSP
• If you only want to grant usage for pods run in a given namespace, you have to create a RoleBinding per namespace
• This leads to a lot of individual rules for different use cases, which is difficult to keep maintainable in the long term
• RBAC authorization is whitelist-based, so it is hard to express a blacklist-based PSP
• Open Policy Agent could solve the blacklist-based problems
21. User Misconfiguration Layer
• One recent study found that 70‒75% of companies have at least one serious cloud security misconfiguration
Image from https://compliancex.com/embarrassing-6bn-fat-finger-trade-another-blow-to-top-firm/
22. User Misconfiguration Layer
• Don't specify default values unnecessarily
• Simple, minimal configuration will make errors less likely
• Put object descriptions in annotations, to allow better introspection
• Specify the latest stable API version
• Check the configuration in the CI/CD pipeline
• https://kubesec.io/
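The slides recommend checking configuration in the CI/CD pipeline and point at kubesec; the following added example (not the slides' own code, and not kubesec itself) shows what such a gate looks like: a kubesec-style scorer that applies the workload-layer advice from slide 13 (non-root containers, Security Context, resource limits) and the misconfiguration advice above (latest stable apiVersion, description annotations) to a manifest and fails the build below a threshold. Manifests are given as JSON dicts, the shape a YAML loader would produce, so the script needs no third-party parser; the two sample manifests and their image names are constructed for the example, and the point values are this example's own, not kubesec's.

```python
"""Kubesec-style static check of a workload manifest for a CI/CD gate.

Added example, not part of the slides and not kubesec. Critical findings
subtract points, satisfied good practices add points, and a build passes
only with no critical finding and a score at or above the threshold.
"""
import json
import sys

# API groups removed in Kubernetes 1.16; manifests still using them are stale.
DEPRECATED_API_PREFIXES = ("extensions/v1beta1",)


def _pod_spec(manifest):
    """Pod spec of a bare Pod, or of the template of a Deployment/StatefulSet/etc."""
    if manifest.get("kind") == "Pod":
        return manifest.get("spec", {})
    return manifest.get("spec", {}).get("template", {}).get("spec", {})


def _containers(spec):
    return spec.get("initContainers", []) + spec.get("containers", [])


def check_manifest(manifest):
    """Return (score, findings); findings are (severity, message) tuples."""
    score, findings = 0, []

    def critical(condition, points, msg):  # condition True means the risk is present
        nonlocal score
        if condition:
            score -= points
            findings.append(("critical", msg))

    def advise(satisfied, points, msg):  # satisfied True means the practice is in place
        nonlocal score
        if satisfied:
            score += points
        else:
            findings.append(("advise", msg))

    meta = manifest.get("metadata", {})
    spec = _pod_spec(manifest)

    critical(manifest.get("apiVersion", "").startswith(DEPRECATED_API_PREFIXES), 5,
             "apiVersion is deprecated; specify the latest stable API version")
    advise("description" in (meta.get("annotations") or {}), 1,
           "add a description annotation so the object can be introspected")
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        critical(spec.get(key) is True, 9, f"{key}: true shares a host namespace with the pod")

    for c in _containers(spec):
        name = c.get("name", "?")
        sc = c.get("securityContext") or {}
        critical(sc.get("privileged") is True, 30, f"{name}: privileged container")
        advise(sc.get("runAsNonRoot") is True, 10, f"{name}: set securityContext.runAsNonRoot: true")
        advise(sc.get("readOnlyRootFilesystem") is True, 1, f"{name}: set readOnlyRootFilesystem: true")
        advise("ALL" in ((sc.get("capabilities") or {}).get("drop") or []), 1,
               f"{name}: drop ALL capabilities and add back only the ones needed")
        advise("limits" in (c.get("resources") or {}), 1,
               f"{name}: set resources.limits so namespace quotas can be enforced")
    return score, findings


def passes(manifest, threshold=0):
    """CI gate: no critical finding and score >= threshold."""
    score, findings = check_manifest(manifest)
    return score >= threshold and not any(sev == "critical" for sev, _ in findings)


# Constructed sample manifests: a careless Deployment and its hardened version.
BAD = {
    "apiVersion": "extensions/v1beta1", "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "containers": [{"name": "app", "image": "example/app:1.0"}],
    }}},
}
GOOD = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web", "annotations": {"description": "front-end web tier"}},
    "spec": {"template": {"spec": {
        "containers": [{
            "name": "app", "image": "example/app:1.0",
            "securityContext": {"runAsNonRoot": True, "readOnlyRootFilesystem": True,
                                "capabilities": {"drop": ["ALL"]}},
            "resources": {"limits": {"cpu": "500m", "memory": "128Mi"}},
        }],
    }}},
}

if __name__ == "__main__":
    # Usage: python check.py manifest.json   (falls back to the samples)
    targets = [json.load(open(p)) for p in sys.argv[1:]] or [BAD, GOOD]
    ok = True
    for m in targets:
        score, findings = check_manifest(m)
        print(f"{m['metadata']['name']}: score {score}")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
        ok = ok and passes(m)
    sys.exit(0 if ok else 1)
```

Run it as a pipeline step and a non-zero exit code blocks the merge; the same check logic can be reused in an admission webhook, but catching the problem at review time is cheaper than catching it at deploy time.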
23. Useful Tools & Documents
• (CIS) Benchmark for Kubernetes
• (CIS) Benchmark for Docker
• aquasecurity/kube-bench
• aquasecurity/kube-hunter
• Sysdig Inspect
• Shopify/kubeaudit
• coreos/clair
• Open Policy Agent