kubernetes Security Best Practices
Hello Geeks!! Welcome back :)
What is Security Best Practices!!
- Do you go out without locking your house?
- Do you open all the doors and sleep at night?
- Do you think CC cameras will save your property from the threat, ofcourse its just a proof of evidence but do you think it will stop the threat?
- Do you think your security guard will always secure the property?
If a threat comes inside your property, its completely your mistake.
Creating a kubernetes cluster is not a happy ending for your workloads, we have to make sure with security best practices 😃 .
Best Practices —
Restricts the use of wildcards in Roles and ClusterRoles:
Below is the solution:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: example-name
name: example-name
rules:
- apiGroups: [""] # "" indicates the core API group
resources: ["pods", "deployments", "configmaps", "services", "endpoints"]
verbs: ["get", "watch", "list"]apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: example-name
rules:
- apiGroups: [""] # "" indicates the core API group
resources: ["pods", "deployments", "configmaps", "services", "endpoints"]
verbs: ["get", "watch", "list"]Minimize the admission of privileged containers:
Running a container with a privileged flag allows users to have critical access to the host’s resources. If a privileged container is compromised, it does not necessarily entail remote code execution, but it implies that an attacker will be able to run full host root with all of the available capabilities, including CAP_SYS_ADMIN.
Below is the solution:
---
apiVersion: v1
kind: Pod
metadata:
name: Somepod
spec:
containers:
- name: container01
image: dummyimagename
securityContext:
privileged: falseMinimize the admission of containers wanting to share the host process ID namespace:
To limit an attacker’s options to escalate privileges from within a container, configure containers to refrain from sharing the host process ID namespace.
Below is the solution:
---
apiVersion: v1
kind: Pod
metadata:
name: somepod
spec:
hostPID: false
containers:
- name: container01
image: dummyimagenameMinimize the admission of containers wanting to share the host network namespace:
To limit an attacker’s options to escalate privileges from within a container, configure containers to not share the host network namespace.
Below is the solution:
---
apiVersion: v1
kind: Pod
metadata:
name: somepod
spec:
hostNetwork: false
containers:
- name: container01
image: dummyimagenameMinimize the admission of containers with allowPrivilegeEscalation:
Set AllowPrivilegeEscalation to False, to ensure RunAsUser commands cannot bypass their existing sets of permissions.
Below is the solution:
apiVersion: v1
kind: Pod
metadata:
name: somepod
spec:
containers:
- name: <container name>
image: <image>
securityContext:
+ allowPrivilegeEscalation: falseMinimize the admission of root containers:
Containers that run as root usually have far more permissions than their workload requires. In case of compromise, an attacker can use these permissions to further an attack on the network.
Below is the solution:
---
apiVersion: v1
kind: Pod
metadata:
name: somepod
spec:
containers:
- name: container01
image: dummyimagename
securityContext:
runAsNonRoot: true
securityContext:
runAsNonRoot: trueMinimize the admission of containers with the NET_RAW capability:
NET_RAW is a default permissive setting in Kubernetes allowing ICMP traffic between containers and grants an application the ability to craft raw packets. In the hands of an attacker NET_RAW can enable a wide variety of networking exploits from within the cluster.
Below is the solution:
apiVersion: v1
kind: Pod
metadata:
name: somepod
spec:
initContainers:
- name: init
image: someimage
securityContext:
capabilities:
drop: ["CAP_NET_RAW"]
containers:
- name: add-capabilities
image: someimage
securityContext:
capabilities:
drop: ["CAP_NET_RAW"]Ensure that all namespaces have Network Policies defined:
Kubernetes network policies specify the access permissions for groups of pods, much like security groups in the cloud are used to control access to VM instances.
Below is the solution:
https://kubernetes.io/docs/concepts/services-networking/network-policies/
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: test-network-policy
namespace: default
spec:
podSelector:
matchLabels:
role: some-db
policyTypes:
- Ingress
- Egress
ingress:
- from:
- ipBlock:
cidr: 172.17.0.0/16
except:
- 172.17.1.0/24
- namespaceSelector:
matchLabels:
project: Prod
- podSelector:
matchLabels:
role: frontend
ports:
- protocol: TCP
port: 6379
egress:
- to:
- ipBlock:
cidr: 10.0.0.0/24
ports:
- protocol: TCP
port: 5978Prefer using Secrets as files over Secrets as environment variables:
Secrets can be mounted as data volumes or exposed as environment variables and used by a container in a pod to interact with external systems on your behalf.
Below is the solution:
Note: Use secrets manager provided by AWS | GCP | AZURE, if your cluster is created in cloud to access the secrets.
apiVersion: v1
kind: Pod
metadata:
name: <pod name>
spec:
containers:
- name: <container name>
image: <image>
env:
- name: <env name>
valueFrom:
- secretKeyRef:
- name: <secret key name>
- key: <secret key>Ensure that the seccomp profile is set to docker/default in your Pod definitions:
The default seccomp profile provides a reliable setting for running containers with seccomp and disables non-essential system calls.
Below is the solution:
apiVersion: v1
kind: Pod
metadata:
name: <name>
annotations:
+ seccomp.security.alpha.kubernetes.io/pod: "docker/default"
or
+ seccomp.security.alpha.kubernetes.io/pod: "runtime/default"Apply Security Context to your Pods and containers:
securityContext defines privilege and access control settings for your pod or container, and holds security configurations that will be applied to a container.
apiVersion: v1
kind: Pod
metadata:
name: <Pod name>
spec:
containers:
- name: <container name>
image: <image>
+ securityContext:That’s It folks!! Please provide your feedback in comments and if this article is helpful give a like (clap)
:)
