Learn essential Kubernetes security practices including RBAC, Network Policies, Pod Security Standards, and securing the control plane. Protect your cluster from common security threats.
Table of Contents
1. Security Overview
Kubernetes security follows a defense-in-depth approach with multiple layers:
- Cluster Security: Secure the control plane and Nodes
- Authentication & Authorization: RBAC, service accounts
- Network Security: Network Policies, encryption
- Pod Security: Security contexts, Pod Security Standards
- Secrets Management: Secure handling of sensitive data
- Image Security: Scan images, use trusted sources
Security is a shared responsibility between cluster administrators and application developers.
2. Role-Based Access Control (RBAC)
RBAC controls who can access what resources in the cluster. It uses Roles, RoleBindings, ClusterRoles, and ClusterRoleBindings.
2.1 Role vs ClusterRole
- Role: Namespace-scoped permissions
- ClusterRole: Cluster-wide permissions
2.2 Role Definition
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: default
name: pod-reader
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list"]
2.3 RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: read-pods
namespace: default
subjects:
- kind: User
name: jane
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: pod-reader
apiGroup: rbac.authorization.k8s.io
2.4 ClusterRole Example
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cluster-admin
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
2.5 Service Account Permissions
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: app-service-account-binding
namespace: default
subjects:
- kind: ServiceAccount
name: app-service-account
namespace: default
roleRef:
kind: Role
name: pod-reader
apiGroup: rbac.authorization.k8s.io
2.6 RBAC Best Practices
- Follow principle of least privilege
- Use namespaced Roles when possible
- Regularly audit RBAC permissions
- Use service accounts for Pods
- Avoid cluster-admin unless necessary
3. Network Policies
Network Policies control traffic flow between Pods. They act as a firewall for Pods, allowing or denying connections.
3.1 Network Policy Requirements
- Requires a CNI plugin that supports Network Policies (Calico, Cilium, etc.)
- By default, all Pods can communicate
- Network Policies are additive - if any policy allows, traffic is allowed
3.2 Network Policy Definition
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: api-allow
namespace: default
spec:
podSelector:
matchLabels:
app: api
policyTypes:
- Ingress
- Egress
ingress:
- from:
- podSelector:
matchLabels:
app: frontend
ports:
- protocol: TCP
port: 8080
egress:
- to:
- podSelector:
matchLabels:
app: database
ports:
- protocol: TCP
port: 5432
3.3 Deny All Traffic
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-all
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
3.4 Allow All from Namespace
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-from-namespace
spec:
podSelector: {}
ingress:
- from:
- namespaceSelector:
matchLabels:
name: trusted-namespace
3.5 Network Policy Best Practices
- Start with deny-all, then allow specific traffic
- Use labels consistently for podSelector
- Test policies in non-production first
- Document allowed traffic flows
- Monitor network policy violations
4. Pod Security Standards
Pod Security Standards define three policies that restrict Pod behavior: Privileged, Baseline, and Restricted.
4.1 Security Levels
- Privileged: Unrestricted (not recommended)
- Baseline: Prevents known privilege escalations
- Restricted: Most restrictive, follows hardening best practices
4.2 Pod Security Context
apiVersion: v1
kind: Pod
metadata:
name: secure-pod
spec:
securityContext:
runAsNonRoot: true
runAsUser: 1000
fsGroup: 2000
seccompProfile:
type: RuntimeDefault
containers:
- name: app
image: myapp:1.0
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
4.3 Namespace-Level Pod Security
apiVersion: v1
kind: Namespace
metadata:
name: production
labels:
pod-security.kubernetes.io/enforce: restricted
pod-security.kubernetes.io/audit: restricted
pod-security.kubernetes.io/warn: restricted
4.4 Pod Security Admission
Pod Security Admission (PSA) is built into Kubernetes and enforces Pod Security Standards at the namespace level.
4.5 Security Context Best Practices
- Run as non-root user
- Set readOnlyRootFilesystem when possible
- Drop all capabilities, add only what's needed
- Use seccomp profiles
- Set resource limits
5. Secrets Management
Proper secrets management is critical for cluster security.
5.1 Kubernetes Secrets Limitations
- Base64 encoded, not encrypted
- Stored in etcd in plain text
- Anyone with API access can read Secrets
5.2 Enable Encryption at Rest
Configure etcd encryption to encrypt Secrets at rest:
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- resources:
- secrets
providers:
- aescbc:
keys:
- name: key1
secret: <base64-encoded-key>
- identity: {}
5.3 External Secret Management
For production, consider external secret management:
- HashiCorp Vault: Comprehensive secret management
- AWS Secrets Manager: AWS-native solution
- Azure Key Vault: Azure-native solution
- Google Secret Manager: GCP-native solution
5.4 Secret Rotation
Implement secret rotation strategies:
- Rotate secrets regularly
- Use CI/CD pipelines to update secrets
- Restart Pods after secret updates
- Monitor secret age
6. Image Security
Container images are a common attack vector. Secure your images:
6.1 Image Scanning
- Scan images for vulnerabilities before deployment
- Use tools like Trivy, Clair, or Snyk
- Integrate scanning into CI/CD pipelines
- Block deployment of images with critical vulnerabilities
6.2 Image Policies
Use admission controllers to enforce image policies:
- Require images from trusted registries
- Block images with known vulnerabilities
- Enforce image signing
- Use image pull secrets
6.3 Image Best Practices
- Use minimal base images (Alpine, distroless)
- Keep images updated
- Don't include secrets in images
- Use multi-stage builds
- Sign images cryptographically
7. Control Plane Security
Secure the Kubernetes control plane:
7.1 API Server Security
- Use TLS for all API Server communication
- Enable RBAC
- Use admission controllers (Pod Security, OPA Gatekeeper)
- Restrict API Server access to authorized networks
- Enable audit logging
7.2 etcd Security
- Encrypt etcd data at rest
- Use TLS for etcd communication
- Restrict etcd access to API Server only
- Regularly backup etcd
- Use strong authentication
7.3 Node Security
- Keep Nodes updated
- Use CIS Kubernetes Benchmark
- Enable Node authorization
- Restrict kubelet API access
- Use secure container runtime
7.4 Audit Logging
Enable audit logging to track API access:
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata
omitStages:
- RequestReceived
8. Best Practices
8.1 Follow Least Privilege
Grant only the minimum permissions necessary. Use RBAC to enforce this.
8.2 Enable Network Policies
Use Network Policies to restrict Pod-to-Pod communication. Start with deny-all.
8.3 Use Pod Security Standards
Enforce Pod Security Standards at the namespace level. Use Restricted policy when possible.
8.4 Encrypt Secrets at Rest
Enable etcd encryption to protect Secrets stored in the cluster.
8.5 Scan Container Images
Integrate image scanning into your CI/CD pipeline. Block vulnerable images.
8.6 Keep Kubernetes Updated
Regularly update Kubernetes and all components to patch security vulnerabilities.
8.7 Enable Audit Logging
Enable audit logging to track all API access and detect suspicious activity.
8.8 Use Admission Controllers
Use admission controllers like OPA Gatekeeper or Kyverno to enforce policies.
8.9 Regular Security Audits
Conduct regular security audits and penetration testing. Use tools like kube-bench.
Summary: Kubernetes security requires a multi-layered approach: RBAC for access control, Network Policies for network isolation, Pod Security Standards for runtime security, proper secrets management, image scanning, and securing the control plane. Follow the principle of least privilege and regularly audit your security posture.
0 Comments