Since the inception of the project, security for Kubernetes has come a long way. While this is true, it still contains a few “gotchas.” Beginning with the control plane, building up through the workload and network security, and completing with a projection into the future of security. While this is true, there are several tips to help fortify your clusters and increase overall resilience if they become compromised.
Table of Contents
The Control Plane
Kubernetes’ brain is the control plane. It has a so-called “birds-eye” view of all your container and pods running on the specified cluster, will effectively schedule new pods, and can read the secrets that have been stored within the cluster. This is all valuable cargo that needs protecting from malicious intent and accidental leakage. This is necessary when it is accessed, at rest, or transported through the network.
Use the tips and information here to achieve the high level of protection required.
Implement TLS Everywhere
You should enable TLS for all components that support it to prevent issues such as traffic sniffing, to verify the server’s identity, and to verify the client’s identity. Take note, there are some components and certain installation methods that may allow local ports through HTTP, which means administrators need to become familiar with the settings of these components to identify any traffic that may be unsecured.
Implement Third-Party Authorization for the API Server
Centralizing authentication and authorization across your organization, such as a single sign-on, helps with consistent permissions, offboarding, and onboarding for users. By integrating Kubernetes with a third-party auth provider, such as GitHub or Google, it’s possible to use the remote platforms identity guarantees and prevents the administrators from being forced to reconfigure the Kubernetes API server to add or to remove users.
If you plan to use, for example, the Python client framework – pvcwatch, you need to implement this third-party authorization before transferring any information to ensure security. Failure to implement the security measures mentioned and ignoring crucial information, such as Kubernetes log aggregation reports can result in serious issues, hacks, and data loss or compromise.
Separate the etcd Cluster and Firewall
The etcd cluster is responsible for storing sensitive information, and it is considered a crucial Kubernetes component. With this in mind, it’s clear this may need unique protection besides what you currently use for the remainder of your cluster.
Having write access to the API server’s etcd cluster is essentially the same thing as gaining access to the entire cluster. Even just read access may be used to help escalate privileges with ease.
With the Kubernetes scheduler, the tool will search the etcd for any pod definitions that don’t have a node. It will then send the pods that it finds to one of the available kubelets for scheduling purposes. The API server will provide validation for the submitted pods before they are written to the etcd, which means that a malicious user writing directly to the etcd cluster has the ability to bypass many of the security mechanisms in place. As a result, it’s up to you to put security measures in place to ensure this doesn’t happen.
For superior protection and security, use peer and client TLS certificates for the configuration of etcd, and deploy this only on dedicated nodes. If you want to reduce the risk that private keys will be stolen and then used from a worker node, you can also have the cluster firewalled to your API server.
Rotate Your Encryption Keys
Today, encryption is a key element of online safety. This is true for any system and language used, including Python. With this in mind, for Kubernetes security, a best practice is to make sure you are rotating your encryption certifications and keys so that you can limit the “blast radius,” if a key compromise occurs.
There are some certificates that will be rotated automatically by Kubernetes. This is done by creating a new CSR as the current credentials expire. While this is true, the synthetic encryption keys used by the API server to encrypt the etcd values aren’t automatically rotated, which means it’s up to you to rotate them manually. You must have master access to do this. If you don’t do this regularly, it may compromise the entire configuration you have in place.
Python and Kubernetes: The Security First Approach
Running python apps through or on Kubernetes can be effective and efficient. However, before deploying these processes through this application ensuring your system is safe and secure is a must. While the tips here can help, knowing the system’s inner workers is key to find and stop potential hacks and breaches.
Working with the professionals may also be beneficial, as they can provide more information regarding python, Kubernetes, and logging to ensure you are using these technologies to their full potential.