Best practices in Securing Kubernetes Cluster & Workloads
*************************************************************
Journey to Securing a K8s cluster
1. API server and Cluster Security:
- restrict Access to kubectl (only authorized users reach the API server)
- use RBAC for Users, Groups & Service Accounts (restrict calls to the API server)
- use Network Policy
- use Namespaces (limit access)
- Bootstrap TLS certs (own CA for your Cluster)
2. Basic security checks:
- Upgrade Kube version (Master and Worker Nodes)
- use a Minimal OS in Containers
- assign Minimal permissions to IAM Roles (least privilege)
- use Private IPs for Worker nodes
- use Audit logging (all API server calls)
3. Prevent known attacks:
- disable Kube Dashboard (or restrict it to read-only)
- disable the default Service Account Token (by default every Pod gets the default Service Account token mounted, with that account's permissions)
- protect Node (instance) metadata
- Scan all Docker images for vulnerabilities
4. Secure Microservices:
- set a Pod security policy for every Pod (restrict what Pods can do)
- protect & encrypt Secrets
- limit the Identity used by Pods
- use a Service Mesh for AuthN and Encryption
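The "Secure Microservices" items above, as an added example that is not part of the original notes: a ServiceAccount with token auto-mounting switched off, and a Pod that opts out of the token again, runs as non-root under the runtime's default seccomp profile, drops all capabilities, and reads its credential from a Secret rather than a plain env value. The namespace, names and image reference are placeholders. One caveat a practitioner should know: PodSecurityPolicy was removed in Kubernetes 1.25; its replacement, Pod Security Admission, is enabled per namespace with the label `pod-security.kubernetes.io/enforce: restricted`, and this Pod spec satisfies that `restricted` profile. Encryption of Secrets at rest is a separate API server setting (EncryptionConfiguration, or the cloud provider's managed equivalent) and is not shown here.

```yaml
# Added example (not from the original notes). Namespace "payments",
# the service account "app-sa" and the image are placeholders.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-sa
  namespace: payments
# Do not mount this account's token into Pods unless a Pod opts in explicitly.
automountServiceAccountToken: false
---
apiVersion: v1
kind: Pod
metadata:
  name: api
  namespace: payments
spec:
  serviceAccountName: app-sa
  # The Pod-level setting takes precedence over the ServiceAccount-level one,
  # so set it here too: this workload never calls the API server.
  automountServiceAccountToken: false
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001
    seccompProfile:
      type: RuntimeDefault          # container runtime's default seccomp profile
  containers:
  - name: api
    image: registry.example.com/payments/api:1.4.2   # placeholder; scan before deploy
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]
    ports:
    - containerPort: 8080
    env:
    - name: DB_PASSWORD
      valueFrom:
        secretKeyRef:              # pulled from a Secret, not written into the manifest
          name: db-creds
          key: password
```

A quick check after applying it: `kubectl exec` into the Pod and confirm that `/var/run/secrets/kubernetes.io/serviceaccount` does not exist; with the token mounted, a compromised container would have whatever API access the account holds.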
******************************************************************
Top 6 must-have security controls:
- restrict Access to kubectl: allow only authorized users to call the API server
- Native Kube RBAC: define Roles with a set of Permissions & bind each Role to Identities
- Network Policy: control traffic between Pods (Pod <-> Pod); open by default
- Protect Kube Dashboard: deny all by default, but allow restricted access to the Dashboard using Roles and a Service Account
- Disable the default Service Account Token for Pods: disable automatic mounting of the default Service Account token inside Pods (every Namespace has its own default Service Account). Pods can use the default SA as an Identity to talk to the Master API Server.
- Pod Security Policy: use Docker Seccomp, restrict Pod actions (in the Kubernetes API server, enable the Admission Controller for “PodSecurityPolicy”)
Source: Google Next 2018 conference sessions
******************************************************************
We can restrict network access to the Kube API server (Master Nodes) using specific IP address ranges (CIDR), so that only specific IP addresses can call the Kube API server.
Authorized networks let you restrict the range of IP addresses that can access your Master (the kubectl / API server endpoint).
*****************************************************************
Use RBAC to set Permissions on individual resources.
Identities <- Roles <- Permissions
You can bind a Role to (User, Groups, Service Account).
In the Google GKE service: use RBAC to set permissions at Cluster & Namespace scope.
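The RBAC model described above (Permissions live in a Role, a binding attaches the Role to Identities), as an added example that is not part of the original notes. A namespace-scoped Role grants a small, read-mostly set of verbs; the RoleBinding attaches it to a group and to a CI service account. The namespace, Role name, group name and service account name are placeholders; on GKE the User and Group subjects are Google identities (an account e-mail, a Google Group), which is how cluster-level IAM and in-cluster RBAC meet. For cluster-wide permissions the same shape is used with ClusterRole and ClusterRoleBinding.

```yaml
# Added example (not from the original notes). Namespace "payments", group
# "payments-devs" and service account "ci-deployer" are placeholders.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: deployment-operator
  namespace: payments
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "update", "patch"]
- apiGroups: [""]                  # "" is the core API group
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]
# Deliberately absent: secrets, pods/exec, and any create/delete verb.
# A Role cannot grant more than it lists, so what is left out is the control.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: deployment-operator-binding
  namespace: payments
subjects:
- kind: Group
  name: payments-devs              # group name as presented by the authenticator
  apiGroup: rbac.authorization.k8s.io
- kind: ServiceAccount
  name: ci-deployer
  namespace: payments
roleRef:
  kind: Role
  name: deployment-operator
  apiGroup: rbac.authorization.k8s.io
```

Verify the effective permissions rather than trusting the manifest: `kubectl auth can-i get secrets -n payments --as=system:serviceaccount:payments:ci-deployer` should answer `no`, and `kubectl auth can-i patch deployments -n payments --as-group=payments-devs --as=anyone` should answer `yes`.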
******************************************************************