
What is the way for Kubernetes to achieve security?

2025-02-28 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 05/31 Report

This article covers how security can be achieved in Kubernetes. Many people run into these situations in practice, so let the editor walk you through how to handle them. I hope you read it carefully and take something away from it!

Kubernetes looks attractive and can help organizations solve many problems! But anyone who uses it knows how complicated things can get. Kubernetes security is no exception.

Kubernetes is not secure by default. It exposes many attack surfaces, and CVEs are found in it regularly. Although you may feel a little overwhelmed when you start using Kubernetes, there are specific strategies organizations can adopt to protect their services and infrastructure, and the systems and applications behind them, from compromise.

First of all, let's get an overview of the ecosystem you want to protect.

Containers: Kubernetes is a container orchestration system. Therefore, any attempt to protect Kubernetes must secure the containers it deploys, including the pipeline used to build and deploy them.

Linux and Windows: a container contains an operating system (OS), so we have to think about how to protect that OS (whether it is Linux, Windows or both).

Kubernetes: Kubernetes itself is both an API server and a distributed system of agents and an etcd database on the same network, all of which need to be protected.

Using a hosted Kubernetes solution (such as those offered by cloud providers) usually gives you better default configuration or features that are easier to manage. But these clusters are also insecure if you do not choose the correct configuration.

For example, the most secure way to authenticate to a Kubernetes cluster is OAuth. A managed Kubernetes solution can provide it, whereas clusters are otherwise usually set up with private client certificate files or username and password authentication.

Likewise, managed Kubernetes supports a container network interface (CNI) that can enforce network policies, which govern how containers and Pods communicate with each other over the Kubernetes network.

Next, let's look at how to protect each component in turn.

Container

If an organization wants to run containers securely, it must build, deploy and run only trusted container images.

Build

Building secure containers requires scanning them for vulnerabilities, including Linux system packages as well as application packages for programming languages such as Python or Ruby. Application developers may be used to scanning application dependencies, but because they now ship an entire operating system along with the application, they also need support in securing that operating system.

To support this at scale, consider tools such as Cloud Native Buildpacks, which let an organization or operations team define standardized container builds that developers can simply drop their applications into, completely replacing the project's Dockerfile. These centralized builds can be kept up to date so that developers can focus on what they are good at, without repeating DevOps work by hand.

Container image scanning tools scan the layers of a built image for known vulnerabilities and check that your builds and dependencies are up to date. They can be run during development as well as in the CI pipeline, so that developers discover vulnerabilities early. The best practice is to reduce the container to the minimum required to run the application.

A good way to prevent attacks is to ship a container without a shell!

Signing

So now you have built a secure container. But how do you make sure that the container you built is the one that actually gets deployed to the cluster?

Docker supports signing an image with a key, and the signature can then be verified when the image is pulled and deployed. Signing a container is similar to adding a TLS certificate to an endpoint.

It prevents man-in-the-middle attacks by verifying that the container image being pulled is exactly the image you pushed. To do this, the same key must be available on both the push side and the pull side.

We will see how to prevent unsigned images from being deployed to your cluster when we look at admission controllers below.

Linux

Your containers may be running Linux or Windows, and Kubernetes supports a mix of Linux and Windows worker nodes.

To secure your system, you still have to do the traditional work: ensure that servers are exposed only where necessary, that SSH credentials are secure, that OS libraries are up to date, and that user and group permissions are locked down.

If attackers gain access to your master or worker nodes, it is much easier for them to break into any part of the Kubernetes system, whether the API server or the kubelet agents. Even in a cloud native environment, good old sysadmin work is still needed, whether it is delegated to a cloud provider or done in-house.

Kubernetes

A complete treatment of Kubernetes security practice could fill a book. But for this discussion, the most critical aspects are role-based access control (RBAC), admission controllers and network policies.

In addition, cloud native security platforms can help close the smaller gaps that remain.

RBAC

Who can do what in your cluster? Role-based access control (RBAC) answers this question.

Kubernetes can grant specific permissions to users and service accounts, either across the whole cluster or within a given namespace.

A typical use case: all team members can view each other's application details, but can only make changes in their own dedicated namespace, and only a few vetted people can delete things there.

These vary from organization to organization, but actively managing RBAC is critical to cluster security.
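The use case above written out as RBAC manifests, added here and not taken from the original article; the cluster-wide read part is just a ClusterRoleBinding of the built-in "view" ClusterRole to the team group, so the manifests cover the namespace part: the team may create and update in its own namespace, and only a named reviewer holds the delete verb. The namespace "payments", the group "team-payments" and the user "reviewer@example.com" are assumed names.

```yaml
# Team-wide: read and change objects in the team's own namespace, but no "delete"
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: app-editor
  namespace: payments            # assumed team namespace
rules:
- apiGroups: ["", "apps"]
  resources: ["pods", "services", "configmaps", "deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-payments-edit
  namespace: payments
subjects:
- kind: Group
  name: team-payments            # assumed group name from the identity provider
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: app-editor
  apiGroup: rbac.authorization.k8s.io
---
# Reviewers only: the delete verb lives in its own Role, bound to named people
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: app-deleter
  namespace: payments
rules:
- apiGroups: ["", "apps"]
  resources: ["pods", "services", "configmaps", "deployments"]
  verbs: ["delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: reviewers-delete
  namespace: payments
subjects:
- kind: User
  name: reviewer@example.com     # assumed reviewer identity
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: app-deleter
  apiGroup: rbac.authorization.k8s.io
```

Because the delete verb is granted only through the second binding, adding or removing a reviewer is a one-line change to that subjects list, which is the kind of active RBAC management the paragraph above calls for.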

Admission Controllers

Admission controllers (AC) are the only way to achieve full Kubernetes security. An AC prevents containers from being scheduled and run in the cluster unless the container specification meets certain conditions. There are many types of AC, but two are well worth using: the PodSecurityPolicy AC and an AC that verifies image signatures.

PodSecurityPolicy (PSP) stands between the attacker and the most vulnerable parts of the Kubernetes system. For example, a container in Kubernetes can request that any path on the underlying host (such as the Docker socket) be mounted into it using a storage volume of type "hostPath".

A container that mounts the Docker socket can run any docker command on the host as root, without needing any special privileges. It's horrible! The only way to prevent this is a PSP that disallows hostPath volumes. PSP settings can also block several other important attack paths. If you do only one thing to protect the cluster, create a PSP and enable the PSP admission controller.
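A PodSecurityPolicy of the kind the paragraph calls for, as an added example and not the article's own: hostPath is simply absent from the allowed volume types (so the Docker socket cannot be mounted), and the policy also blocks privileged pods, host namespaces and running as root. The PodSecurityPolicy admission plugin must be enabled on the API server, and a PSP only takes effect for subjects allowed to "use" it, hence the ClusterRole and ClusterRoleBinding; note that PodSecurityPolicy was removed in Kubernetes 1.25 in favour of Pod Security Admission, which enforces an equivalent "restricted" profile through a namespace label.

```yaml
# Restrictive PSP: no hostPath (Docker socket stays out of reach), no privileged
# containers, no host network/PID/IPC namespaces, no root user
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false
  allowPrivilegeEscalation: false
  hostNetwork: false
  hostPID: false
  hostIPC: false
  # Allow-list of volume types; hostPath is deliberately not on it
  volumes: ["configMap", "emptyDir", "projected", "secret", "downwardAPI", "persistentVolumeClaim"]
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
---
# A PSP is only applied to pods whose creator may "use" it; granting that to
# every service account makes "restricted" the cluster-wide default
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp-restricted
rules:
- apiGroups: ["policy"]
  resources: ["podsecuritypolicies"]
  resourceNames: ["restricted"]
  verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: psp-restricted-all-serviceaccounts
subjects:
- kind: Group
  name: system:serviceaccounts   # built-in group covering every service account
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: psp-restricted
  apiGroup: rbac.authorization.k8s.io
```

With this in place, a pod spec carrying a hostPath volume for the Docker socket is rejected at admission rather than scheduled; pods created directly by human users (not via a controller) need the same "use" grant for their user or group.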

Earlier, we discussed signing your container images to establish a chain of trust. How is that enforced? With an Open Policy Agent (OPA) admission controller, you can check that every container image carries a valid signature before allowing it into the cluster. You can also refer to the excellent guide on using Notary and OPA together to build a complete chain of trust from build to deployment.

Network Policies

Kubernetes network policies are the cluster's internal firewall rules, which says enough about their importance. They allow administrators to configure the cluster for scenarios such as these:

One namespace can only communicate with the other namespace where its dependency resides.

External traffic can only reach the API gateway containers, not other containers.

Except for the DNS registry, all other containers are blocked from making outbound network connections.

If you manage your own cluster rather than using a cloud provider's managed solution, you need to study the available CNI plugins to understand how effectively NetworkPolicy is enforced on your network.
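The scenarios listed above as NetworkPolicy manifests for an assumed namespace "payments" (an added example, not from the article): a default deny in both directions, an egress exception only towards kube-dns, and ingress from outside the cluster only to pods labelled app: api-gateway. The namespace-to-namespace case uses the same namespaceSelector shape as the DNS rule, and the kubernetes.io/metadata.name label is set automatically on every namespace in current Kubernetes versions.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all          # 1. nothing in "payments" may talk in or out
  namespace: payments
spec:
  podSelector: {}                 # empty selector = every pod in the namespace
  policyTypes: ["Ingress", "Egress"]
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress          # 2. the only outbound exception is name resolution
  namespace: payments
spec:
  podSelector: {}
  policyTypes: ["Egress"]
  egress:
  - to:
    # namespaceSelector AND podSelector in one peer: kube-dns pods in kube-system only
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: gateway-external-ingress  # 3. only the API gateway accepts traffic from outside
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: api-gateway            # assumed label on the gateway pods
  policyTypes: ["Ingress"]
  ingress:
  - from:
    - ipBlock:
        cidr: 0.0.0.0/0           # any source; other pods stay covered by the default deny
    ports:
    - port: 8443                  # assumed gateway listener port
      protocol: TCP
```

None of this is enforced unless the cluster's CNI plugin implements NetworkPolicy, which is exactly the check the paragraph above asks self-managed clusters to make.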

Cloud native security platform

The security landscape changes all the time, and it moves at an alarming rate, faster still in the cloud native space. Even with all of the above in place, it is important to watch what is actually running, in real time, for signs of anomalies and violations. Platforms such as Prisma Cloud can alert you to such anomalies and proactively prevent unexpected processes from running and from establishing network connections.

This concludes "what is the way for Kubernetes to achieve security". Thank you for reading. If you want to know more about the industry, you can follow this website, where the editor will publish more high-quality practical articles for you!
