Since its release by Google in 2014, Kubernetes has taken the world by storm. Inspired by Google’s internal “Borg” resource scheduler, Kubernetes can deploy and manage applications on clusters of nodes, scaling those applications horizontally while maintaining their resilience — even as the node hardware or software fails. This “declarative” model, where you indicate the desired end state of the cluster rather than providing step-by-step instructions, has been adopted by DevOps configuration management tools like Terraform, SaltStack, Puppet, and CloudFormation. Kubernetes certainly eases the deployment of applications to clusters in a fault-tolerant, maintainable manner. But how secure is it? I’ve been attacking Kubernetes clusters in penetration tests and found they can vary widely in their resilience to attack. Here are the two main takeaways from these tests:
  1. Make sure your cluster runs a recent version of Kubernetes – the security features have matured quite a bit in the most recent versions.
  2. While the defaults are getting stronger, the best clusters are the ones that the owners have proactively hardened.
In my recent webinar outlined below, I demonstrated an attack against a Kubernetes cluster, as well as an initial defense to break the attack. I also reviewed critical steps for hardening the cluster. Here are some tips to get you started:
  • Set up authorization with custom RBAC service accounts, as well as Node and Webhook authorization
  • Use network policies with strong, specific, default-deny rules on both ingress and egress network traffic
  • Use pod security policies to restrict the capabilities of a hostile pod to interact with the node
  • Stand on the shoulders of others, including Google’s Ahmet Balkan, Red Hat’s Jordan Liggitt, and the community at the Center for Internet Security
To learn more, be sure to check out the on-demand webinar — and stay tuned for my upcoming white paper, where I'll reveal additional strategies for defending Kubernetes clusters.