Kubernetes Security Report Finds People Have No Idea How To Use Kubernetes

Kubernetes Security

  • Introduction
  • NSA National Security Agency Kubernetes Hardening Guidance
  • CIS Benchmarks and CIS Operator
  • Service Accounts
  • Kubernetes Secrets
  • Encrypting the certificate for Kubernetes. SSL certificates with Let’s Encrypt in Kubernetes Ingress via cert-manager
  • RBAC and Access Control
  • Kubernetes and LDAP
  • Admission Control
  • Kubernetes Security Best Practices
  • Kubernetes Authentication and Authorization
    • Kubernetes Authentication Methods
    • X.509 client certificates
    • Static HTTP Bearer Tokens
    • OpenID Connect
    • Implementing a custom Kubernetes authentication method
  • Pod Security Policies (SCCs – Security Context Constraints in OpenShift)
  • Security Profiles Operator
  • EKS Security
  • CVE
  • Videos
  • Tweets


  • cilium.io
  • Dzone – devops security at scale
  • Dzone – Kubernetes Policy Management with Kyverno
    • github Kyverno – Kubernetes Native Policy Management
    • nirmata.com: Auto-labeling Kubernetes resources with Kyverno
  • Dzone – OAuth 2.0
  • Kubernetes Security Best Practices 🌟
  • jeffgeerling.com: Everyone might be a cluster-admin in your Kubernetes cluster
  • Microsoft.com: Attack matrix for Kubernetes 🌟
  • codeburst.io: 7 Kubernetes Security Best Practices You Must Follow
  • thenewstack.io: Laying the Groundwork for Kubernetes Security, Across Workloads, Pods and Users
  • horovits.wordpress.com: Kubernetes Security Best Practices
  • containerjournal.com: How to Secure Your Kubernetes Cluster 🌟
  • medium: How to Harden Your Kubernetes Cluster for Production 🌟
  • kubernetes.io: Cloud native security for your clusters
  • tldrsec.com: Risk8s Business: Risk Analysis of Kubernetes Clusters 🌟 A zero-to-hero guide for assessing the security risk of your Kubernetes cluster and hardening it.
  • microsoft.com: Threat matrix for Kubernetes 🌟
  • labs.bishopfox.com: Bad Pods: Kubernetes Pod Privilege Escalation 🌟 What are the risks associated with overly permissive pod creation in Kubernetes? The answer varies based on which of the host’s namespaces and security contexts are allowed. In this post, I will describe eight insecure pod configurations and the corresponding methods to perform privilege escalation. This article and the accompanying repository were created to help penetration testers and administrators better understand common misconfiguration scenarios.
  • sysdig.com: Kubernetes Security Guide 🌟 Best practices, guidance and steps for implementing Kubernetes security.
  • resources.whitesourcesoftware.com: Kubernetes Security Best Practices 🌟
  • sysdig.com: Getting started with Kubernetes audit logs and Falco 🌟
  • thenewstack.io: Jetstack Secure Promises to Ease Kubernetes TLS Security
  • thenewstack.io: Best Practices for Securely Setting up a Kubernetes Cluster
  • stackrox/Kubernetes_Security_Specialist_Study_Guide 🌟
  • thenewstack.io: A Security Comparison of Docker, CRI-O and Containerd 🌟
  • github.com/stackrox: Certified Kubernetes Security Specialist Study Guide 🌟
  • youtube: Kubernetes Security: Attacking and Defending K8s Clusters – by Magno Logan
  • cncf.io: Kubernetes Security 🌟
  • microsoft.com: Secure containerized environments with updated threat matrix for Kubernetes
  • kyverno.io 🌟 Kubernetes Native Policy Management. Open Policy Agent? That’s old school. Securely manage workloads on your kubernetesio clusters with this handy new tool, Kyverno. Kyverno is a policy engine designed for Kubernetes. With Kyverno, policies are managed as Kubernetes resources and no new language is required to write policies. This allows using familiar tools such as kubectl, git, and kustomize to manage policies. Kyverno policies can validate, mutate, and generate Kubernetes resources. The Kyverno CLI can be used to test policies and validate resources as part of a CI/CD pipeline. youtube: The Way of the Future | Kubernetes Policy Management with Kyverno – youtube: Securing and Automating Kubernetes with Kyverno
    • kyverno.io/policies
      🌟 K8s policies available in the community repository
  • cyberark.com: Attacking Kubernetes Clusters Through Your Network Plumbing: Part 1
  • redkubes.com: 10 Kubernetes Security Risks & Best Practices
  • thenewstack.io: Defend the Core: Kubernetes Security at Every Layer
  • techmanyu.com: Kubernetes Security with Kube-bench and Kube-hunter 🌟
    • kube-bench 🌟 Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark
    • kube-hunter 🌟 Hunt for security weaknesses in Kubernetes clusters
    • k21academy.com: Secure and Harden Kubernetes, AKS and EKS Cluster with kube-bench, kube-hunter and CIS Benchmarks 🌟
  • Analyze Kubernetes Audit logs using Falco 🌟 Detect intrusions that happened in your Kubernetes cluster through audit logs using Falco
  • blog.kasten.io: Kubernetes Ransomware Protection with Kasten K10 v4.0
  • helpnetsecurity.com: Kubestriker: A security auditing tool for Kubernetes clusters 🌟 Kubestriker is an open-source, platform-agnostic tool for identifying security misconfigurations in Kubernetes clusters.
  • Kubernetes Goat 🌟 is designed to be an intentionally vulnerable cluster environment to learn and practice Kubernetes security.
  • itnext.io: How-To: Kubernetes Cluster Network Security 🌟
  • gist.github.com: How to protect your ~/.kube/ configuration
  • levelup.gitconnected.com: Enforce Audit Policy in Kubernetes (k8s)
  • snyk.io: 10 Kubernetes Security Context settings you should understand
  • magalix.com: Top 8 Kubernetes Security Best Practices 🌟
  • redhat.com: The State of Kubernetes Security
  • igorzhivilo.com: Network policy and Calico CNI to Secure a Kubernetes cluster
  • fairwinds.com: Find the Top 5 Kubernetes Security Mistakes You’re (Probably) Making
  • tigera.io: Kubernetes security policy design: 10 critical best practices 🌟
  • empresas.blogthinkbig.com: A vulnerability discovered in Kubernetes allows access to restricted networks (CVE-2020-8562)
  • thenewstack.io: Kubernetes: An Examination of Major Attacks 🌟 Constant vigilance is required to ensure that cloud infrastructure is locked down and that DevSecOps teams have the right tools for the task.
  • cloud.redhat.com: Top Open Source Kubernetes Security Tools of 2021 🌟🌟
  • cncf.io: How to secure your Kubernetes control plane and node components
  • redhat.com: State of Kubernetes Security Report – Spring 2021 (PDF) 🌟
  • kubernetes.io: Overview of Cloud Native Security 🌟🌟 This overview defines a model for thinking about Kubernetes security in the context of Cloud Native security.
  • elastisys.com: NSA and CISA Kubernetes Security Guidance: Summarized and Explained
  • learn.hashicorp.com: Integrate a Kubernetes Cluster with an External Vault 🌟
  • talkingquickly.co.uk: Kubernetes Single Sign On – A detailed guide 🌟
  • armosec.io: A Practical Guide to the Different Compliance Kubernetes Security Frameworks and How They Fit Together 🌟🌟
  • thenewstack.io: How to Secure Kubernetes, the Bone of the Cloud
  • akhilsharma.work: The 4C’s of Kubernetes Security
  • Kubernetes security thing: Always be careful of what you are letting your users choose for usernames. If someone has a username of
    on an external identity system, Kubernetes will quite happily give them the rights of the controller manager. The
    flags are useful for preventing this in OIDC integrations.
  • medium: Securing the Kubernetes cluster | Lessandro Z. Ugulino
  • infoworld.com: The race to secure Kubernetes at run time
    A new wave of startups is looking to help developers secure their containerized applications after they go into production. Is this the future of application security?
  • goteleport.com: Kubernetes API Access Security Hardening
  • infoworld.com: Securing the Kubernetes software supply chain with Microsoft’s Ratify. Microsoft’s
    proposal adds a verification workflow to Kubernetes container deployment. The Ratify team has some demo code in their GitHub repository that shows how to use Ratify with Gatekeeper in Kubernetes. Ratify installs using a Helm chart, bringing along some sample configuration templates.
  • amazicworld.com: Top 5 security threats unique to a Kubernetes and Cloud Native stack
  • peoplactive.com: Kubernetes and Container Security Checklist to Build Secure Apps
  • venturebeat.com: Kubernetes security will have a breakout year in 2022
  • medium: Comparing Kubernetes Security Frameworks and Guidance
    🌟 Comparing popular Kubernetes security and compliance frameworks, how they differ, when to use them, common goals, and suggested tools.
  • aninditabasak.medium.com: A Lap around Kubernetes Security & Vulnerability scanning Tools – checkov, kube-hunter, kube-bench & Starboard
  • blog.gitguardian.com: Hardening Your Kubernetes Cluster – Threat Model (Pt. 1)
    🌟 The NSA and CISA recently released a guide on Kubernetes hardening. We’ll cover this guide in a three part series. First, let’s explore the Threat Model and how it maps to K8s components.

    • blog.gitguardian.com: Hardening Your Kubernetes Cluster – Guidelines (Pt. 2)
      🌟 In this second episode, we will go through the NSA/CISA security recommendations and explain every piece of the guidelines.
  • blog.devgenius.io: How is security managed in Kubernetes clusters? Best practices for managing security in Kubernetes at various layers
  • blog.gitguardian.com: Kubernetes Hardening Tutorial Part 1: Pods Get a deeper understanding of Kubernetes Pods security with this first tutorial. After reading this article, you will learn:
    • How not to run pods as root
    • How to use immutable root fs (lock the root filesystem)
    • How to do Docker image scans locally and with your CI pipelines
    • How to use PSP
    • blog.gitguardian.com: Kubernetes Hardening Tutorial Part 2: Network How to achieve Control Plane security, true resource separation with network policies, and use Kubernetes Secrets more securely.
  • infoworld.com: 10 steps to automating security in Kubernetes pipelines DevOps teams don’t need to sacrifice the speed of containerized development if they know what can be automated, why it’s important, and how to do it
  • medium.com/@jonathan_37674: Kubernetes Security Best Practices: Definitive Guide
  • isovalent.com: Detecting a Container Escape with Cilium and eBPF In this article you’ll learn how an attacker with access to a Kubernetes cluster can escape from a container and:

    • run a pod to gain root privileges
    • escape to the host
    • persist the attack with invisible pods and fileless executions
  • mattermost.com: The Top 7 Open Source Tools for Securing Your Kubernetes Cluster

  • towardsdatascience.com: How to Secure your Kubernetes Deployment 🌟 It takes twenty years to build a reputation and few minutes of cyber-incident to ruin it. – Stephane Nappo. Kubernetes deployments are not safe by default and you should go the extra mile and secure the gates. Fortunately, tools like
    allow us to focus our attention on specific areas of the cluster.
  • blog.flant.com: Kubernetes cluster security assessment with kube-bench and kube-hunter
  • developers.redhat.com: Secure your Kubernetes deployments with eBPF Learn how to use eBPF and the Security Profiles Operator to automatically generate seccomp profiles, a Linux kernel security feature for Kubernetes

NSA National Security Agency Kubernetes Hardening Guidance

  • nsa.gov: NSA, CISA release Kubernetes Hardening Guidance 🌟🌟
  • Kubernetes Hardening Guidance 🌟🌟
  • thenewstack.io: The NSA Can Help Secure Your Kubernetes Clusters
  • therecord.media: NSA, CISA publish Kubernetes hardening guide 🌟🌟
    • Scan containers and Pods for vulnerabilities or misconfigurations.
    • Run containers and Pods with the least privileges possible.
    • Use network separation to control the amount of damage a compromise can cause.
    • Use firewalls to limit unneeded network connectivity and encryption to protect confidentiality.
    • Use strong authentication and authorization to limit user and administrator access as well as to limit the attack surface.
    • Use log auditing so that administrators can monitor activity and be alerted to potential malicious activity.
    • Periodically review all Kubernetes settings and use vulnerability scans to help ensure risks are appropriately accounted for and security patches are applied.
  • cloud.redhat.com: OpenShift and the NSA-CISA ‘Kubernetes Hardening Guidance’ Red Hat OpenShift is the quickest path to meeting the NSA’s Kubernetes hardening guidance
  • Kubescape
    kubescape is the first tool for testing if Kubernetes is deployed securely as defined in Kubernetes Hardening Guidance by NSA and CISA.
    Tests are configured with YAML files, making this tool easy to update as test specifications evolve.

    • infoq.com: Armo Releases Kubescape K8s Security Testing Tool: Q&A with VP Jonathan Kaftzan
  • infoq.com NSA and CISA Publish Kubernetes Hardening Guidance
  • csoonline.com: Kubernetes hardening: Drilling down on the NSA/CISA guidance The new guidance gives a solid foundation for hardening Kubernetes container environments. These are its key components and why they are important.
  • armosec.io: Kubescape – As “left” as it can go – find Kubernetes security issues while coding, not after
  • theregister.com: Hardening Kubernetes the NSA way. NSA spies ample opportunities to harden Kubernetes
  • thenewstack.io: NSA on How to Harden Kubernetes

CIS Benchmarks and CIS Operator

  • ibm.com: CIS Benchmarks Developed by a global community of cybersecurity professionals, CIS Benchmarks are a collection of best practices for securely configuring IT systems, software, networks, and cloud infrastructure.
  • aymen-abdelwahed.medium.com: K8s Operators – CIS Kubernetes Benchmarks How can I run my workloads securely on top of Kubernetes? In this post, we’ll be taking a look at the CIS Benchmark, breaking the concept down to simple terms, and in the end, deploying the CIS-Operator using Helm charts and custom values
    • rancher/cis-operator This is an operator that can run on a given Kubernetes cluster and provide the ability to run security scans as per the CIS benchmarks, on the cluster.

Service Accounts

  • Service account is an important concept in terms of Kubernetes security. You can relate it to AWS instance roles and Google Cloud instance service accounts if you have a cloud background. By default, every pod gets assigned a default service account if you don’t specify a custom service account. Service account allows pods to make calls to the API server to manage the cluster resources using ClusterRoles or resources scoped to a namespace using Roles. Also, you can use the Service account token from external applications to make API calls to the kubernetes API server.
    • devopscube.com: How To Create Kubernetes Service Account For API Access
    • devopscube.com: How to Create Kubernetes Role for Service Account
    • github.com/scriptcamp/kubernetes-serviceaccount-example Example Kubernetes manifests to create service account mapped to Rolebinding.
  • medium: Working with Service Account In Kubernetes 🌟 How to configure a service account in Kubernetes and manage it?
  • github.com/dvob/k8s-s2s-auth: Kubernetes Service Accounts 🌟 Service accounts are well known in Kubernetes to access the Kubernetes API from within the cluster. This is often used for infrastructure components like operators and controllers. But we can also use service accounts to implement authentication in our own applications. This README tries to give an overview on how service accounts work and shows a couple of variants how you can use them for authentication. Further, this repository contains an example Go service which shows how to implement the authentication in an application.
  • sandeepbaldawa.medium.com: Service Accounts in K8s (Kubernetes)
  • mjarosie.github.io: IAM roles for Kubernetes service accounts – deep dive
  • linkerd.io: Using Kubernetes’s new Bound Service Account Tokens for secure workload identity
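As an added example (not code from this page or from any of the projects linked above), the manifests below show the pattern the Service Accounts paragraph describes: a dedicated service account bound to a namespace-scoped Role instead of relying on the automatically assigned default account, with token automounting turned off except for the one pod that needs it. The namespace `demo`, the names `app-reader` and `pod-reader`, and the container image are assumed placeholders.

```yaml
# Added example, not from the page: least-privilege service account wiring.
# "demo", "app-reader", "pod-reader" and the image are constructed placeholders.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-reader
  namespace: demo
# Pods using this account do not get a token mounted unless they opt in below.
automountServiceAccountToken: false
---
# Role = permissions scoped to one namespace (a ClusterRole would be cluster-wide).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: demo
rules:
  - apiGroups: [""]          # "" is the core API group (pods, secrets, ...)
    resources: ["pods"]
    verbs: ["get", "list", "watch"]   # read-only; no create/delete/patch
---
# RoleBinding ties the service account to the Role, still inside "demo".
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-reader-pod-reader
  namespace: demo
subjects:
  - kind: ServiceAccount
    name: app-reader
    namespace: demo
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-reader
---
# The workload names the account explicitly; otherwise it would run as "default".
apiVersion: v1
kind: Pod
metadata:
  name: reader
  namespace: demo
spec:
  serviceAccountName: app-reader
  automountServiceAccountToken: true   # this pod really calls the API server
  containers:
    - name: app
      image: registry.example.com/app:1.0   # placeholder image
```

After applying the file, `kubectl auth can-i list pods -n demo --as=system:serviceaccount:demo:app-reader` should answer `yes` and `kubectl auth can-i delete pods -n demo --as=system:serviceaccount:demo:app-reader` should answer `no`; `--as` impersonates the service account, so the binding can be checked without handing its token to anything.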

Kubernetes Secrets

  • cncf.io: Revealing the secrets of Kubernetes secrets 🌟 In this article you will learn how to protect Secrets in your Kubernetes cluster
  • Easily on your first Kubernetes secrets 🌟
  • dev.to: Store your Kubernetes Secrets in Git thanks to Kubeseal. Hello SealedSecret! 🌟
  • blog.doit-intl.com: Kubernetes and Secrets Management in the Cloud
  • itnext.io: Effective Secrets with Vault and Kubernetes
  • kubernetes.io: Encrypting Secret Data at Rest 🌟
  • “Kubernetes base64 encodes secrets because that makes arbitrary data play nice with JSON. It had nothing to do with the security model (or lack thereof). It did not occur to us at the time that people could mistake base64 for some form of encryption”
    • “I’ve always wondered how folks expect a system would be able to protect data at rest like that. If the public key and private key are local on the machine – nothing is secure no matter what algorithm is used”
    • “The issue is not new or unique to k8s. There is a general confusion between encoding and encryption. Ask any web dev about base64, and there is a good chance they’ll tell you it’s encryption”
    • “The test is clearly wrong if that is the word used, literally everything is encoded somehow. If they meant encrypted instead, then it’s half true, secrets are encrypted in transit but only at rest if a KMS plugin is used”
    • “The semantics are important. Easy to grant an RBAC policy like “read only except secrets”
    • “I just meant that base64 prevents you from logging a secret in plain text by accident… but many more layers are required to keep your secrets secret”
    • “You need to configure how the key is managed and ideally opt into something like KMS plugin (which depends on how the cluster is hosted) to make it good”
  • redhat.com: Managing secrets for Kubernetes pods
  • enterprisersproject.com: How to explain Kubernetes Secrets in plain English 🌟 What is a Kubernetes secret? How does this type of Kubernetes object increase security? How do you create a Kubernetes secret? What are some best practices? Experts break it down
  • millionvisit.blogspot.com: Kubernetes for Developers #19: Manage app credentials using Kubernetes Secrets 🌟
  • kubermatic.com: Keeping the State of Apps Part 2: Introduction to Secrets
  • medium: Kubernetes Secrets Explained
  • medium: Managing your sensitive information during GitOps process with Sealed Secrets
  • enlear.academy: Sealed Secrets with Kubernetes
    Usage of the sealed secret to encrypt Kubernetes secrets.
  • medium.com/codex: Sealed Secrets for Kubernetes How to encrypt Kubernetes Secret component and store it on the Git. And decrypt it using Kubernetes controller.
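The quoted thread above makes two points: base64 is encoding, not encryption, and Secrets are only encrypted at rest if the API server is explicitly configured for it. As an added example that is not from this page or from any linked project, here is a kube-apiserver `EncryptionConfiguration` that contrasts the weak default (the `identity` provider, which stores Secrets in etcd as plain bytes) with an `aescbc` provider; the key value and the file path mentioned afterwards are placeholders, and the `kms` provider the last quote refers to would take the place of `aescbc` when a KMS plugin is available.

```yaml
# Added example, not from the page: kube-apiserver EncryptionConfiguration.
# The key below is a placeholder; generate a real 32-byte key and base64-encode it.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      # WEAK (what you get with no config at all):
      #   - identity: {}
      # identity as the first provider writes Secrets to etcd unencrypted;
      # base64 in the API object is only JSON-safe encoding, not protection.
      #
      # CORRECTED: the first provider is used for every write, later providers
      # are only tried when reading, so aescbc must come first.
      - aescbc:
          keys:
            - name: key1
              secret: REPLACE_ME_WITH_BASE64_32_BYTE_KEY   # placeholder
      # identity stays LAST so Secrets written before encryption was enabled
      # can still be read until they have been rewritten (see note below).
      - identity: {}
```

The file is referenced from the API server with `--encryption-provider-config=/etc/kubernetes/enc/enc.yaml` (assumed path). Existing Secrets are not touched retroactively, so after the restart rewrite them once with `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`; a Secret value read straight out of etcd should then begin with the `k8s:enc:aescbc:v1:key1:` prefix instead of the raw data. The key in this file lives on the control-plane node, which is the limitation the second quote describes; a `kms` provider moves key handling to an external key-management service.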

Encrypting the certificate for Kubernetes. SSL certificates with Let’s Encrypt in Kubernetes Ingress via cert-manager

  • Kubernetes Certs
  • Using SSL certificates from Let’s Encrypt in your Kubernetes Ingress via cert-manager 🌟
  • medium: Encrypting the certificate for Kubernetes (Let’s Encrypt) 🌟
  • rejupillai.com: Let’s Encrypt the Web (for free)
  • betterprogramming.pub: Kubernetes and SSL Certificate Management 🌟 Manage SSL certificate orders in K8s with Helm and Let’s Encrypt.
  • getbetterdevops.io: How to Secure K8S Nginx Ingress With Let’s Encrypt and Cert Manager Automate the provisioning of Let’s Encrypt certificates for ingress resources
  • faun.pub: Automate Certificate Management In Kubernetes Using Cert-Manager
  • cert-manager/cert-manager
    Automatically provision and manage TLS certificates in Kubernetes
  • github.com/cert-manager: Policy Approver Policy Approver is a cert-manager approver that is responsible for Approving or Denying CertificateRequests.
  • jetstack.io: Getting started using cert-manager with the sig-network Gateway API
  • medium.com/@knoldus: Configure SSL certificate with cert-manager on Kubernetes

RBAC and Access Control

  • Configure RBAC in Kubernetes Like a Boss 🌟 Learn how to configure RBAC in kubernetes. In this post, you will configure RBAC both with kubectl and yaml definitions.
  • infracloud.io: How to setup Role based access (RBAC) to Kubernetes Cluster 🌟
  • Kubernetes RBAC Permission Manager 🌟
  • Krane 🌟 is a Kubernetes RBAC static analysis tool. It identifies potential security risks in K8s RBAC design and makes suggestions on how to mitigate them. Krane dashboard presents current RBAC security posture and lets you navigate through its definition.
  • rbac.dev 🌟🌟🌟 advocacy site for Kubernetes RBAC. A site dedicated to good practices and tooling around Kubernetes RBAC. Both pull requests and issues are welcome.
    • For recipes, tips and tricks around RBAC see recipes.rbac.dev 🌟
  • github.com/clvx/k8s-rbac-model: Kubernetes RBAC Model This is an implementation of an RBAC model for a multi-project multi-tenant Kubernetes cluster.
  • loft.sh: Kubernetes RBAC: Basics and Advanced Patterns
  • marcusnoble.co.uk: Restricting cluster-admin Permissions
    More often than not, operators of the cluster are assigned to the cluster-admin ClusterRole. This gives the user access and permission to do all operations on all resources in the cluster. But what if you need to block an action performed by cluster admins?
  • medium.com/devops-mojo: Kubernetes – Role-Based Access Control (RBAC) Overview RBAC with Kubernetes – Role, ClusterRole, RoleBinding, and ClusterRoleBinding.
  • loft-sh.medium.com: 10 Essentials for Kubernetes Access Control
  • sumanthkumarc.medium.com: Kubernetes RBAC – Update default ClusterRoles without editing them
  • faun.pub: Assign permissions to a user in Kubernetes. An overview of RBAC-based AuthZ in k8s 🌟
  • anaisurl.com: RBAC Explained with Examples 🌟 Kubernetes RBAC tutorial with two examples, using ServiceAccounts and openssl to create separate contexts for users
  • medium.com/@badawekoo: Using RBAC in Kubernetes for authorization-Complete Demo-Part 1
  • thenewstack.io: Securing Access to Kubernetes Environments with Zero Trust
  • learnk8s.io: Limiting access to Kubernetes resource with RBAC
    What happens when you combine a Kubernetes RoleBinding to a ClusterRole? Are you even allowed? In this article, Yanan Zhao explores the K8s RBAC authorization model by rebuilding it from scratch.
  • medium.com/@15daniel10: YOYO attack on a K8S cluster
    In addition to the performance degradation for the attacked service, the underlying idea behind the attack is to exploit the autoscaling mechanism in order to make the victim deploy excessive resources and pay for them while having as little cost footprint for the attacker as possible. In other words, the attacker harnesses the power of the cloud against the organization that uses it.

Kubernetes and LDAP

  • loft.sh: Kubernetes and LDAP: Enterprise Authentication for Kubernetes

Admission Control

  • blog.styra.com: Why RBAC is not enough for kubernetes security 🌟🌟
  • medium: Single Sign-On in Kubernetes 🌟
  • trstringer.com: Create a Basic Kubernetes Validating Webhook
  • box/kube-exec-controller An admission controller service and kubectl plugin to handle container drift in K8s clusters

Kubernetes Security Best Practices

  • Kubernetes Security 101: Risks and 29 Best Practices 🌟 Security Best Practices Across Build, Deploy, and Runtime Phases.
  • Build Phase:
    1. Use minimal base images
    2. Don’t add unnecessary components
    3. Use up-to-date images only
    4. Use an image scanner to identify known vulnerabilities
    5. Integrate security into your CI/CD pipeline
    6. Label non-fixable vulnerabilities
  • Deploy Phase:
    1. Use namespaces to isolate sensitive workloads
    2. Use Kubernetes network policies to control traffic between pods and clusters
    3. Forbid overly permissive access to secrets
    4. Assess the privileges used by containers
    5. Assess image provenance, including registries
    6. Extend your image scanning to deploy phase
    7. Utilize labels and annotations appropriately
    8. Enable Kubernetes role-based access control (RBAC)
  • Runtime Phase:
    1. Leverage contextual information in Kubernetes
    2. Extend vulnerability scanning to running deployments
    3. Use Kubernetes built-in controls when available to tighten security
    4. Monitor network traffic to limit unnecessary or insecure communication
    5. Leverage process whitelisting
    6. Compare and analyze different runtime activity in pods of the same deployments
    7. If breached, scale suspicious pods to zero
  • thenewstack.io: 6 Kubernetes Security Best Practices 🌟
  • kodekloud.com: Kubernetes Security Best Practices
  • armosec.io: Kubernetes Security Best Practices: Definitive Guide
  • semaphoreci.com: Secure Your Kubernetes Deployments In this tutorial, we present three tools to validate and secure your Kubernetes deployments:
    • Kubeval
    • Kubeconform
    • Kubescore

kubernetes security controls landscape

  • kubernetes.io: Authenticating
  • kubernetes.io: Access Clusters Using the Kubernetes API
  • kubernetes.io: Accessing Clusters
  • magalix.com: kubernetes authentication 🌟
  • magalix.com: kubernetes authorization 🌟
  • kubernetes login
  • learnk8s.io: Authentication between microservices using Kubernetes identities 🌟
  • gravitational.com: How to Fix Kubernetes SSO with SAML

Kubernetes Authentication Methods

Kubernetes supports several authentication methods out-of-the-box, such as X.509 client certificates, static HTTP bearer tokens, and OpenID Connect.

X.509 client certificates

  • Kubernetes Authentication and Authorization with X509 client certificates

Static HTTP Bearer Tokens

  • kubernetes.io: Access Clusters Using the Kubernetes API
  • stackoverflow: Accessing the Kubernetes REST end points using bearer token

OpenID Connect

  • OpenID Connect

Implementing a custom Kubernetes authentication method

  • Implementing a custom Kubernetes authentication method

Pod Security Policies (SCCs – Security Context Constraints in OpenShift)

  • Pod Security Policy (SCC in OpenShift) 🌟
  • rancher.com: Enhancing Kubernetes Security with Pod Security Policies, Part 1
    • rancher.com: Enhancing Kubernetes Security with Pod Security Policies, Part 2
  • developer.squareup.com: Kubernetes Pod Security Policies (PSP) an example with exception management
  • itnext.io: Implementing a Secure-First Pod Security Policy Architecture
  • Neon Mirrors: Kubernetes Policy Comparison: OPA/Gatekeeper vs Kyverno

Security Profiles Operator

  • The Security Profiles Operator (SPO) is an out-of-tree Kubernetes enhancement to make the management of seccomp, SELinux and AppArmor profiles easier and more convenient.
  • kubernetes-sigs/security-profiles-operator
  • kubernetes.io: What’s new in Security Profiles Operator v0.4.0

EKS Security

  • Security Group Rules EKS
  • EC2 ENI and IP Limit
  • Calico in EKS
  • Amazon EKS Best Practices Guide for Security

    • EKS Best Practices Guide for Security 🌟
  • medium.com: Securing Kubernetes Dashboard on EKS with Pomerium


  • hackerone.com: Authenticated kubernetes principal with restricted permissions can retrieve ingress-nginx serviceaccount token and secrets across all namespaces
  • blog.lightspin.io: NGINX Custom Snippets CVE-2021-25742



Source: https://nubenetes.com/kubernetes-security/