In this article, we'll look at the best practices for securing your workloads on Kubernetes.
1. Always create minimal images for your application: Remove packages and dependencies you don’t need in your software package to reduce the size. Most containerized images use Debian or Ubuntu as the base image. These images, in the long run, can add extra memory to your container. Using smaller images is the best way to reduce your container size. For example, going from the default node:7 image to the node:8-alpine image reduces your base image size by ten times. To build with the new image, update your Dockerfile to start with a new base image.
- If your stack doesn’t have an option for a small base image, you can build your application container using the raw
2. Implement multi-stage builds to reduce size: Using multi-stage builds, you can create a lightweight container just with the executables.
3. Run a scan for vulnerabilities: You can use different scanning tools like TwistLock to check for vulnerabilities. These tools will let you check if your container is secured, give you the list of all vulnerable packages in your application, and immediately prompt you to remove the vulnerabilities.
4. Use hardened AMIs: When you run your worker plane on a virtual machine such as Amazon EC2, you need an Amazon Machine Image (AMI) for that EC2 instance. Your container image also runs on the worker node. Hardened AMIs leave out unnecessary packages, which reduces the attack surface. This will provide you with the appropriate information to safeguard and launch your instance. Hardened AMIs offer you secure and scalable environments for your nodes.
5. Run the latest Kubernetes versions: As Kubernetes moves to newer versions, it adds more security patches and updates for your resources. Always confirm you're using the latest version of Kubernetes, as this will ensure your applications are running with the latest patches and updates.
6. Run kube-bench against the CIS benchmark periodically: The Center for Internet Security (CIS) releases benchmarks you should follow for building and configuring your resources on Kubernetes. Kube-bench is an open-source tool you can install on your cluster that will run as a daemon set and check if your application pods are in a good state. The CIS benchmark has a list of vulnerabilities for your AMIs based on the operating system. As new vulnerabilities come in, this benchmark will be updated.
7. Use Namespaces to divide your cluster: Namespaces help separate different applications into their specific groups in multi-tenancy. With Namespaces, you can also have an individual resource quota for each Namespace. Resource quotas specify how much maximum CPU and memory your Namespace can allocate so that if an attack happens to your Kubernetes resources, it will not exhaust the CPU and memory of the entire cluster. Only the specific Namespace will be impacted, and other namespaces can work normally.
8. Use Network Policies to control pod traffic: Network policy works in OSI layers 3 and 4, which means it can handle traffic by the IP address of the pod or the pod's port. It can also control traffic using labels of the pods and a Namespace. Using network policy and Namespace, you can segregate traffic for each Namespace.
9. Implement RBAC (Role-Based Access Control) for Users and Permissions: RBAC is a key security mechanism to ensure that your clusters, resources, and users have access only to the tasks and resources required to perform their roles. With role-based access control, you can have separate roles for your developers, testers, system architects, and admins. This supports the principle of least privilege, where you only give developers access to the specific data, resources, and tools needed to complete the required task.
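
The namespace isolation described in items 7 to 9, written out as manifests. This is an added example, not from the original article; the namespace team-a, the group team-a-devs, the object names and all quota values are assumed placeholders.

```yaml
# Constructed example: all names and limits below are placeholders.
apiVersion: v1
kind: Namespace
metadata: {name: team-a}
---
# Item 7: cap the total CPU and memory the namespace can claim.
# With this quota in place, pods that set no requests/limits are rejected
# unless a LimitRange in the namespace supplies defaults.
apiVersion: v1
kind: ResourceQuota
metadata: {name: team-a-quota, namespace: team-a}
spec:
  hard:
    requests.cpu: "4"
    requests.memory: 8Gi
    limits.cpu: "8"
    limits.memory: 16Gi
---
# Item 8: every pod in team-a accepts ingress only from pods in team-a.
# Enforced only if the cluster's network plugin implements NetworkPolicy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: same-namespace-only, namespace: team-a}
spec:
  podSelector: {}            # empty selector = all pods in the namespace
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - podSelector: {}    # no namespaceSelector = same namespace only
---
# Item 9: developers may read pods and their logs, nothing else.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: pod-reader, namespace: team-a}
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: team-a-devs-pod-reader, namespace: team-a}
subjects:
  - kind: Group
    name: team-a-devs
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```

Because the Role and RoleBinding are namespaced, the grant stops at team-a; the same group has no access in other namespaces unless a separate binding is created there.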