Everyone’s talking about Kubernetes these days because of the role it plays in deploying highly scalable and dynamic application environments.
Unfortunately, what people are not talking about as much is Kubernetes security. While there are a few Kubernetes security resources out there (such as some basic security tips in the Kubernetes documentation), they’re few and far between.
In this post, I’d like to offer some additional Kubernetes security best practices. They reflect my real-world experience using Kubernetes in production, and include consideration of securing both Kubernetes itself and an application that is deployed using Kubernetes.
Kubernetes Security: Host
The foundation of any good security profile is a secure operating system running on the host. The best practice is to use a proven operating system and stay current on its patches, and apply recommended security hardening through the use of tools like OpenSCAP, or follow the checklists manually which are produced by organizations like NIST. Ideally, the operating system that underpins the running containers is optimized for a container environment by stripping out all non-essential elements. A great example is RancherOS. It was designed from the ground up to run containers and nothing else.
In reality, for most enterprises to follow best practices around the host, they are implementing their Kubernetes environments on top of full-featured, general-purpose operating systems like Microsoft Windows DataCenter and Red Hat Enterprise Linux, as they have existing procedures and tools to both patch and monitor the operating systems.
Kubernetes Security: Network
One of the main reasons that Kubernetes was such an innovative product was how it handled the network layer. As opposed to using NAT on each host like the first-generation Docker containers, Kubernetes exposed a unique address IP to (Read more…)
*** This is a Security Bloggers Network syndicated blog from Blog – WhiteSource authored by Gabriel Avner. Read the original post at: https://resources.whitesourcesoftware.com/blog-whitesource/kubernetes-security-best-practices