Kubernetes Security: from Image Hygiene to Network Policies

• Building container images
• Running containers
• Authentication and authorization
• Communication
• Apps
• Securing the control plane
• References

Building container images

Tooling:

• https://docs.docker.com/docker-cloud/builds/image-scan/
• https://github.com/coreos/clair
• https://www.open-scap.org/tools/
• https://www.aquasec.com/use-cases/continuous-image-assurance/
• https://neuvector.com/container-compliance-auditing-solutions/
• https://github.com/theupdateframework/notary
• https://github.com/in-toto

Further reading:

• Establishing Image Provenance and Security in Kubernetes
• Image Management & Mutability in Docker and Kubernetes
• Container security considerations in a Kubernetes deployment
• Building Container Images Securely on Kubernetes
• The OpenShift Build Process
• Introducing Grafeas: An open-source API to audit and govern your software supply chain

Running containers

Tooling:

• https://github.com/aquasecurity/kube-bench
• https://github.com/docker/docker-bench-security
• https://sysdig.com/opensource/falco/
• https://kubesec.io/
• https://www.twistlock.com/

Further reading:

• Just say no to root (in containers)
• Exploring Container Mechanisms Through the Story of a Syscall (slides | video)
• Improving your Kubernetes Workload Security Container Isolation at Scale (Introducing gVisor) (slides | video)

Authentication and authorization

Tooling:

• https://github.com/coreos/dex
• https://github.com/liggitt/audit2rbac
• https://github.com/heptio/authenticator

Further reading:

• Docs: Authentication, Authorization, Controlling Access to the Kubernetes API
• Kubernetes deep dive: API Server – part 1
• Certifik8s: All You Need to Know About Certificates in Kubernetes
• Kubernetes Auth and Access Control
• Effective RBAC
• Single Sign-On for Kubernetes: An Introduction
• Let's Encrypt, OAuth 2, and Kubernetes Ingress

Communication

Tooling:

• https://github.com/aporeto-inc/trireme-kubernetes
• https://github.com/jetstack/cert-manager/
• https://spiffe.io/
• https://www.openpolicyagent.org/

Further reading:

• Docs: Network policies
• How Kubernetes certificate authorities work
• Securing Kubernetes Cluster Networking
• Tutorials and Recipes for Kubernetes Network Policies feature
• Kubernetes Security Context and Kubernetes Network Policy
• Kubernetes Application Operator Basics

Apps

Tooling:

• https://github.com/kelseyhightower/konfd
• https://github.com/hashicorp/vault-plugin-auth-kubernetes
• https://github.com/bitnami-labs/sealed-secrets
• https://github.com/shyiko/kubesec
• https://github.com/weaveworks/flux

Further reading:

• Docs: Secrets, Configure a Security Context for a Pod or Container, Pod Security Policies
• Shipping in Pirate-Infested Waters: Practical Attack and Defense in Kubernetes
• Exploring container security: Isolation at different layers of the Kubernetes stack
• Security Best Practices for Kubernetes Deployment
• NIST Special Publication 800-190: Application Container Security Guide
• Kubernetes Security Best Practices
• Continuous Kubernetes Security

Securing the control plane

Tooling:

• https://github.com/bgeesaman/kubeatf
• https://github.com/Shopify/kubeaudit
• https://k8guard.github.io/

Further reading:

• Docs: Securing a Cluster, Encrypting Secret Data at Rest, Auditing
• Securing Kubernetes components: kubelet, etcd and Docker registry
• K8s security best practices
• Kubernetes Security - Best Practice Guide
• Lessons from the Cryptojacking Attack at Tesla
• Hacking and Hardening Kubernetes Clusters by Example
• What Does “Production Ready” Really Mean for a Kubernetes Cluster
• A Hacker's Guide to Kubernetes and the Cloud
• Kubernetes Container Clustering, Catastrophe
• Hardening Kubernetes from Scratch

References

Kubernetes resources related to security (v1.10):

• Namespace
• Secret
• ResourceQuota
• ServiceAccount
• Role / ClusterRole
• RoleBinding / ClusterRoleBinding
• PodSecurityPolicy
• NetworkPolicy

Useful kubectl commands:

• kubectl create secret
• kubectl create serviceaccount
• kubectl create role
• kubectl create rolebinding
• kubectl auth can-i