Kubernetes security has always been a source of great interest among system architects. You still have to compromise between administrative control and developer flexibility and velocity to ensure you don’t leave any holes in our cluster.
There are various areas you need to consider to enable security within your cluster. Typically, cyber-criminals look at ways of taking control of the host worker node by hacking into a Kubernetes application. They can then use that opportunity to shut down your cluster or exploit it for illegal activities.
One way of preventing such control is by enforcing proper pod security policies within your Cluster, without impacting development velocity and adding admin overhead.
Kubernetes pod security policies are cluster-level resources that you can create to control security aspects of your containers running on Kubernetes. With pod security policies, you can prevent people from running privileged containers, not allowing host networking and ports, disallowing host path volumes, not allowing containers to run as the root user, and much more.
Here are some of the recommended best practices to ensure cluster security using pod security policies:
privileged
flag to false
. Even in that situation, best practice is to use a dedicated service account for that Pod and deploy a specific namespace.readOnlyRootFilesystem
to true
.allowPrivilegeEscalation
flag to false
.MustRunAsNonRoot
flag to true
on your Pod Security policy.**hostPath**
volumes— Seriously don’t allow hostPath
s. They are not only bad for your volume management, and ties your containers to particular nodes, but also will enable a way for cybercriminals to access your host file system. Even if you really have to use them, the best practice is to only allow hostPath
s for a specific directory, so people are tied to particular directories only. Something like this:allowedHostPaths:
# This allows "/foo", "/foo/", "/foo/bar" etc., but
# disallows "/fool", "/etc/foo" etc.
# "/foo/../" is never valid.
- pathPrefix: "/foo"
readOnly: true # only allow read-only mounts
There are other controls you may want to enforce — you should look at restricting them as much as possible unless you need them for some reason.
#kubernetes #devops #cybersecurity