freach/kubernetes-security-best-practice

[ideas] Security notes compiled from various sources (links included)


Here we go with my loose notes about Kubernetes security; there is some overlap with the existing document.

Overview

  • RBAC enabled,
  • default-deny-ingress NetworkPolicy,
  • default-deny-egress NetworkPolicy,
  • Helm security

Online resources

Checklists for online resources on security.

Security problems of Kops default deployments

  1. No RBAC by default
     • installed rbac
  2. Kubelet does not enforce authorization
     • egress blocked through NetworkPolicy,
     • #3891,
  3. AWS Metadata API is reachable
     • kube2iam installed

Improving the Default Security Posture Through Defense in Depth

Post-Container Compromise Issues

  1. Default Namespace Tokens Have Full Privileges
     • RBAC enabled
  2. Unprotected Kubernetes Dashboard and Other kube-system Add-ons
     • limited kubernetes-dashboard privileges
     • internal access blocked using default-deny
  3. Kubelet Does Not Enforce Authorization (aka Kubelet-Exploit)
     • default-deny-egress NetworkPolicy
     • --anonymous-auth=false
     • default-deny-ingress NetworkPolicy
     • --authorization-mode=Webhook
  4. Unprotected Etcd/Calico-Etcd Endpoints
     • TLS enabled through kops spec.etcdClusters[*].enableEtcdTLS
  5. Direct Access to Cloud Instance Metadata APIs
     • kube2iam,
     • NetworkPolicy is not blocking access to cluster-external address,
  6. Permissive Metadata IAM Role Policies (AWS)

Additional considerations

  1. PodSecurityPolicy
     • not addressed
  2. NetworkPolicy
     • default-deny-ingress NetworkPolicy
     • default-deny-egress NetworkPolicy
  3. Admission Controllers
     • not addressed

7. Exposed /metrics APIs Allow for Pod/Svc Enumeration

Prevented using default-deny-ingress.

Securing a Cluster

  • Controlling access to the Kubernetes API
    • Use Transport Level Security (TLS) for all API traffic
      • kops
    • API Authentication (above ServiceAccount)
    • API Authorization
      • Node + RBAC
  • Controlling access to the Kubelet
    • egress blocked,
    • anonymous access blocked,
    • authentication configured
    • authorization configured
  • Controlling the capabilities of a workload or user at runtime
    • Limiting resource usage on a cluster
    • Controlling what privileges containers run with
      • PodSecurityPolicy
      • non-root users in applications
    • Restricting network access
      • default-deny-ingress NetworkPolicy
      • default-deny-egress NetworkPolicy
    • Restricting cloud metadata API access
      • kube2iam
    • Controlling which nodes pods may access
  • Protecting cluster components from compromise
    • Restrict access to etcd
    • Enable audit logging
    • Restrict access to alpha or beta features
    • Rotate infrastructure credentials frequently
    • Review third party integrations before enabling them
    • Encrypt secrets at rest
    • Receiving alerts for security updates and reporting vulnerabilities

Additional tasks

  • lock-down kube-system namespace with NetworkPolicies
  • encrypted by default StorageClass
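The default-deny-ingress and default-deny-egress NetworkPolicies that these notes keep coming back to, written out as an added example (not from the repository): one copy of each per namespace, plus the DNS allowance that a default-deny-egress otherwise breaks. The namespace `app`, the `k8s-app: kube-dns` selector and the `kubernetes.io/metadata.name` namespace label are assumptions.

```yaml
# Added example: default-deny for one namespace. "app" is an assumed namespace;
# apply the same pair to every namespace to lock down (kube-system included).
# An empty podSelector matches every pod in the namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: app
spec:
  podSelector: {}
  policyTypes:
  - Ingress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
  namespace: app
spec:
  podSelector: {}
  policyTypes:
  - Egress
---
# default-deny-egress also drops DNS lookups, so re-allow port 53 to the cluster
# DNS pods only. The kube-dns pod label is the standard one for kube-dns/CoreDNS;
# the kubernetes.io/metadata.name label is set automatically on 1.21+ clusters
# and must be added by hand on older ones (both are assumptions of this example).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: app
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
```

NetworkPolicy objects are only enforced when the CNI plugin implements them (Calico does; a plain kubenet/kops default does not), so after applying, confirm with `kubectl describe networkpolicy -n app` and a throwaway pod that cannot reach anything except DNS.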