The One-Stop Kubernetes Security Checklist


Securing your Kubernetes environments may seem daunting at first, given how many different parts must be individually protected. Still, with the proper organization, you can make Kubernetes security much simpler and more effective. We’ve put together a complete Kubernetes security checklist of best practices and security recommendations to help you keep track of your progress.

To make this a little easier, we’ve divided this checklist into the following sections:

  • Clusters
  • Pods
  • Containers

Kubernetes Cluster Security Checklist

According to the 2022 State of Kubernetes security report, 93% of developers experienced at least one Kubernetes security incident in the previous year. These findings reinforce the importance of following the latest Kubernetes security best practices.

Start with basic high-level security measures that protect your entire environment. These measures are often overlooked because they seem quite simple, but they can have a significant impact.

Here are some high-level security measures that you should consider when deploying your Kubernetes clusters.

Is Your Kubernetes Updated?

Running the latest version of Kubernetes is one of the most straightforward steps to make your system secure. Every update of Kubernetes comes with new security patches and enhancements. These patches ensure you are secured against many emerging or older threats. You can see what type of patches you get with each update in the changelog.

Do Firewalls Protect Your Network?

Regardless of how advanced your Kubernetes environment is, you still have to protect it against standard external attacks. To set up these protections, make sure you have solid firewalls and perimeter security. Applications that require a connection to the internet are vulnerable to attack if no firewalls or traffic control policies are set up.

Are You Following CIS Benchmarks?

CIS Benchmarks are a list of baseline security configuration recommendations that you should follow regardless of what kind of Kubernetes system you are running. You can read the complete list on the CIS website.

Although it is possible to go through the entire list and implement every benchmark, it may be more effective to use a CIS benchmark policy pack to automate this entire process. Styra offers a number of policy packs that you can use to automate your Kubernetes security and minimize human error.

Have You Secured etcd?

etcd is the key-value store that holds most of your cluster objects, so it is an integral part of your Kubernetes control plane. To secure it, enable both encryption in transit (TLS between the API server and etcd) and encryption at rest. If attackers gain control of etcd, they can access the entire cluster and read all of your Secrets (the objects that hold credentials, tokens and other sensitive data). Encryption at rest is what keeps that data unreadable in such a breach.
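The following is an added example (not part of the original article) of the encryption-at-rest half of this item: an EncryptionConfiguration file for the kube-apiserver that encrypts Secrets before they are written to etcd. The key value and file path are placeholders you must replace.

```yaml
# Added example, not from the original article: kube-apiserver encryption
# configuration for Secrets at rest in etcd. Key and path are placeholders.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      # The first provider is used for writes. aescbc needs a random 32-byte
      # key; generate one with:  head -c 32 /dev/urandom | base64
      - aescbc:
          keys:
            - name: key1
              secret: <base64-encoded-32-byte-key>   # placeholder, replace
      # identity is last so objects written before encryption was enabled can
      # still be read. Re-encrypt them once the config is live with:
      #   kubectl get secrets --all-namespaces -o json | kubectl replace -f -
      - identity: {}
```

Point the API server at the file with `--encryption-provider-config=<path-to-this-file>` (on kubeadm clusters the file must also be mounted into the kube-apiserver static pod). Encryption in transit is a separate setting: the API server talks to etcd over TLS when `--etcd-cafile`, `--etcd-certfile` and `--etcd-keyfile` are set and `--etcd-servers` uses `https://` URLs.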

Have You Reduced the Potential Attack Surface?

Hardening your system involves reducing the number of applications with internet access. This measure decreases the number of exposed components in your system, thus minimizing the attack surface.

Do You Have Strict API Access Control?

Ensure that your API server is not exposed to the public internet, because malicious actors and bots constantly scan for reachable API servers. Even Tesla fell victim to this type of attack. To avoid a similar incident, restrict access to the API server to the office IP range or the corporate VPN.

Is Your Kubernetes Dashboard Secured?

The Kubernetes dashboard is not exposed to the internet by default; it can only be reached from within its own cluster. You should still confirm this configuration, and authentication and authorization are still required so that only approved users can use it.

Kubernetes Pod Security Checklist

A pod is a group of one or more containers that share networking and storage and run an application together. Pod security measures are more specific than cluster-level ones and are applied differently to different pods. You can use various pod security policies to ensure your Kubernetes environment remains secure. Here are some of them:

Have You Implemented Strict Authorization Policies?

Authorization lies at the heart of Kubernetes pod security. By ensuring that only those who need access to a pod have access, you can prevent a wide array of attacks. There are different ways to ensure strict access controls, such as manually setting up Role-Based Access Control (RBAC) or having it set up and automatically enforced by an Open Policy Agent (OPA) instance through Styra DAS.
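As an added example (not from the original article or Styra), here is what the manually configured RBAC option looks like when it is kept narrow: a Role scoped to one namespace that grants read-only access to Pods and their logs, bound to a single user. The namespace, role and user names are assumptions.

```yaml
# Added example, not from the original article: least-privilege RBAC.
# Names (team-a, pod-reader, alice@example.com) are assumptions.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role                      # namespaced; use ClusterRole only when you must
metadata:
  namespace: team-a
  name: pod-reader
rules:
  - apiGroups: [""]             # "" is the core API group
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]   # no create/delete, no pods/exec
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: team-a
  name: pod-reader-binding
subjects:
  - kind: User
    name: alice@example.com     # assumed identity as presented by your authenticator
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```

Check the binding does what you intended by impersonating the subject: `kubectl auth can-i get pods -n team-a --as alice@example.com` should print `yes`, while `kubectl auth can-i delete pods -n team-a --as alice@example.com` should print `no`. Avoid wildcard `verbs: ["*"]` or `resources: ["*"]` and bindings to `cluster-admin` unless the subject truly needs them.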

Is Your Pod Communication Streamlined and Secure?

Communication between pods, as well as between pods and containers, may be necessary for an application to function, but it should be limited wherever possible. The risk is that one compromised pod can compromise the entire system.

Are Pod Security Contexts Set Up?

Pod security contexts are settings applied to individual pods and containers that give developers a large amount of flexibility. You can use a pod security context to determine the privilege level a pod runs at. Assign privileges only where necessary so that a compromised pod does not leave the entire system vulnerable.
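As an added example (not from the original article), this Pod manifest shows the security context fields that pin a workload to the lowest privilege level it needs. The image reference and UID are assumptions.

```yaml
# Added example, not from the original article. Image and UIDs are assumed.
apiVersion: v1
kind: Pod
metadata:
  name: least-privilege-app
spec:
  securityContext:                  # pod level: applies to every container
    runAsNonRoot: true              # kubelet refuses to start a root container
    runAsUser: 10001
    runAsGroup: 10001
    fsGroup: 10001                  # group ownership for mounted volumes
    seccompProfile:
      type: RuntimeDefault          # container runtime's default syscall filter
  containers:
    - name: app
      image: registry.example.com/app:1.2.3   # placeholder image
      securityContext:              # container level: overrides pod level
        privileged: false
        allowPrivilegeEscalation: false   # no setuid/file-capability escalation
        capabilities:
          drop: ["ALL"]             # add back individual capabilities only when proven necessary
      ports:
        - containerPort: 8080
```

Leave `hostNetwork`, `hostPID` and `hostIPC` at their default of `false`; setting any of them, or `privileged: true`, hands the pod the node's namespaces. Inspect what actually got applied with `kubectl get pod least-privilege-app -o jsonpath='{.spec.containers[*].securityContext}'`.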

Kubernetes Container Security Checklist

Containers and images are a fundamental part of every Kubernetes system. According to a 2021 study, 42% of Kubernetes developers run over 250 containers in their Kubernetes environment. Every pod in your system comprises one or multiple containers, so securing the entire system heavily involves securing every individual container. 

In order to improve container security, you should ask:

Are You Monitoring Container Behavior?

Monitoring your containers during run time is integral to maintaining security. You can take every precautionary measure, but security issues can still pop up, so you must be prepared to act quickly and spot any unusual behavior.

Active runtime monitoring is a great way to ensure everything works correctly. It also enables you to react promptly to new threats, such as DDoS attacks.

Have You Scanned All Your Images for Vulnerabilities? 

Before deploying your images, it is essential to scan them all at least once to avoid unexpected vulnerabilities or threats. Make sure to only use images from certified registries or scan images you have taken from third-party registries.

Are Your Images in Read-Only Mode?

You should always run your containers with a read-only filesystem, a policy you can enforce with OPA, so that even if malicious actors gain access to one of them, they cannot make changes that would jeopardize the entire system.
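The field that implements this is `readOnlyRootFilesystem` on the container's security context. The catch is that many images need a few writable paths at runtime; the added example below (not from the original article) handles that for nginx by giving only its cache, pid and temp directories an `emptyDir` volume while the rest of the image stays immutable. The image tag is an assumption.

```yaml
# Added example, not from the original article: nginx on a read-only root
# filesystem with writable scratch only where the process needs it.
apiVersion: v1
kind: Pod
metadata:
  name: readonly-web
spec:
  containers:
    - name: web
      image: nginx:1.25              # assumed image tag
      securityContext:
        readOnlyRootFilesystem: true # any write outside the mounts below fails
        allowPrivilegeEscalation: false
      volumeMounts:
        - name: cache
          mountPath: /var/cache/nginx   # nginx proxy/fastcgi cache
        - name: run
          mountPath: /var/run           # nginx.pid
        - name: tmp
          mountPath: /tmp
  volumes:                              # emptyDir lives only as long as the pod
    - name: cache
      emptyDir: {}
    - name: run
      emptyDir: {}
    - name: tmp
      emptyDir: {}
```

Confirm the setting holds: `kubectl exec readonly-web -- touch /usr/share/nginx/html/test` should fail with `Read-only file system`, while the pod's own writes to `/var/cache/nginx` succeed. If an application fails on startup after this change, its logs will name the path it tried to write, which tells you which directory to add as a volume rather than turning the protection off.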

Have You Validated Your Container Security Policies?

Once you have set up your security policies and contexts, validate them before deployment. According to a 2022 study, human error leads to 95% of all cybersecurity issues, so you should always double-check your work.

Automate Your Kubernetes Security Policies

A great way to ensure you are doing everything you can for Kubernetes security is to use software like Styra DAS to automate your security policies and authorization checks. Our approach allows you to validate your policies before deployment, making it easier to write policies and apply them consistently across the system.

If you’re unsure about automating your Kubernetes security, book a demo with us.

FAQs

How can I spot abnormal container behavior?

The best way to spot abnormal container behavior is to closely monitor a container during its regular operation and pay close attention to which processes it runs and which resources it uses. Once you allowlist these, you can flag any time the container deviates from that baseline.

What’s the difference between a pod security policy and a pod security context?

A pod security policy (PodSecurityPolicy) is a cluster-level resource that applies to every pod it matches, whereas a security context is set on an individual pod or container, allowing for more customization.
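One caveat a practitioner will hit: PodSecurityPolicy was removed in Kubernetes v1.25, and its cluster-level role is now filled by Pod Security Admission, which enforces the Pod Security Standards per namespace through labels. The manifest below is an added example (not from the original article); the namespace name is an assumption.

```yaml
# Added example, not from the original article: Pod Security Admission labels.
# Namespace name is assumed. "restricted" requires the same fields shown in
# the security-context example: runAsNonRoot, allowPrivilegeEscalation=false,
# capabilities drop ALL and a seccompProfile.
apiVersion: v1
kind: Namespace
metadata:
  name: team-a
  labels:
    pod-security.kubernetes.io/enforce: restricted       # reject non-compliant pods
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted          # warn the client on apply
    pod-security.kubernetes.io/audit: restricted         # annotate the audit log
```

Before turning on `enforce` in an existing namespace, preview which running pods would be rejected with `kubectl label --dry-run=server --overwrite ns team-a pod-security.kubernetes.io/enforce=restricted`; the server reports each violating pod without changing anything. Fix those workloads (or start with `baseline`) and then apply the label for real.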

What should I do with a compromised container?

Once a container has been compromised, you have no choice but to take it down and recreate it (ideally patching the vulnerability that caused the compromise). If the container is not properly isolated, you may have to take down other connected containers, too.
