Ultimate Guide To Kubernetes Security
Ultimate Guide To Kubernetes Security
Ultimate Guide To Kubernetes Security
The Ultimate
Guide to
Kubernetes Security
The Ultimate Guide to
Kubernetes Security
How to Secure Your Kubernetes Pipeline
To make matters worse, new tools and technologies like Kubernetes and managed
container services in the public cloud will themselves be under attack as a gateway into
an enterprise’s prized assets. The recent Kubernetes man-in-the-middle vulnerability
and exploit at Tesla are just the first among many container technology-based potential
exploits expected to proliferate in coming months and years.
• Do you have a process in place to eliminate critical vulnerabilities (with fixes available)
early in the pipeline, even in the build phase?
• Do you have visibility of Kubernetes pods being deployed? For example, do you know
how application pods or clusters are communicating with each other?
• Do you have a way to detect bad behavior in east-west traffic between containers?
• Do you know how to determine if every individual pod is behaving normally?
• How are you alerted when internal service pods or containers start to scan ports inter-
nally or try to connect to the external network randomly?
• How would you know if an attacker gained a foothold into your containers, pods, or hosts?
• Are you able to see network connections and inspect them to the same degree as you
can for your non-containerized deployments? At Layer 7, for instance?
• Are you able to monitor what’s going on inside a pod or container to determine if there is
a potential exploit?
• Have you reviewed access rights to the Kubernetes cluster(s) to understand potential
insider attack vectors?
• Do you have a checklist for locking down Kubernetes services, access controls (RBACs),
and container hosts?
• When you have compliance policies, how do you enforce the compliance at run- time?
For example, to ensure encryption for your internal pod communication, how do you
know when a pod is not using the encryption channel?
• When troubleshooting application communication or recording forensic data, how do
you locate the problem pod and capture its logs? How do you capture raw traffic and
analyze it quickly before it disappears?
This guide will present an overview for securing Kubernetes and container deployments,
with a special focus on automating run-time security.
For those not familiar with Kubernetes, this is an introduction into the key concepts
and terms.
• Master node. The server which manages the Kubernetes worker node cluster and the
deployment of pods on nodes. Nodes can be physical or virtual machines.
• Worker node. Also known as slaves or minions, these servers typically run the application
containers and other Kubernetes components such as agents and proxies.
• Pods. The unit of deployment and addressability in Kubernetes. A pod has its own IP
address and can contain one or more containers (typically one).
• Services. A service functions as a proxy to its underlying pods and requests can be
load-balanced across replicated pods. A service can also provide an externally acces-
sible endpoint for access to one-or-more-pods by defining an external IP or NodePort.
Kubernetes also provides a DNS service, router, and load balancer.
Key components which are used to manage a Kubernetes cluster include the API Server,
Kubelet, and etcd. Kubernetes also supports a browser-based management console, the
Kubernetes Dashboard, which is optional. Any of these components are potential targets
for attack. For example, the Tesla hijack exploited an unprotected Kubernetes console to
install crypto mining software.
Kubernetes uses iptables to control the network connections between pods (and between
nodes), handling many of the networking and port forwarding rules. This way, clients do
not need to keep track of IP addresses to connect to Kubernetes services. Also, port map-
ping is greatly simplified (and mostly eliminated) since each pod has its own IP address
and its container can listen on its native port.
With all of this overlay networking being handled dynamically by Kubernetes, it is ex-
tremely difficult to monitor network traffic, much less secure it. Following is an example of
how Kubernetes networking works.
POD 1 POD 2
src: 192.168.20.21 192.168.20.21 192.168.56.193 src: 192.168.20.21
dst: 192.168.56.193 dst: 192.168.56.193
calib10557e951d calib0d7763386da
The above diagram shows how a packet traverses between pods on different nodes. In
this example, the Calico CNI network plug-in is used. Every network plug-in has a different
approach for how a pod IP address is assigned (IPAM), how iptables rules and cross-node
networking are configured, and how routing information is exchanged between the nodes.
With the routing, possible NAT, and encapsulation occurring and being managed by the
network plug-in, it is extremely difficult to inspect and monitor network traffic for attacks
and connection violations.
4
east - west
2
5
6 Host
Worker nodes
Detecting events in a kill chain requires multiple layers of security monitoring, because
different resources are used. The most critical vectors to monitor to have the best chances
of detection in a production environment include:
Command
Weaponization Exploitation & control
• Network inspection. Attackers typically enter through a network connection and expand
the attack via the network. The network offers the first opportunity to an attack, subse-
quent opportunities to detect lateral movement, and the last opportunity to catch data
stealing activity.
• Container. An application or system exploit can be detected by monitoring the process and
syscall activity in each container to determine if a suspicious process has started or at-
tempts are made to escalate privileges and break out of the container. File integrity moni-
toring and access restrictions can also detect attempts to modify files, packages or libraries.
• Host monitoring. This is where traditional host (endpoint) security can be useful to
detect exploits against the kernel or system resources. However, host security tools must
also be Kubernetes and container-aware to ensure adequate coverage. For example,
new hosts can dynamically enter a Kubernetes cluster, and they must maintain the
security settings and tools which Kubernetes manages.
When the API Server token is stolen/hacked, or an identity is stolen to enable access to the
database by impersonating an authorized user, malicious containers can be deployed or
critical applications can be stopped.
By attacking the orchestration tools themselves, hackers can disrupt running applications
and even gain control of the underlying resources used to run containers. In Kubernetes
there are several published privilege escalation mechanisms, via the Kubelet, access to
etcd or service tokens, which can enable an attacker to gain cluster admin privilege rights
from a compromised container.
In the build phase, code and image analysis is critical for removing known vulnerabilities
and compliance violations before images are approved for deployment.
In the ship phase, enabling appropriate access controls and restricting deployment of
images is critical to ensuring that vulnerabilities are not intentionally or accidentally
introduced later in the pipeline.
In the run phase, properly locking down hosts and orchestration tools in preparation is
good and required hygiene, but real-time monitoring of the container environment is criti-
cal to expose and mitigate new exploits.
Although security teams always wish for the “holy grail” of one tool to provide end-to-end
security, there are many layers and steps in the pipeline to secure, and no one tool can ac-
complish all of it. In general, platforms such as Red Hat OpenShift, Docker EE, Rancher, SUSE
CaaS and AWS EKS provide security tools and features that focus on the build, ship, and
pre-deployment phases, while independent security vendors can provide end-to-end tools
which include run- time security. The run-time security tools must specialize in detecting
and preventing sophisticated network and container-based exploits. There are also a few
open source container security projects which are summarized later in this guide.
Build Ship
Run
Preparation Production
Host and Kernel Security Secrets Management Network Inspection & Container Quarantine
Visualization
SElinux, AppArmor Encryption Layer 7-based Run-Time Vulnerability
Auditing, e.g. Docker Application Isolation Scanning
Secure Docker daemon
Bench
Threat Detection Process Monitoring
Access Controls Orchestration Security
& Networking Privilege Escalation Packet Capture &
Detection Event Logging
• How will scanning be enforced and triggered in the pipeline? Most tools such as Jenkins
have plug-ins or extensions which can trigger the scan. Other tools can invoke scripts to
trigger scans through APIs.
• What is the approved process for evaluating and remediating vulnerabilities? Who
should be notified and review them?
• What criteria should be used to require remediation? Is it based on critical (high CVSS
score threshold) severity?
• When should a build job be failed? When a fix is available for a critical vulnerability, but
not when no fix is available?
• Should there be a grace period and/or exception (exemption) for violations? What is the
process for applying for exceptions?
• Should vulnerabilities discovered later in the pipeline, for example in production regis-
tries or in running containers, trigger actions in the pipeline to remediate them?
In addition to building scanning into the CI/CD pipeline, other security measures
should include:
• Access controls for pipeline tools and registries to reduce the possibility of insider abuse.
• Admission controls to prevent deployment of vulnerable or unauthorized images, or
prevent them from moving further in the pipeline.
• Enforcement of other corporate software management policies such as license controls
for open source components and code-scanning tools.
Kubernetes hosts should be continually audited and scanned in staging and production
environments to ensure that security configurations are not inadvertently misconfigured
during updates and scaling events.
A container firewall is a new type of network security product which applies traditional
network security techniques to the new cloud-native Kubernetes environment. There are
different approaches to securing a container network with a firewall, including:
• Layer 3/4 filtering, based on IP addresses and ports. This approach includes Kubernetes
network policy to update rules in a dynamic manner, protecting deployments as they
change and scale. Simple network segmentation rules are not designed to provide the
robust monitoring, logging, and threat detection required for business-critical container
deployments, but can provide some protection against unauthorized connections.
• Web application firewall (WAF) attack detection can protect web-facing containers
(typically HTTP or HTTPS-based applications) using methods that detect common at-
tacks, similar to the functionality of web application firewalls. However, the protection is
limited to external attacks over HTTP and lacks the multi-protocol filtering often needed
for internal traffic.
Deep packet inspection (DPI) techniques are essential for in-depth network security
in a container firewall. Exploits typically use predictable attack vectors: malicious HTTP
requests with a malformed header, or inclusion of an executable shell command within
the extensible markup language (XML) object. Layer 7 DPI-based inspection can look for
and recognize these methods. Container firewalls using these techniques can determine
whether each pod connection should be allowed to go through, or if they are a possible
attack which should be blocked.
Given the dynamic nature of containers and the Kubernetes networking model, traditional
tools for network visibility, forensics, and analysis can’t be used. Simple tasks such as
packet captures for debugging applications or investigating security events are not
simple any more. New Kubernetes and container-aware tools are needed to perform
network security, inspection, and forensic tasks.
Container inspection
Cyber assaults frequently utilize privilege escalations and malicious processes to initiate an
attack or spread it. Exploits of vulnerabilities in the Linux kernel (such as Dirty Cow), packages,
libraries or applications themselves can result in suspicious activity within a container.
Inspecting container processes and file system activity and detecting suspicious behavior
is a critical element of container security. Suspicious processes such as port scanning
and reverse shells, or privilege escalations should all be detected. There should be a
combination of built-in detection as well as a baseline behavioral learning process which
can identify unusual processes based on previous activity.
As with containers, the host system needs to be monitored for these suspicious activities.
Because containers can run operating systems and applications like the host, monitoring
container processes and file systems activity requires the same security functions as
monitoring hosts. Together, the combination of network inspection, container inspection,
and host security offers the best way to detect a kill chain from multiple vectors.
To protect Kubernetes and management platforms from attacks, it’s critical to properly
configure the RBACs for system resources. Following are areas to review and configure for
proper access controls:
1. Protect the api server. Configure RBAC for the API Server or manually create firewall rules
to prevent unauthorized access.
2. Restrict kubelet permissions. Configure RBAC for Kubelets and manage certificate rota-
tion to secure the Kubelet.
3. Require authentication for all external ports. Review all ports externally accessible and
remove unnecessary ports. Require authentication for those external ports needed. For
non-authenticated services, restrict access to a whitelist source.
4. Limit or remove console access. Don’t allow console/proxy access unless properly
configured for user login with strong passwords or two-factor authentication.
When combined with robust host security as discussed previously for locking down worker
nodes, the Kubernetes deployment infrastructure can be protected from attacks. However,
it is also recommended to use monitoring tools to track access to infrastructure services
to detect unauthorized connection attempts and potential attacks.
For example, in the Tesla Kubernetes console exploit, once access to worker nodes was
compromised, hackers created an external connection to China to control crypto mining
software. Real-time, policy-based monitoring of the containers, hosts, network, and
system resources would have detected suspicious processes as well as unauthorized
external connections.
Fortunately, there already are a comprehensive set of security posture checks for
Kubernetes and Docker environments through the CIS Benchmarks for Kubernetes and the
Docker Bench tests. Regularly running these tests and confirming expected results should
be automated.
• Host security
• Kubernetes security
• Docker daemon security
• Container security
• Properly configured RBACs
• Securing data at rest and in transit
In addition, image scanning should include CIS Benchmarks tests which are relevant
for image security. Additional image compliance tests also can inspect images for
embedded secrets and file access (setuid/setgid) violations.
The SUSE NeuVector solution is a container itself which is deployed and updated with Kubernetes
or any orchestration system such as OpenShift, Rancher, Docker EE, IBM Cloud, SUSE CaaS, EKS, etc.
SUSE NeuVector then continuously scans images in approved registries for new
vulnerabilities. During image scanning in the build phase or in registries, not only is
a layered scan result presented, but additional compliance checks are run for CIS
Benchmarks, secrets detected, and file access permission violations.
A vulnerability and compliance explorer provides a powerful tool to analyze results, create
compliance reports (for PCI, HIPAA, GDPR, NIST, etc.), and report progress on vulnerability
remediation.
Image scanning results also can be tied to admission control policies to prevent
deployment of vulnerable or unauthorized images into the production environment.
In real time, the SUSE NeuVector container starts inspecting network traffic and monitoring
containers and hosts for suspicious activity. Following are a few examples of how
SUSE NeuVector provides protection against multiple attack vectors in a Kubernetes
deployment.
Running pods, their network connections and security policy to protect them are
automatically discovered and visualized. Each application stack is isolated through
whitelist rules which are automatically deployed.
Attacks against containers, whether they originate externally or internally, are detected
and can be blocked. The SUSE NeuVector Layer 7 firewall can run in a monitor (network
tap) mode or a protect (inline) mode where attacks or unauthorized connections can
be blocked while keeping the container active for valid traffic. Any security incidents are
summarized in the network activity console.
Unusual activity is detected in any container, with built-in detection for suspicious
processes such as port scanning and reverse shells. In addition, running processes in each
container are baselined to aid in the detection of unauthorized or malicious processes.
Host systems are monitored for exploits such as privilege escalations. Suspicious
processes detected in containers are also detected running on hosts. For example, if port
scanning or reverse shell processes start running, SUSE NeuVector will detect and alert. In
addition, SUSE NeuVector can learn and whitelist allowed processes to run on the host, and
block any unauthorized host processes which attempt to start.
SUSE NeuVector also monitors system containers and network activity for each container.
In the diagram below, the Kubernetes and OpenShift containers are shown with their
network connections.
Vulnerability scanning also can be performed by SUSE NeuVector in the build and ship
phases to inspect image registries or during the CI/CD automated pipeline. Jenkins
integration is provided to enable scanning during the image build process.
Security automation starts with creating secure infrastructures and platforms for
running containers, followed by automated run-time security. A secure infrastructure
with repeatable secure configurations can be ensured by using infrastructure as code
concepts and tools such as Terraform.
The good news is that most run-time security can be automated using a combination
of behavioral learning and Kubernetes integration with custom resource definitions
(CRDs) to implement security as code. There may always be some initial manual setup or
customization required, but when the production switch is turned on and Kubernetes starts
managing pods, your security should automate, adapt, and scale with the deployment.
New security tools such as SUSE NeuVector can provide multi-vector run-time security
by fitting into the Kubernetes deployment model. By combining a Kubernetes container
firewall with container inspection and host security, the activities in a kill chain for a
damaging attack can be detected and prevented. The modern cloud-native architecture
of SUSE NeuVector means it easily deploys as its own container, sitting next to your
application containers, providing always-on, always running security.
SUSE NeuVector can help achieve compliance with standards such as PCI, GDPR, SOC 2,
HIPAA, and NIST which require specific security practices and capabilities. These standards
specify security practices which can include:
• Network Segmentation and Firewalling. With the Layer 7 container firewall designed for
container and Kubernetes network filtering and protection, SUSE NeuVector is in a unique
position to fill this requirement.
• Vulnerability Scanning and Remediation. End-to-end vulnerability management
enables SUSE NeuVector to enforce vulnerability management policies from the build
phase all the way into production.
• Auditing Configuration Tests. Reviewing and enforcing proper configuration of systems
(hosts), orchestrators, and containers through compliance checks such as the Kuber-
netes CIS Benchmarks reduces the risk of misconfiguration leading to a breach.
• Restricted Access Controls. Evaluating and granting the least required user access
privileges limits the likelihood of RBAC-based exploits and insider attacks.
• Encryption and Sensitive Data Protection. SUSE NeuVector can ensure that connections
are encrypted for data in motion and can even use DLP technology to monitor for sensi-
tive data leaks such as social security numbers, credit cards, and other PII.
SUSE NeuVector provides pre-configured, customizable reports for PCI, GDPR, HIPAA, and
NIST compliance reports for container deployments.
• Network policy. Kubernetes network security policy provides automated L3/ L4 (IP ad-
dress/port based) segmentation. A network plug-in is required which supports enforce-
ment of network policy such as Calico.
• Service meshes/ISTIO. Istio is an example of a service mesh for managing service-to-
service communication, including routing, authentication, authorization, and encryption.
Istio provides a solid framework for managing service routing, but is not designed to be
a security tool to detect attacks, threats, and suspicious container events.
• Grafeas. Grafeas provides a tool to define a uniform way for auditing and governing the
modern software supply chain. Policies can be tracked and enforced with integration
to third-party tools. Grafeas can be useful in governing the CI/CD pipeline, but is not
targeted to managing run-time security policies.
• Clair. Clair is a simple tool for vulnerability scanning of images, but lacks registry inte-
gration and workflow support.
CI/CD pipeline
• Scan images in build phase and fail/reject those with critical vulnerabilities with fixes
available, or compliance violations.
• Continuously scan approved images in registries to alert if new vulnerabilities have
been discovered.
• Scan images for compliance violations of CIS Benchmarks as well as embedded
secrets, running as root, file permissions and other security issues.
• Implement declarative security as code practices to involve developers and/or De-
vOps teams to create or review allowed (whitelisted) application behavior for their
application workloads.
• Use namespaces
• Restrict Linux capabilities
• Enable SELinux
• Utilize Seccomp
• Configure Cgroups
• Use R/O mounts
Next Steps
Want to learn more?
Visit NeuVector.com for additional container security articles on our blog or to schedule a
demo of the SUSE NeuVector Kubernetes security platform.
www.suse.com
Innovate
Everywhere
© 2022 SUSE LLC. All Rights Reserved. SUSE and
the SUSE logo are registered trademarks of SUSE
LLC in the United States and other countries. All
third-party trademarks are the property of their
respective owners.