What is Kubernetes Security?
Kubernetes Security is defined as the actions, processes and principles that should be followed to ensure security in your Kubernetes deployments. This includes – but is not limited to – securing containers, configuring workloads correctly, Kubernetes network security, and securing your infrastructure. [1]
Why is Kubernetes security important?
Kubernetes security is important due to the variety of threats facing clusters and pods, including:
- Malicious actors
- Malware running inside containers
- Vulnerable or tampered container images
- Compromised or rogue users
Without proper controls, an attacker who compromises a single application can try to escalate to the node it runs on, and from there to the entire cluster. [1]
The two sections above are summarized from [1].
See also:
- Key Kubernetes security issues
- Kubernetes security challenges and solutions
- Securing Kubernetes hosts
- Kubernetes Security Observability
Development/Design phase:
- Decide the isolation boundary up front. Workloads of different trust levels belong in separate clusters; within a cluster, separate namespaces with RBAC scoped to each help isolate teams and applications. A namespace is a soft boundary: containers in different namespaces still share the node kernel, so it does not replace node-level or cluster-level separation.
Build phase:
- Build on a minimal base image (distroless or similar) pulled from a vetted registry; fewer packages mean fewer CVEs to patch and less tooling for an attacker to live off.
- Use container scanning tools to uncover any vulnerabilities or misconfigurations in containers.
Deployment Phase:
- Images should be scanned and validated prior to deployment.
- An admission controller (a validating webhook, or a policy engine such as Kyverno listed below) enforces this automatically, so that only images from approved registries, with immutable tags and a verifiable signature, are admitted.
Runtime Phase:
- The API server can emit audit logs, but only once an audit policy is configured (auditing is off by default). Those logs, together with syscall-level events, should be monitored by a runtime security tool such as Falco or Sysdig.
- Running images and policy files should be rescanned continuously: an image that was clean at deployment acquires new CVEs over time, and configuration drift introduces misconfigurations after the fact.
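The four phases above come together in two configuration artifacts. The block below is an added example written for this page, not a manifest taken from the Snyk article or from the Kyverno or Kubernetes projects' own sample files. The first document is a Kyverno ClusterPolicy (Kyverno is listed among the tools below) enforcing the deployment-phase checks: every container must pull from a vetted registry, must pin a tag other than latest, and must carry a cosign signature verifiable with a public key that Kyverno reads from a Secret. The second document is a kube-apiserver audit policy that produces the records the runtime phase needs to monitor. The registry name registry.example.com, the policy name vetted-images-only and the Secret kyverno/cosign-pubkey are assumed names, not values from the page.

```yaml
# Added example: Kyverno ClusterPolicy that admits only vetted images.
# registry.example.com and the Secret kyverno/cosign-pubkey are assumed names.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: vetted-images-only
spec:
  # Roll out with Audit first, review the PolicyReports, then switch to Enforce.
  validationFailureAction: Enforce
  background: true
  rules:
    # 1. Containers, init containers and ephemeral containers must all come
    #    from the vetted registry. The =() anchor means "if the list exists,
    #    every entry must match", so Pods without initContainers still pass.
    - name: restrict-registry
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Images must be pulled from registry.example.com."
        pattern:
          spec:
            =(initContainers):
              - image: "registry.example.com/*"
            =(ephemeralContainers):
              - image: "registry.example.com/*"
            containers:
              - image: "registry.example.com/*"
    # 2. An explicit tag (or digest) is required; an untagged image silently
    #    resolves to latest, which the next rule forbids.
    - name: require-image-tag
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "An explicit image tag or digest is required."
        pattern:
          spec:
            containers:
              - image: "*:*"
    - name: disallow-latest-tag
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "The mutable tag 'latest' is not allowed."
        pattern:
          spec:
            containers:
              - image: "!*:latest"
    # 3. Only images signed by the vetted build pipeline may run. Kyverno
    #    verifies the cosign signature and, by default, rewrites the image
    #    reference to the resolved digest so that what was verified is what runs.
    - name: verify-cosign-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "registry.example.com/*"
          attestors:
            - count: 1
              entries:
                - keys:
                    # PEM public key read from a Secret (assumed name).
                    publicKeys: "k8s://kyverno/cosign-pubkey"
---
# Added example: kube-apiserver audit policy. Hand it to the API server with
# --audit-policy-file and --audit-log-path; without a policy nothing is logged.
apiVersion: audit.k8s.io/v1
kind: Policy
# The ResponseComplete record already carries the outcome; skip the early stage.
omitStages:
  - RequestReceived
rules:
  # Record who read or changed secrets and tokens, but never log their payload.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps", "serviceaccounts/token"]
  # Exec/attach into Pods and RBAC changes are the high-signal events for a
  # runtime tool such as Falco; keep the full request and response bodies.
  - level: RequestResponse
    resources:
      - group: ""
        resources: ["pods/exec", "pods/attach", "pods/portforward"]
      - group: "rbac.authorization.k8s.io"
        resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]
  # Drop the routine read-only traffic from control-plane components and kubelets.
  - level: None
    users: ["system:kube-scheduler", "system:kube-controller-manager"]
    verbs: ["get", "list", "watch"]
  - level: None
    userGroups: ["system:nodes"]
    verbs: ["get", "list", "watch"]
  # Everything else: who did what to which object, without bodies.
  - level: Metadata
```

Apply the first document with `kubectl apply -f` after the Kyverno controller is installed; the second is not a cluster object and has to be placed on the control-plane node and referenced from the kube-apiserver flags. Audit rules are evaluated in order and the first match wins, which is why the `None` rules sit before the catch-all `Metadata` rule; reversing them would silence the exec and RBAC records.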
Tools:
- aad-pod-identity: Assign Azure AD identities to pods in Kubernetes in order to access Azure resources. Deprecated by Microsoft in favour of Azure AD Workload Identity.
- audit2rbac: Autogenerate RBAC policies based on Kubernetes audit logs.
- Deepfence ThreatMapper: Apache v2, powerful runtime vulnerability scanner for kubernetes, virtual machines and serverless.
- cnspec: Scan Kubernetes clusters, containers, and manifest files for vulnerabilities and misconfigurations.
- falco: Cloud-native runtime security; detects anomalous syscalls and Kubernetes audit events against a rule set.
- kdigger: Kubernetes focused container assessment and context discovery tool for penetration testing.
- kiam: Integrate AWS IAM with Kubernetes. No longer maintained; on EKS, IAM Roles for Service Accounts (IRSA) is the supported replacement.
- kube-bench: Check whether Kubernetes is deployed according to security best practices.
- kube-hunter: Hunt for security weaknesses in Kubernetes clusters.
- kube-psp-advisor: Help building an adaptive and fine-grained Pod Security Policy. Note that PodSecurityPolicy was removed in Kubernetes v1.25; Pod Security Admission (the baseline/restricted standards) replaces it.
- kube-scan: k8s cluster risk assessment tool.
- Kubei: Vulnerabilities scanner for Kubernetes clusters.
- kube2iam: Provide different AWS IAM roles for pods running on Kubernetes by intercepting calls to the instance metadata endpoint. On EKS, IRSA is the supported alternative.
- kubeaudit: Audit your Kubernetes clusters against common security controls.
- kubectl-bindrole: Find Kubernetes roles bound to a specified ServiceAccount, Group or User.
- kubectl-dig: Deep Kubernetes visibility from the kubectl.
- kubectl-kubesec: Scan Kubernetes pods, deployments, daemonsets and statefulsets with kubesec.io.
- kubectl-who-can: Show who has permissions to <verb> <resource> in Kubernetes.
- OWASP Top Ten for Kubernetes: A prioritized list of the most common Kubernetes security risks, backed by data collected from organizations of varying maturity and complexity.
- terrascan: Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
- kyverno: Kubernetes Native Policy Management.
- rakkess: Review access matrix for Kubernetes server resources.
- rback: RBAC in Kubernetes visualizer.
- steampipe: Use SQL to query cloud services (AWS, Azure, GCP and more); the two Kubernetes entries below are plugins for it.
- steampipe-kubernetes: Use SQL to query your Kubernetes resources.
- steampipe-kubernetes-compliance: Kubernetes compliance scanning against the CIS Kubernetes Benchmark and the NSA/CISA Kubernetes Hardening Guidance.
- trivy: Vulnerability and misconfiguration scanner for container images, filesystems, IaC and Kubernetes clusters; suitable for CI.
- trivy-operator: Kubernetes-native security toolkit (vulnerabilities, IaC misconfiguration, exposed secrets, RBAC assessment, compliance and more) that runs Trivy continuously inside the cluster.
- kubernetes-rbac-audit: Tool for auditing RBACs in Kubernetes.
- kubernetes-external-secrets: Tool to sync secrets from HashiCorp Vault and AWS SSM into Kubernetes Secrets. Deprecated in favour of External Secrets Operator.
- vault-secrets-operator: An operator to create Kubernetes secrets from Vault for a secure GitOps based workflow.
Further reading:
- Kubernetes Security and Disclosure Information
- Kubernetes Security
- GKE Security Bulletins
- CKS Certified Kubernetes Security Specialist resources repo
- Kubernetes Security Checklist and Requirements
- OWASP Kubernetes Security Cheatsheet
- Securing Kubernetes Clusters
- Kubernetes Security: 6 Best Practices for the 4C Security Model
[1]: Kubernetes Security: Common Issues and Best Practices, Snyk.