awesome-kubernetes/docs/kubernetes-security.md

Kubernetes Security

• Introduction
• Service Accounts
• Kubernetes Secrets
• Encrypting the certificate for Kubernetes. SSL certificates with Let's Encrypt in Kubernetes Ingress via cert-manager
• RBAC
• Admission Control
• Security Best Practices Across Build, Deploy, and Runtime Phases
• Kubernetes Authentication and Authorization
  • Kubernetes Authentication Methods
  • X.509 client certificates
  • Static HTTP Bearer Tokens
  • OpenID Connect
  • Implementing a custom Kubernetes authentication method
• Pod Security Policies (SCCs - Security Context Constraints in OpenShift)
• Security Profiles Operator
• EKS Security
• CVE
• Tweets

Introduction

• cilium.io
• Dzone - devops security at scale
• Dzone - Kubernetes Policy Management with Kyverno
  • github Kyverno - Kubernetes Native Policy Management
  • nirmata.com: Auto-labeling Kubernetes resources with Kyverno
• Dzone - OAuth 2.0
• Kubernetes Security Best Practices 🌟
• jeffgeerling.com: Everyone might be a cluster-admin in your Kubernetes cluster
• Microsoft.com: Attack matrix for Kubernetes 🌟
• codeburst.io: 7 Kubernetes Security Best Practices You Must Follow
• thenewstack.io: Laying the Groundwork for Kubernetes Security, Across Workloads, Pods and Users
• horovits.wordpress.com: Kubernetes Security Best Practices
• containerjournal.com: How to Secure Your Kubernetes Cluster 🌟
• medium: How to Harden Your Kubernetes Cluster for Production 🌟
• kubernetes.io: Cloud native security for your clusters
• tldrsec.com: Risk8s Business: Risk Analysis of Kubernetes Clusters 🌟 A zero-to-hero guide for assessing the security risk of your Kubernetes cluster and hardening it.
• microsoft.com: Threat matrix for Kubernetes 🌟
• labs.bishopfox.com: Bad Pods: Kubernetes Pod Privilege Escalation 🌟 What are the risks associated with overly permissive pod creation in Kubernetes? The answer varies based on which of the host’s namespaces and security contexts are allowed. In this post, I will describe eight insecure pod configurations and the corresponding methods to perform privilege escalation. This article and the accompanying repository were created to help penetration testers and administrators better understand common misconfiguration scenarios.
• sysdig.com: Kubernetes Security Guide 🌟 Best practices, guidance and steps for implementing Kubernetes security.
• resources.whitesourcesoftware.com: Kubernetes Security Best Practices 🌟
• sysdig.com: Getting started with Kubernetes audit logs and Falco 🌟
• thenewstack.io: Jetstack Secure Promises to Ease Kubernetes TLS Security
• thenewstack.io: Best Practices for Securely Setting up a Kubernetes Cluster
• stackrox/Kubernetes_Security_Specialist_Study_Guide 🌟
• thenewstack.io: A Security Comparison of Docker, CRI-O and Containerd 🌟
• github.com/stackrox: Certified Kubernetes Security Specialist Study Guide 🌟
• youtube: Kubernetes Security: Attacking and Defending K8s Clusters - by Magno Logan
• cncf.io: Kubernetes Security 🌟
• microsoft.com: Secure containerized environments with updated threat matrix for Kubernetes
• kyverno.io 🌟 Kubernetes Native Policy Management. Open Policy Agent? That’s old school. Securely manage workloads on your kubernetesio clusters with this handy new tool, Kyverno.Kyverno is a policy engine designed for Kubernetes. With Kyverno, policies are managed as Kubernetes resources and no new language is required to write policies. This allows using familiar tools such as kubectl, git, and kustomize to manage policies. Kyverno policies can validate, mutate, and generate Kubernetes resources. The Kyverno CLI can be used to test policies and validate resources as part of a CI/CD pipeline. youtube: The Way of the Future | Kubernetes Policy Management with Kyverno - youtube: Securing and Automating Kubernetes with Kyverno
  • ==kyverno.io/policies== 🌟 K8s policies available in the community repository
• cyberark.com: Attacking Kubernetes Clusters Through Your Network Plumbing: Part 1
• redkubes.com: 10 Kubernetes Security Risks & Best Practices
• thenewstack.io: Defend the Core: Kubernetes Security at Every Layer
• techmanyu.com: Kubernetes Security with Kube-bench and Kube-hunter 🌟
  • kube-bench 🌟 Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark
  • kube-hunter 🌟 Hunt for security weaknesses in Kubernetes clusters
  • k21academy.com: Secure and Harden Kubernetes, AKS and EKS Cluster with kube-bench, kube-hunter and CIS Benchmarks 🌟
• Analyze Kubernetes Audit logs using Falco 🌟 Detect intrusions that happened in your Kubernetes cluster through audit logs using Falco
• blog.kasten.io: Kubernetes Ransomware Protection with Kasten K10 v4.0
• helpnetsecurity.com: Kubestriker: A security auditing tool for Kubernetes clusters 🌟 Kubestriker is an open-source, platform-agnostic tool for identifying security misconfigurations in Kubernetes clusters.
• Kubernetes Goat 🌟 is designed to be an intentionally vulnerable cluster environment to learn and practice Kubernetes security.
• itnext.io: How-To: Kubernetes Cluster Network Security 🌟
• gist.github.com: How to protect your ~/.kube/ configuration
• levelup.gitconnected.com: Enforce Audit Policy in Kubernetes (k8s)
• snyk.io: 10 Kubernetes Security Context settings you should understand
• magalix.com: Top 8 Kubernetes Security Best Practices 🌟
• redhat.com: The State of Kubernetes Security
• igorzhivilo.com: Network policy and Calico CNI to Secure a Kubernetes cluster
• fairwinds.com: Discover the Top 5 Kubernetes Security Mistakes You're (Probably) Making
• tigera.io: Kubernetes security policy design: 10 critical best practices 🌟
• empresas.blogthinkbig.com: Descubierta una vulnerabilidad en Kubernetes que permite acceso a redes restringidas (CVE-2020-8562)
• thenewstack.io: Kubernetes: An Examination of Major Attacks 🌟 Constant vigilance is required to ensure that cloud infrastructure is locked down and that DevSecOps teams have the right tools for the job.
• nsa.gov: NSA, CISA release Kubernetes Hardening Guidance 🌟🌟
  • Kubernetes Hardening Guidance 🌟🌟
  • thenewstack.io: The NSA Can Help Secure Your Kubernetes Clusters
  • therecord.media: NSA, CISA publish Kubernetes hardening guide 🌟🌟
    • Scan containers and Pods for vulnerabilities or misconfigurations.
    • Run containers and Pods with the least privileges possible.
    • Use network separation to control the amount of damage a compromise can cause.
    • Use firewalls to limit unneeded network connectivity and encryption to protect confidentiality.
    • Use strong authentication and authorization to limit user and administrator access as well as to limit the attack surface.
    • Use log auditing so that administrators can monitor activity and be alerted to potential malicious activity.
    • Periodically review all Kubernetes settings and use vulnerability scans to help ensure risks are appropriately accounted for and security patches are applied.
  • cloud.redhat.com: OpenShift and the NSA-CISA ‘Kubernetes Hardening Guidance’ Red Hat OpenShift is the quickest path to meeting the NSA’s Kubernetes hardening guidance
  • ==Kubescape== 🌟 kubescape is the first tool for testing if Kubernetes is deployed securely as defined in Kubernetes Hardening Guidance by to NSA and CISA. Tests are configured with YAML files, making this tool easy to update as test specifications evolve.
    • infoq.com: Armo Releases Kubescape K8s Security Testing Tool: Q&A with VP Jonathan Kaftzan
  • infoq.com NSA and CISA Publish Kubernetes Hardening Guidance
  • csoonline.com: Kubernetes hardening: Drilling down on the NSA/CISA guidance The new guidance gives a solid foundation for hardening Kubernetes container environments. These are its key components and why they are important.
  • armosec.io: Kubescape - As “left” as it can get – find Kubernetes security issues while coding, not after
• cloud.redhat.com: Top Open Source Kubernetes Security Tools of 2021 🌟🌟
• ==cncf.io: How to secure your Kubernetes control plane and node components==
• redhat.com: State of Kubernetes Security Report - Spring 2021 (PDF) 🌟
• kubernetes.io: Overview of Cloud Native Security 🌟🌟 This overview defines a model for thinking about Kubernetes security in the context of Cloud Native security.
• elastisys.com: NSA and CISA Kubernetes Security Guidance: Summarized and Explained
• learn.hashicorp.com: Integrate a Kubernetes Cluster with an External Vault 🌟
• talkingquickly.co.uk: Kubernetes Single Sign On - A detailed guide 🌟
• armosec.io: A Practical Guide to the Different Compliance Kubernetes Security Frameworks and How They Fit Together 🌟🌟
• thenewstack.io: How to Secure Kubernetes, the OS of the Cloud
• akhilsharma.work: The 4C's of Kubernetes Security
• Kubernetes security thing: Always be careful of what you are letting your users choose for usernames. If someone has a username of system:kube-controller-manager on an external Identity system, Kubernetes will quite happily give them the rights of the controller manager. The --oidc-username-prefix and --oidc-groups-prefix flags are userful for preventing this in OIDC integrations.
• medium: Securing the Kubernetes cluster | Lessandro Z. Ugulino
• ==infoworld.com: The race to secure Kubernetes at run time== A new wave of startups is looking to help developers secure their containerized applications after they go into production. Is this the future of application security?
• ==goteleport.com: Kubernetes API Access Security Hardening==
• infoworld.com: Securing the Kubernetes software supply chain with Microsoft's Ratify Microsoft’s Ratify proposal adds a verification workflow to Kubernetes container deployment. The Ratify team has some demo code in their GitHub repository that shows how to use Ratify with Gatekeeper in Kubernetes. Ratify installs using a Helm chart, bringing along some sample configuration templates.
• amazicworld.com: Top 5 security threats unique to a Kubernetes and Cloud Native stack
• ==peoplactive.com: Kubernetes and Container Security Checklist to Build Secure Apps==
• venturebeat.com: Kubernetes security will have a breakout year in 2022
• ==medium: Comparing Kubernetes Security Frameworks and Guidance== 🌟 Comparing popular Kubernetes security and compliance frameworks, how they differ, when to use, common goals, and suggested tools.
• aninditabasak.medium.com: A Lap around Kubernetes Security & Vulnerability scanning Tools — checkov, kube-hunter, kube-bench & Starboard
• ==blog.gitguardian.com: Hardening Your Kubernetes Cluster - Threat Model (Pt. 1)== 🌟 The NSA and CISA recently released a guide on Kubernetes hardening. We'll cover this guide in a three part series. First, let's explore the Threat Model and how it maps to K8s components.
  • ==blog.gitguardian.com: Hardening Your Kubernetes Cluster - Guidelines (Pt. 2)== 🌟 In this second episode, we will go through the NSA/CISA security recommendations and explain every piece of the guidelines.
• blog.devgenius.io: How is security managed in Kubernetes clusters? Best practices for managing security in Kubernetes at various layers
• blog.gitguardian.com: Kubernetes Hardening Tutorial Part 1: Pods Get a deeper understanding of Kubernetes Pods security with this first tutorial.
  • blog.gitguardian.com: Kubernetes Hardening Tutorial Part 2: Network How to achieve Control Plane security, true resource separation with network policies, and use Kubernetes Secrets more securely.
• infoworld.com: 10 steps to automating security in Kubernetes pipelines DevOps teams don’t need to sacrifice the speed of containerized development if they know what can be automated, why it’s important, and how to do it

[](https://www.blackhat.com/)

Service Accounts

• Service account is an important concept in terms of Kubernetes security. You can relate it to AWS instance roles and google cloud instance service account if you have a cloud background. By default, every pod gets assigned a default service account if you don't specify a custom service account. Service account allows pods to make calls to the API server to manage the cluster resources using ClusterRoles or resources scoped to a namespace using Roles. Also, you can use the Service account token from external applications to make API calls to the kubernetes API server.
  • devopscube.com: How To Create Kubernetes Service Account For API Access
  • devopscube.com: How to Create kubernetes Role for Service Account
  • github.com/scriptcamp/kubernetes-serviceaccount-example Example Kubernetes manifests to create service account mapped to Rolebinding.
• medium: Working with Service Account In Kubernetes 🌟 How to configure a service account in Kubernetes and manage it?
• github.com/dvob/k8s-s2s-auth: Kubernetes Service Accounts 🌟 Service accounts are well known in Kubernetes to access the Kubernets API from within the cluster. This is often used for infrastructure components like operators and controllers. But we can also use service accounts to implement authentication in our own applications. This README tries to give an overview on how service accounts work and and shows a couple of variants how you can use them for authentication. Further this repository contains an example Go service which shows how to implement the authentication in an application.
• sandeepbaldawa.medium.com: Service Accounts in K8s (Kubernetes)
• ==mjarosie.github.io: IAM roles for Kubernetes service accounts - deep dive==
• linkerd.io: Using Kubernetes's new Bound Service Account Tokens for secure workload identity

Kubernetes Secrets

• cncf.io: Revealing the secrets of Kubernetes secrets 🌟 In this article you will learn how to protect Secrets in your Kubernetes cluster
• Hands on your first Kubernetes secrets 🌟
• dev.to: Store your Kubernetes Secrets in Git thanks to Kubeseal. Hello SealedSecret! 🌟
• blog.doit-intl.com: Kubernetes and Secrets Management in the Cloud
• itnext.io: Effective Secrets with Vault and Kubernetes
• kubernetes.io: Encrypting Secret Data at Rest 🌟
• "Kubernetes base64 encodes secrets because that makes arbitrary data play nice with JSON. It had nothing to do with the security model (or lack thereof). It did not occur to us at the time that people could mistake base64 for some form of encryption"
  • "I've always wondered how folks expect a system would be able to protect data at rest like that. If the public key and private key are local on the machine - nothing is secure no matter what algorithm is used"
  • "The issue is not new or unique to k8s. There is a general confusion between encoding and encryption. Ask any web dev about base64, and there is a good chance they'll tell you it's encryption"
  • "The test is clearly wrong if that is the word used, literally everything is encoded somehow. If they meant encrypted instead, then it's half true, secrets are encrypted in transit but only at rest if a KMS plugin is used"
  • "The semantics are important. Easy to grant an RBAC policy like "read only except secrets"
  • "I just meant that base64 prevents you from logging a secret in plain text by accident… but many more layers are required to keep your secrets secret"
  • "You need to configure how the key is managed and ideally opt into something like KMS plugin (which depends on how the cluster is hosted) to make it good"
• redhat.com: Managing secrets for Kubernetes pods
• enterprisersproject.com: How to explain Kubernetes Secrets in plain English 🌟 What is a Kubernetes secret? How does this type of Kubernetes object increase security? How do you create a Kubernetes secret? What are some best practices? Experts break it down
• millionvisit.blogspot.com: Kubernetes for Developers #19: Manage app credentials using Kubernetes Secrets 🌟
• kubermatic.com: Keeping the State of Apps Part 2: Introduction to Secrets
• medium: Kubernetes Secrets Explained
• medium: Managing your sensitive information during GitOps process with Secret Sealed
• ==enlear.academy: Sealed Secrets with Kubernetes== Usage of the sealed secret to encrypt Kubernetes secrets.
• medium.com/codex: Sealed Secrets for Kubernetes How to encrypt Kubernetes Secret component and store it on the Git. And decrypt it using Kubernetes controller.

Encrypting the certificate for Kubernetes. SSL certificates with Let's Encrypt in Kubernetes Ingress via cert-manager

• Kubernetes Certs
• Using SSL certificates from Let’s Encrypt in your Kubernetes Ingress via cert-manager 🌟
• medium: Encrypting the certificate for Kubernetes (Let’s Encrypt) 🌟
• rejupillai.com: Let’s Encrypt the Web (for free)
• betterprogramming.pub: Kubernetes and SSL Certificate Management 🌟 Manage SSL certificate orders in K8s with Helm and Let’s Encrypt.
• getbetterdevops.io: How to Secure K8S Nginx Ingress With Let’s Encrypt and Cert Manager Automate the provisioning of Let's Encrypt certificates for ingress resources
• faun.pub: Automate Certificate Management In Kubernetes Using Cert-Manager

RBAC

• Configure RBAC in Kubernetes Like a Boss 🌟 Learn how to configure RBAC in kubernetes. In this post, you will configure RBAC both with kubectl and yaml definitions.
• infracloud.io: How to setup Role based access (RBAC) to Kubernetes Cluster 🌟
• Kubernetes RBAC Permission Manager 🌟
• Krane 🌟 is a Kubernetes RBAC static analysis tool. It identifies potential security risks in K8s RBAC design and makes suggestions on how to mitigate them. Krane dashboard presents current RBAC security posture and lets you navigate through its definition.
• rbac.dev 🌟🌟🌟 advocacy site for Kubernetes RBAC. A site dedicated to good practices and tooling around Kubernetes RBAC. Both pull requests and issues are welcome.
  • For recipes, tips and tricks around RBAC see recipes.rbac.dev 🌟
• github.com/clvx/k8s-rbac-model: Kubernetes RBAC Model This is a implementation of a RBAC model for a multi project multi tenant Kubernetes cluster.
• loft.sh: Kubernetes RBAC: Basics and Advanced Patterns
• ==marcusnoble.co.uk: Restricting cluster-admin Permissions==

Admission Control

• blog.styra.com: Why RBAC is not enough for kubernetes security 🌟🌟
• medium: Single Sign-On in Kubernetes 🌟
• trstringer.com: Create a Basic Kubernetes Validating Webhook

Security Best Practices Across Build, Deploy, and Runtime Phases

• Kubernetes Security 101: Risks and 29 Best Practices 🌟
• Build Phase:
  1. Use minimal base images
  2. Don’t add unnecessary components
  3. Use up-to-date images only
  4. Use an image scanner to identify known vulnerabilities
  5. Integrate security into your CI/CD pipeline
  6. Label non-fixable vulnerabilities
• Deploy Phase:
  1. Use namespaces to isolate sensitive workloads
  2. Use Kubernetes network policies to control traffic between pods and clusters
  3. Prevent overly permissive access to secrets
  4. Assess the privileges used by containers
  5. Assess image provenance, including registries
  6. Extend your image scanning to deploy phase
  7. Use labels and annotations appropriately
  8. Enable Kubernetes role-based access control (RBAC)
• Runtime Phase:
  1. Leverage contextual information in Kubernetes
  2. Extend vulnerability scanning to running deployments
  3. Use Kubernetes built-in controls when available to tighten security
  4. Monitor network traffic to limit unnecessary or insecure communication
  5. Leverage process whitelisting
  6. Compare and analyze different runtime activity in pods of the same deployments
  7. If breached, scale suspicious pods to zero
• thenewstack.io: 6 Kubernetes Security Best Practices 🌟
• kodekloud.com: Kubernetes Security Best Practices

[](https://www.stackrox.com/post/2020/05/kubernetes-security-101/)

Kubernetes Authentication and Authorization

• kubernetes.io: Authenticating
• kubernetes.io: Access Clusters Using the Kubernetes API
• kubernetes.io: Accesing Clusters
• magalix.com: kubernetes authentication 🌟
• magalix.com: kubernetes authorization 🌟
• kubernetes login
• learnk8s.io: Authentication between microservices using Kubernetes identities 🌟
• gravitational.com: How to Set Up Kubernetes SSO with SAML

Kubernetes Authentication Methods

Kubernetes supports several authentication methods out-of-the-box, such as X.509 client certificates, static HTTP bearer tokens, and OpenID Connect.

X.509 client certificates

• Kubernetes Authentication and Authorization with X509 client certificates

Static HTTP Bearer Tokens

• kubernetes.io: Access Clusters Using the Kubernetes API
• stackoverflow: Accessing the Kubernetes REST end points using bearer token

OpenID Connect

• OpenID Connect

Implementing a custom Kubernetes authentication method

• Implementing a custom Kubernetes authentication method

Pod Security Policies (SCCs - Security Context Constraints in OpenShift)

• Pod Security Policy (SCC in OpenShift) 🌟
• rancher.com: Enhancing Kubernetes Security with Pod Security Policies, Part 1
  • rancher.com: Enhancing Kubernetes Security with Pod Security Policies, Part 2
• developer.squareup.com: Kubernetes Pod Security Policies (PSP) an example with exception management
• itnext.io: Implementing a Secure-First Pod Security Policy Architecture
• Neon Mirrors: Kubernetes Policy Comparison: OPA/Gatekeeper vs Kyverno

Security Profiles Operator

• The Security Profiles Operator (SPO) is an out-of-tree Kubernetes enhancement to make the management of seccomp, SELinux and AppArmor profiles easier and more convenient.
• kubernetes-sigs/security-profiles-operator
• kubernetes.io: What's new in Security Profiles Operator v0.4.0

EKS Security

• Security Group Rules EKS
• EC2 ENI and IP Limit
• Calico in EKS
• Amazon EKS Best Practices Guide for Security 🌟
  • EKS Best Practices Guide for Security 🌟
• medium.com: Securing Kubernetes Dashboard on EKS with Pomerium

CVE

• hackerone.com: Authenticated kubernetes principal with restricted permissions can retrieve ingress-nginx serviceaccount token and secrets across all namespaces
• blog.lightspin.io: NGINX Custom Snippets CVE-2021-25742

Tweets

Click to expand!

Kubernetes base64 encodes secrets because that makes arbitrary data play nice with JSON. It had nothing to do with the security model (or lack thereof). It did not occur to us at the time that people could mistake base64 for some form of encryption.

— Daniel Smith (@originalavalamp) July 4, 2021

<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>

#OAuth has 4 Flows for retrieving an Access Token.

If you have worked with it, you know how difficult is it to remember what is what.

A Zine says a lot, seriously a lot. Check this out.
Idea credits @b0rk #IAM #security #infosec #webdev #web #webcomic #webcomics
RT if useful pic.twitter.com/fbrls0V08K

— Rohit (@sec_r0) January 8, 2021

<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>

Kubernetes security best practices in short -

A Thread 👇 pic.twitter.com/kehRjXuiEw

— Rakesh Jain (@devops_tech) October 9, 2021

<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>

Kubernetes security thing: Always be careful of what you are letting your users choose for usernames. If somone has a username of system:kube-controller-manager on an external Identity system, Kubernetes will quite happily give them the rights of the controller manager :)

— Rory McCune (@raesene) November 1, 2021

<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>