Master CNAPPs for Superior Cloud Security

Unlock the full potential of CNAPPs. Discover top considerations and a roadmap to strengthen your cloud defenses.

Download the Guide Now


Kubernetes is the undisputed industry standard for container orchestration, and its rise is closely tied to the wide adoption of cloud-native technologies. However, as security breaches continue to increase globally, it’s necessary to institute and adhere to security best practices across your Kubernetes clusters — whether they’re on-premises or in the public cloud.


In this article, we’ll provide an overview of key recommendations for Kubernetes security best practices. These practices are based on the 4 Cs, which are designed to help organizations achieve optimal security across the primary layers of typical Kubernetes environments. 

The 4 Cs of Kubernetes security

The Kubernetes platform played a part in bridging development and operations teams into the role now known as DevOps. Thus, when discussing Kubernetes security, it is essential to consider both the application and infrastructure aspects. The 4 Cs security framework thoroughly addresses security principles across all four layers through which Kubernetes operates.

Code: Application code must be written according to rigorous code security standards and should follow standard application security guidelines, such as the OWASP Top Ten.

Container: The smallest unit of work inside any Kubernetes cluster is a pod, which contains one or more containers that share the same network namespace. Each container running inside any pod in production must use a trustworthy base image and runtime environment.

Cluster: This layer refers directly to how Kubernetes itself is configured. The access policies and security configurations of every Kubernetes cluster must be carefully designed.

Cloud: Like any other piece of software, Kubernetes ultimately runs on underlying hardware. The cloud infrastructure that hosts Kubernetes must be properly protected from attacks.


Code security

Code reviews

Application code security is often neglected as deadlines for releasing a feature approach. No matter how urgent a release seems, security should ideally be part of the acceptance criteria of any new feature. Code reviews ought to consider security aspects with a high degree of importance. Multiple developers should participate in the code review process to ensure that applications adhere to security standards as much as they do general coding standards.

Automated vulnerability scanning tools

Every software project depends on a number of third-party libraries. These dependencies save time and allow developers to focus on the business logic of the application instead of generic problems that have already been solved. However, as with any other piece of software, these libraries can contain security vulnerabilities. Therefore, continuously scanning third-party dependencies for vulnerabilities and patching them before your application is released to production should be integrated into the continuous integration/continuous delivery (CI/CD) pipeline as part of the build process.

Container security

Deploy trusted images

Container images that support your application are built on top of a base image, which often contains dependencies of its own. To ensure the highest levels of container security, it is recommended to use the leanest possible base image (with fewer dependencies when possible, since each dependency is a vector for potential security vulnerabilities). Nevertheless, it isn’t realistic to shy away from such dependencies, so the use of trusted images becomes essential.

Ideally, only images from verified sources should be used. These sources include Docker Official Images and the Docker Verified Publisher Program.

Regularly scan images and monitor runtime behavior

As with application dependencies, scan your images before deploying them to a container registry. Kubernetes will pull these images and use them for deployment. But even after deployment, container runtimes should be continuously monitored to detect potential anomalies caused by malware or unauthorized access.
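As an added illustration of the trusted-image rule above (example code, not CrowdStrike's or the page's own), this check parses each container image reference the way a runtime does and flags images that come from outside an allow-listed registry or are not pinned to a digest; the registry names in TRUSTED_REGISTRIES are constructed placeholders, and digest pinning is one step beyond what the text states.

```python
import re
from dataclasses import dataclass

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
# Constructed allow-list (this example is not CrowdStrike's code): registries
# whose images the policy treats as trusted.
TRUSTED_REGISTRIES = {"docker.io", "registry.example.internal"}


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str
    tag: "str | None"
    digest: "str | None"


def parse_image(ref: str) -> ImageRef:
    """Normalise a reference like a container runtime does ('nginx' -> docker.io/library/nginx)."""
    name, _, digest = ref.partition("@")
    if digest and not DIGEST_RE.match(digest):
        raise ValueError(f"malformed digest in {ref!r}")
    # Text after the last ':' is a tag only if that ':' follows the last '/'; otherwise it is a port.
    tag = None
    if name.rfind(":") > name.rfind("/"):
        name, _, tag = name.rpartition(":")
    first, sep, rest = name.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, repository = first, rest
    else:
        registry, repository = "docker.io", name
        if "/" not in repository:
            repository = "library/" + repository  # Docker Official Images live under library/
    return ImageRef(registry, repository, tag, digest or None)


def check_image(ref: str) -> list:
    """Policy findings for one image reference; an empty list means it is compliant."""
    img = parse_image(ref)
    findings = []
    if img.registry not in TRUSTED_REGISTRIES:
        findings.append(f"untrusted registry {img.registry}")
    if img.digest is None:
        findings.append("not pinned to a digest (a tag can be repointed without notice)")
        if img.tag in (None, "latest"):
            findings.append("uses the mutable 'latest' tag")
    return findings


def check_pod(pod: dict) -> dict:
    """Map each non-compliant container (init or regular) in a pod manifest (dict form) to its findings."""
    spec = pod.get("spec", {})
    containers = spec.get("initContainers", []) + spec.get("containers", [])
    return {c["name"]: f for c in containers if (f := check_image(c["image"]))}
```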

Cluster security

Implement RBAC

Cluster security can be split into several domains that must be carefully addressed. Access should be granted granularly with role-based access control (RBAC) so that cluster operators receive only the privileges they need.

Isolate workloads by using namespaces

Workloads should be securely separated with Kubernetes namespaces to ensure proper network isolation and provide an additional layer of access control. 

Enforce network and pod security policies

Network traffic between pods and services — as well as ingress and egress traffic with sources outside the cluster — should only be permitted if necessary. Traffic should be encrypted using secure protocols, such as TLS. Service mesh tools, such as Istio, can be utilized to simplify this process. 

Protect the API server

All updates and new deployments in the cluster are executed by sending requests to the Kubernetes API, either manually by DevOps engineers or automatically via the CI/CD pipeline (with tools such as Helm). Therefore, access to the Kubernetes API should be tightly controlled and fully encrypted. 

Enable audit logging

In case any kind of unexpected behavior does occur in the cluster, audit logging should be enabled to help identify the root cause. Audit logs serve as a comprehensive source of records about actions and events. These logs can help answer important questions, such as what happened, when it happened, and who caused it.
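An added example, not part of the original article, of answering the what/when/who questions from audit events: the script reads audit.k8s.io/v1 events in JSON-lines form (the format the API server's log backend writes), reduces each completed request to who/from/what/when, and flags successful Secret reads, pod exec sessions and denied requests per user. The events below are constructed samples, not real cluster output.

```python
import json
from collections import Counter

# Constructed sample events (not real cluster output); only the fields used below are included.
SAMPLE_AUDIT_LOG = "\n".join([
    '{"stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:shop:web"},'
    '"objectRef":{"resource":"secrets","namespace":"shop","name":"db-creds"},"responseStatus":{"code":200},'
    '"requestReceivedTimestamp":"2024-05-01T10:00:01Z","sourceIPs":["10.0.1.5"]}',
    '{"stage":"ResponseComplete","verb":"create","user":{"username":"alice"},'
    '"objectRef":{"resource":"pods","subresource":"exec","namespace":"shop","name":"web-1"},'
    '"responseStatus":{"code":101},"requestReceivedTimestamp":"2024-05-01T10:00:03Z","sourceIPs":["10.0.2.9"]}',
    '{"stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:shop:web"},'
    '"objectRef":{"resource":"secrets"},"responseStatus":{"code":403},'
    '"requestReceivedTimestamp":"2024-05-01T10:00:04Z","sourceIPs":["10.0.1.5"]}',
    '{"stage":"RequestReceived","verb":"get","user":{"username":"alice"},'
    '"objectRef":{"resource":"pods","namespace":"shop"},"requestReceivedTimestamp":"2024-05-01T10:00:05Z"}',
])


def parse_events(log_text: str) -> list:
    """Keep completed requests only; RequestReceived entries carry no response code yet."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    return [e for e in events if e.get("stage") == "ResponseComplete"]


def describe(ev: dict) -> dict:
    """Reduce one event to the audit questions: who, from where, what, when, and the outcome."""
    ref = ev.get("objectRef", {})
    what = ref.get("resource", "?") + ("/" + ref["subresource"] if ref.get("subresource") else "")
    target = "/".join(p for p in (ref.get("namespace"), ref.get("name")) if p)
    return {"who": ev.get("user", {}).get("username", "?"),
            "from": ",".join(ev.get("sourceIPs", [])),
            "what": f"{ev.get('verb')} {what} {target}".strip(),
            "when": ev.get("requestReceivedTimestamp"),
            "status": ev.get("responseStatus", {}).get("code")}


def flag(events: list) -> list:
    """Findings a reviewer wants first: successful Secret reads, pod exec, and denied requests per user."""
    findings, denied = [], Counter()
    for ev in events:
        d, ref = describe(ev), ev.get("objectRef", {})
        if ref.get("resource") == "secrets" and d["status"] == 200:
            findings.append(f"secret access: {d['who']} {d['what']} at {d['when']}")
        if ref.get("subresource") == "exec":
            findings.append(f"pod exec: {d['who']} into {d['what'].split()[-1]} at {d['when']}")
        if d["status"] == 403:
            denied[d["who"]] += 1
    findings.extend(f"{n} forbidden request(s) by {who}" for who, n in denied.items())
    return findings
```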

Regularly update Kubernetes components

Finally, routinely update Kubernetes itself, including all of the software that runs in the cluster. This is a basic requirement for optimal security, as new vulnerabilities are discovered and patched versions of Kubernetes and its components are released regularly.


Cloud infrastructure security

Secure API server access

The API server must implement strict authentication. The control plane node that hosts it should not allow traffic from all sources. 

Harden nodes

The infrastructure that runs Kubernetes must adhere to its own set of security measures. Each instance in a cluster — called a node — should implement an instance-level firewall that would ideally be part of a subnet-level firewall as well. 

Encrypt Kubernetes secrets

Encrypt Kubernetes secrets at rest. When possible, use a separate, isolated secrets manager — such as HashiCorp Vault — to store the original secrets. Secrets managers provide features that Kubernetes does not, such as automatic secret rotation and dynamic secret generation. The Kubernetes ecosystem provides many custom resource definitions (CRDs) that facilitate seamless integration with these secrets managers. 

Perform regular audits

You should regularly audit your cloud infrastructure configuration, as it is dynamic by nature and may change significantly over time.


Additional practices

In addition to the essential 4 Cs, there are other security practices that should be considered. 

Use admission controllers

Admission controllers validate requests to the API server after authentication and authorization but before the objects are persisted, providing an additional layer of security for all incoming requests.

Set resource limits

Each deployment should be configured with CPU and memory limits. This is not just for cost optimization but to mitigate denial-of-service risks, such as resource exhaustion attacks. Pod autoscalers should also be configured with this in mind. 
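As an added example (not code from the article), the check below parses Kubernetes CPU and memory quantities and flags containers that have no requests or limits, whose limits exceed an assumed per-container ceiling, or whose request exceeds its limit; the manifest, the 4-core and 8Gi ceilings are constructed values.

```python
_BIN = {"Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3, "Ti": 1024 ** 4}
_DEC = {"k": 10 ** 3, "M": 10 ** 6, "G": 10 ** 9, "T": 10 ** 12}


def parse_cpu(q) -> float:
    """CPU quantity in cores: '500m' is 0.5 cores, '2' is 2 cores."""
    s = str(q)
    return int(s[:-1]) / 1000 if s.endswith("m") else float(s)


def parse_memory(q) -> int:
    """Memory quantity in bytes: binary ('128Mi'), decimal ('500M'), or a plain byte count."""
    s = str(q)
    for suffix, mult in {**_BIN, **_DEC}.items():
        if s.endswith(suffix):
            return int(float(s[: -len(suffix)]) * mult)
    return int(s)


# Constructed manifest in dict form (what yaml.safe_load returns); not from the article.
SAMPLE_POD = {"spec": {"containers": [
    {"name": "web", "resources": {"requests": {"cpu": "250m", "memory": "128Mi"},
                                  "limits": {"cpu": "500m", "memory": "256Mi"}}},
    {"name": "sidecar"},
    {"name": "batch", "resources": {"limits": {"cpu": "16", "memory": "32Gi"}}},
]}}


def check_resources(pod: dict, max_cpu: float = 4.0, max_memory: str = "8Gi") -> list:
    """Flag containers that could exhaust a node; the ceilings are assumed policy values."""
    findings, max_mem = [], parse_memory(max_memory)
    for c in pod.get("spec", {}).get("containers", []):
        res = c.get("resources") or {}
        limits, requests = res.get("limits") or {}, res.get("requests") or {}
        for kind in ("cpu", "memory"):
            if kind not in limits:
                findings.append(f"{c['name']}: no {kind} limit (can consume the whole node)")
            if kind not in requests:
                findings.append(f"{c['name']}: no {kind} request (scheduler cannot reserve capacity)")
        if "cpu" in limits and parse_cpu(limits["cpu"]) > max_cpu:
            findings.append(f"{c['name']}: cpu limit {parse_cpu(limits['cpu'])} cores exceeds ceiling {max_cpu}")
        if "memory" in limits and parse_memory(limits["memory"]) > max_mem:
            findings.append(f"{c['name']}: memory limit {limits['memory']} exceeds ceiling {max_memory}")
        if "cpu" in limits and "cpu" in requests and parse_cpu(requests["cpu"]) > parse_cpu(limits["cpu"]):
            findings.append(f"{c['name']}: cpu request above its limit (the API server rejects this)")
    return findings
```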

Enable comprehensive logging and monitoring

Configuring extensive observability in your Kubernetes clusters is generally considered a good practice. The Kubernetes ecosystem has several tools — such as Prometheus, Grafana, Jaeger, and Kiali — that together provide real-time monitoring and detailed metrics that can be helpful when investigating security issues. 

CrowdStrike: Your trusted partner for cloud-native security

With over a decade of continuous success, Kubernetes is used by millions of developers worldwide and is the leader among container orchestration solutions. Nonetheless, Kubernetes requires security at every layer to avoid vulnerabilities posing active risk in production. 

The four pillars of Kubernetes security (the 4 Cs) and other precautions can help your organization achieve optimal levels of security. However, following these best practices can be arduous without the assistance of tools like CrowdStrike Falcon® Cloud Security.

CrowdStrike is an industry-wide leader in cloud security, and Falcon Cloud Security is a powerful platform that can simplify your Kubernetes security complexity. To learn more about how CrowdStrike can help your company protect its Kubernetes environments, try out an interactive demo today.

Expert Tip

A cloud security assessment helps organizations evaluate their cloud infrastructure to determine if the appropriate levels of security and governance are implemented to counter challenges and risks that are unique to each organization. 

Learn more about CrowdStrike's cloud security assessment

Karishma Asthana is a Senior Product Marketing Manager for Cloud Security at CrowdStrike, based out of New York City. She holds a B.S. in Computer Science from Trinity College. With a background in software engineering and penetration testing, Karishma leverages her technical background to connect the dots between technological advances and customer value. She holds 5+ years of product marketing experience across both the cloud and endpoint security space.