Skip to content

Kubernetes Security

  1. Introduction
  2. Securing a Kubernetes cluster using TLS certificates
  3. Kubernetes Security Scanners
  4. Security Checklist Kubernetes OWASP
  5. Exposed Kubernetes Clusters
  6. NSA National Security Agent Kubernetes Hardening Guidance
  7. CIS Benchmarks and CIS Operator
  8. User and Workload identities in Kubernetes
  9. Service Accounts
  10. Kubernetes Secrets
  11. Kubernetes Cert-Manager. Encrypting the certificate for Kubernetes. SSL certificates with Let’s Encrypt in Kubernetes Ingress via cert-manager
  12. Kubernetes OpenID Connect OIDC
    1. OAuth2 Proxy
    2. Alternatives
  13. RBAC and Access Control
    1. Tools
  14. Kubernetes and LDAP
  15. Admission Control
  16. Kubernetes Security Best Practices
  17. Kubernetes Authentication and Authorization
    1. Kubernetes Authentication Methods
    2. X.509 client certificates
    3. Static HTTP Bearer Tokens
    4. OpenID Connect
    5. Implementing a custom Kubernetes authentication method
  18. Pod Security Policies (SCCs - Security Context Constraints in OpenShift)
  19. Security Profiles Operator
  20. EKS Security
  21. External Secrets Operator
  22. CVE
    1. Official Kubernetes CVE Feed
  23. Videos
  24. Tweets

Introduction

kubernetes security mindmap

Securing a Kubernetes cluster using TLS certificates

Kubernetes Security Scanners

Security Checklist Kubernetes OWASP

Exposed Kubernetes Clusters

  • blog.cyble.com: Exposed Kubernetes Clusters Organizations At Risk Of Data Breaches Via Misconfigured Kubernetes. Over 900k Kubernetes exposures were observed across the internet during a routine threat-hunting exercise. While this does not imply that all exposed instances are vulnerable to attacks, it still makes them a target.

NSA National Security Agent Kubernetes Hardening Guidance

CIS Benchmarks and CIS Operator

  • ibm.com: CIS Benchmarks Developed by a global community of cybersecurity professionals, CIS Benchmarks are a collection of best practices for securely configuring IT systems, software, networks, and cloud infrastructure.
  • aymen-abdelwahed.medium.com: K8s Operators β€” CIS Kubernetes Benchmarks How can I run my workloads securely on top of Kubernetes? In this post, we’ll be taking a look at the CIS-Benchmark, breaking the concept down to simple terms, and in the end, deploying the CIS-Operator using Helm charts and custom values
    • rancher/cis-operator This is an operator that can run on a given Kubernetes cluster and provide ability to run security scans as per the CIS benchmarks, on the cluster.

User and Workload identities in Kubernetes

Service Accounts

Kubernetes Secrets

Kubernetes Cert-Manager. Encrypting the certificate for Kubernetes. SSL certificates with Let’s Encrypt in Kubernetes Ingress via cert-manager

Kubernetes OpenID Connect OIDC

OAuth2 Proxy

OAuth2 Proxy is an open-source reverse proxy that provides authentication and authorization for web applications. It is designed to sit in front of your web application and authenticate users using OAuth2 providers such as Google, Microsoft, and Facebook. Once a user has been authenticated, OAuth2 Proxy adds an authorization header to each request, allowing the web application to verify that the request came from an authenticated user.

OAuth2 Proxy is commonly used in Kubernetes environments to secure access to web applications deployed on a Kubernetes cluster. It integrates with Kubernetes API Server to provide automatic configuration and discovery of the OAuth2 provider’s credentials. It also supports a variety of authentication mechanisms, including Google OAuth2, Microsoft Azure AD, GitHub OAuth2, and others.

Some of the key features of OAuth2 Proxy include:

Support for multiple OAuth2 providers Automatic configuration and discovery of OAuth2 provider credentials Support for a variety of authentication mechanisms, including JWT tokens, cookies, and HTTP basic authentication Fine-grained access control through the use of role-based access control (RBAC) Support for custom headers and footers to customize the user interface Overall, OAuth2 Proxy is a powerful tool for securing web applications using OAuth2 providers. It simplifies the authentication and authorization process and makes it easy to manage access to your applications in a Kubernetes environment.

Alternatives

There are several alternatives to OAuth2 Proxy in Kubernetes, depending on your specific use case and requirements. Some popular options include:

Istio: Istio is a popular open-source service mesh that provides a variety of features, including secure authentication and authorization through its Istio Authentication feature. Istio allows you to define authentication policies for your services using a variety of authentication mechanisms, such as JWT, OAuth, and mTLS.

Keycloak: Keycloak is an open-source identity and access management solution that provides a variety of features, including authentication, authorization, and user management. Keycloak can be deployed on Kubernetes using its Helm chart and can be used to secure your Kubernetes applications using a variety of authentication mechanisms, such as OAuth2, OpenID Connect, and SAML.

Dex: Dex is an open-source identity provider that can be used to provide authentication and authorization for Kubernetes applications. Dex can be deployed on Kubernetes using its Helm chart and can be used to authenticate users using a variety of authentication mechanisms, such as LDAP, OAuth2, and OpenID Connect.

Traefik: Traefik is a popular open-source reverse proxy and load balancer that provides a variety of features, including secure authentication and authorization. Traefik can be used to secure your Kubernetes applications using a variety of authentication mechanisms, such as OAuth2, JWT, and basic authentication.

Ambassador: Ambassador is a popular open-source API Gateway that provides a variety of features, including secure authentication and authorization. Ambassador can be used to secure your Kubernetes applications using a variety of authentication mechanisms, such as OAuth2, JWT, and basic authentication.

Each of these alternatives provides different features and may be more suitable for different use cases. It’s important to evaluate each option based on your specific needs and requirements.

RBAC and Access Control

Tools

  • paralus.io 🌟 Zero trust Kubernetes with zero friction. - github.com/paralus/paralus Paralus is a free, open source tool that enables controlled, audited access to Kubernetes infrastructure. It comes with just-in-time service account creation and user-level credential management that integrates with your RBAC and SSO providers or Identity Providers (IdP) that support OIDC. Ships as a GUI, API, and CLI.
  • github.com/ondat/trousseau Trousseau uses the Kubernetes KMS provider framework to provide an envelope encryption scheme to encrypt secrets on the fly before they reach etcd. The project is modular and you can plug your own KMS tool (e.g. Vault).

Kubernetes and LDAP

Admission Control

Kubernetes Security Best Practices

kubernetes security controls landscape

Kubernetes Authentication and Authorization

Kubernetes Authentication Methods

Kubernetes supports several authentication methods out-of-the-box, such as X.509 client certificates, static HTTP bearer tokens, and OpenID Connect.

X.509 client certificates

Static HTTP Bearer Tokens

OpenID Connect

Implementing a custom Kubernetes authentication method

Pod Security Policies (SCCs - Security Context Constraints in OpenShift)

Security Profiles Operator

EKS Security

External Secrets Operator

  • external-secrets.io 🌟 External Secrets Operator is a Kubernetes operator that integrates external secret management systems like AWS Secrets Manager, HashiCorp Vault, Google Secrets Manager, Azure Key Vault, IBM Cloud Secrets Manager, and many more. The operator reads information from external APIs and automatically injects the values into a Kubernetes Secret.

CVE

Official Kubernetes CVE Feed

Videos

Click to expand!

Tweets

Click to expand!