Beginner guide to securing workloads on Kubernetes

I had a fair understanding Containerization and Orchestration concepts but I wanted to start from scratch again. So here is a beginner guide on how to secure your Workload on Cloud.

What is Kubernetes? Kubernetes is a open source platform for managing containerized workloads.

Some Jargon to be aware of:

Containers: Think of it as a box containing a bunch of functional code (of your business application) and all the dependencies it needs to run the code.

Workloads: Workload is your business application running on Kubernetes. A complex Workload will usually have multiple containers.

Pods: Pods are one of more containers running on a node in Kubernetes

Nodes: Kubernetes runs your workload by placing containers into Pods to run on Nodes

Control Plane: The plane usually accessed through APIs to manage everything that happens inside the Kubernetes cluster.

To sum is up: A Kubernetes cluster has multiple nodes. Each node will have multiple pods. Each pods will run multiple containers. Kubernetes will have a control plane that is used to manage all the nodes, pods and containers and their life cycle. 

We will now look at how we can secure a Kubernetes cluster running on Cloud. 

In order to comprehensively secure your workload running on Kubernetes, you will have to secure the following

• The Cloud where your Kubernetes cluster is hosted on
• The Cluster itself
• The Containers running inside the cluster and
• The application code 

Securing the Cloud: 

You can deploy Kubernetes directly on premise, on Cloud or leverage managed service provided by popular Cloud Service Providers (CSP) such as EKS, AKS or GKE. In a managed service set up, the Control plane is managed by the CSP who takes care of the security and availability of the Control plane. However in the other 2 deployment strategies, you will have to worry about the underlying infrastructure security starting from Network to the servers they are deployed on.

Following are some hardening suggestions to be implemented at an infrastructure level apart from the traditional hardening of the Network and Servers

• Restricting access to Control plane: Implement network controls to restrict access to Control plane APIs and not expose the Control plane to internet (Managed by CSP in a managed service model)
• Restricting access to Nodes: Configure NodePort to accept connections only from Control Plane and do not expose the Nodeports to the internet
• Kubernetes access to Cloud APIs: Implement appropriate IAM to ensure the Kubernetes clusters are having access to only the required cloud resources.
• Protect your etcd: Connections to etcd should be over TLS and etcd storage is encrypted [etcd is like a database of everything that is happening inside the cluster]

Securing the Cluster components: 

• Implemented RBAC using rbac.authorization.k8s.io 
• Ensure Security Port is used and TLS is enabled for all authentication by Service accounts and Human users
• Use --encryption-provider-config argument to encrypted etcd data which are stored as unencrypted by default 
• Use Baseline or Restrictive policy as defined by Pod Security Standards for your workloads
• Use NetworkPolicy to restrict communications at layer 3-4 levels

Container Image Security:

• Scan your container image for known vulnerabilities
• Sign container images 
• Restrict privileges of users within containers
• Use Container RuntimeClass to enable stronger isolation

Application Code Security

• SAST and DAST
• Build SBOM and upgrade vulnerable components
• Restrict communication ports at an application level 

I might have oversimplified a lot of concepts here. I strongly suggest going through a really well written support documentation available here: https://kubernetes.io/docs/concepts/