Secure access to Kubernetes

Avoiding Pitfalls

Access Control

The last aspect is controlling the content of a request. Kubernetes provides a long list of admission controllers that monitor and control very different things. Without changing the configuration, the controllers listed in the "Admission Controllers" box are enabled.

Admission Controllers

  • NamespaceLifecycle
  • LimitRanger
  • ServiceAccount
  • TaintNodesByCondition
  • Priority
  • DefaultTolerationSeconds
  • DefaultStorageClass
  • StorageObjectInUseProtection
  • PersistentVolumeClaimResize
  • MutatingAdmissionWebhook
  • ValidatingAdmissionWebhook
  • RuntimeClass
  • ResourceQuota

The Kubernetes documentation contains a description stating which controller implements which logic and what the configuration looks like [4]. Some of the plugins require their own configuration files or a YAML block in the cluster configuration.

One interesting example is LimitRanger, which limits resources (e.g., CPU, memory usage) for a namespace. This plugin mutates incoming requests by filling in default values. This happens, for example, if a pod definition does not specify how much CPU or memory it requests. In this way, the cluster admin can manage the extent to which resources are used by a customer or a namespace.

Optionally, an admission controller named PodSecurityPolicy can be added [5] that increases security by insisting that pods created by the system (e.g., by replica sets and deployments) comply with certain security policies. Among other things, it can restrict Linux capabilities, define SELinux contexts and AppArmor profiles for containers, or regulate the handling of privileges (Figure 4).

Figure 4: The online documentation for the admission controller PodSecurityPolicy comprehensively explains the attributes linked to it.
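As an added example that is not part of the article, the following is a restrictive PodSecurityPolicy of the kind described above, written against the policy/v1beta1 API that the admission controller used before its removal in Kubernetes 1.25; the policy, role and namespace names are constructed. The ClusterRole and RoleBinding are part of the example because a policy that no subject is allowed to "use" admits no pods at all.

```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted-example            # constructed name
  annotations:
    # Force the container runtime's default AppArmor profile
    apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
    apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
spec:
  privileged: false                   # no privileged containers
  allowPrivilegeEscalation: false     # no gaining privileges via setuid binaries
  requiredDropCapabilities: ["ALL"]   # drop every Linux capability
  # hostNetwork, hostPID and hostIPC default to false when omitted
  runAsUser:
    rule: MustRunAsNonRoot            # pods that would run as UID 0 are rejected
  seLinux:
    rule: RunAsAny                    # SELinux context is left to the runtime
  supplementalGroups:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
  fsGroup:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
  # Without a volumes list no volume type (not even the service account token) is allowed
  volumes: [configMap, emptyDir, secret, projected, persistentVolumeClaim]
---
# Pods are only admitted under a policy that their service account may "use"
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp-restricted-example-user   # constructed name
rules:
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    resourceNames: ["restricted-example"]
    verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp-restricted-example        # constructed name
  namespace: team-a                   # constructed namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp-restricted-example-user
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: system:serviceaccounts:team-a   # every service account in the namespace
```

With this binding in place, a pod in team-a that asks for `privileged: true` or omits `runAsNonRoot` is rejected at admission; a kubectl describe on the failed ReplicaSet shows the denial reason.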

Conclusions

Because Kubernetes makes all operations available through an API, it offers admins maximum flexibility. This pattern also continues in the security infrastructure. Rolling out even complex environments with dedicated security configurations is a simple and unambiguous process controlled by YAML files. This, however, does not release the developer from having to think about how to use these possibilities sensibly. On the upside, it opens up an opportunity to set effective standards in a centralized location.

The access controls shown in the article only illustrate the first step toward establishing security. Cluster admins also need to pay attention to the integrity and security of the images used. Images can contain security holes and are a potential gateway for rootkits. Also, the possibilities for container users to escalate their privileges are a permanent security issue.

What happens in practice if the deployment of a rolled out project fails because of security settings? This situation is not much different from what has happened with other IT security components (e.g., firewalls) in the last 20 years. IT security managers must therefore familiarize themselves with what can be the complex security contexts of Kubernetes systems. The design allows for secure operations but does not relieve admins from the burden of thinking.

The Author

Konstantin Agouros is Head of Open Source Projects at matrix technology AG, where he and his team advise customers on open source and cloud topics. His latest book Software Defined Networking: SDN-Praxis mit Controllern und OpenFlow [Practical Applications with Controllers and OpenFlow] (in German) is published by de Gruyter.
