swissgogl.blogg.se

Controlplane quit application

This article was originally published on the Kubernetes blog.

Kubernetes security has come a long way since the project's inception, but still contains some gotchas. Starting with the control plane, building up through workload and network security, and finishing with a projection into the future of security, here is a list of handy tips to help harden your clusters and increase their resilience if compromised.

Part One: The Control Plane

The control plane (the Kubernetes master) has an overall view of every container and pod running on the cluster, can schedule new pods (which can include containers with root access to their parent node), and can read all the secrets stored in the cluster. This valuable cargo needs protecting from accidental leakage and malicious intent: when it's accessed, when it's at rest, and when it's being transported across the network.

1. TLS Everywhere

TLS should be enabled for every component that supports it, to prevent traffic sniffing, verify the identity of the server, and (for mutual TLS) verify the identity of the client. This network diagram by Lucas Käldström shows some of the places TLS should ideally be applied: between every component on the master, and between the kubelet and the API server. Note that some components and installation methods may enable local ports over plain HTTP (the API server's --insecure-port and the kubelet's --read-only-port are the usual culprits; both should be set to 0), and administrators should familiarise themselves with the settings of each component to identify potentially unsecured traffic. Kelsey Hightower's canonical Kubernetes The Hard Way provides detailed manual instructions, as does etcd's security model documentation.

Autoscaling Kubernetes nodes was historically difficult, as each node requires a TLS key to connect to the master, and baking secrets into base images is not good practice. Kubelet TLS bootstrapping lets a new kubelet submit a certificate signing request, so that its certificate is generated at boot time rather than shipped inside the image.

2. Enable RBAC with Least Privilege, Disable ABAC, and Monitor Logs

Role-based access control (RBAC) provides fine-grained policy management for user access to resources, such as access to namespaces. In Kubernetes, ABAC (Attribute Based Access Control) has been superseded by RBAC since 1.6 and should not be enabled on the API server. On GKE, disable it at cluster creation with --no-enable-legacy-authorization; on a self-managed cluster, make sure ABAC is absent from the API server's --authorization-mode list (for example --authorization-mode=Node,RBAC). There are plenty of good examples of RBAC policies for cluster services, as well as the docs. And it doesn't have to stop there: fine-grained RBAC policies can be extracted from audit logs with audit2rbac. Incorrect or excessively permissive RBAC policies are a security threat in case of a compromised pod; maintaining least privilege and continuously reviewing and improving RBAC rules should be considered part of the technical-debt hygiene that any good team builds into its development lifecycle.

Audit logging (beta in 1.9) provides customisable API logging at the payload (request and response) and metadata levels. The rules can be tuned to your organisation's security policy; GKE provides sane defaults. For read requests such as get, list and watch, only the request object is saved in the audit logs, not the response object. For requests involving sensitive data such as Secrets and ConfigMaps, only the metadata is recorded. For all other requests, both the request and response objects are saved.

Don't forget: keeping these logs only inside the cluster is a security threat in case of compromise. These, like all other security-sensitive logs, should be transported outside the cluster to prevent tampering in the event of a breach.

3. Use Third Party Auth for API Server

Centralising authentication and authorisation (aka Single Sign On) across an organisation helps onboarding, offboarding and consistent permissions for users. Integrating Kubernetes with third-party auth providers (like Google or GitHub) uses the remote platform's identity guarantees (backed up by things like 2FA) and saves administrators from reconfiguring the Kubernetes API server to add or remove users. Dex is an OpenID Connect (OIDC) and OAuth 2.0 provider with pluggable connectors; the API server validates the ID tokens it issues via its --oidc-issuer-url and --oidc-client-id flags. Pusher takes this a stage further with some custom tooling, and there are some other helpers with slightly different use cases.
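As an added example (not from the original article), here is the kind of least-privilege Role and RoleBinding the RBAC section above calls for: a deployment pipeline that may roll out and inspect workloads in one namespace and nothing else. The payments namespace, the ci-deployer ServiceAccount and the deployer Role name are hypothetical.

```yaml
# Added example, not from the original article. Namespace, ServiceAccount
# and Role names are hypothetical.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: deployer
  namespace: payments
rules:
# Read-only access to pods and their logs for troubleshooting a rollout.
# No secrets, no configmap writes, no pods/exec: a compromised pipeline
# token cannot read credentials or get a shell in a running container.
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]
# Update deployments (new image tag) but never delete them or create
# arbitrary workloads, so the token cannot schedule a privileged pod.
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: deployer
  namespace: payments
subjects:
- kind: ServiceAccount
  name: ci-deployer
  namespace: payments
roleRef:
  # A namespaced Role, not a ClusterRole: the grant cannot leak into
  # other namespaces even if the binding is copied around.
  kind: Role
  name: deployer
  apiGroup: rbac.authorization.k8s.io
```

After applying the manifest, verify the boundary from an admin context with impersonation: `kubectl auth can-i get secrets --as=system:serviceaccount:payments:ci-deployer --namespace payments` should answer `no`, while the same query for `patch deployments.apps` should answer `yes`. Re-running such checks in CI is a cheap way to catch the permissive drift the section warns about.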
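An added example, not part of the original article, of an audit Policy that encodes the three logging levels the audit section above describes: metadata only for Secrets and ConfigMaps, request only for reads, and request plus response for everything else. Rules are evaluated in order and the first match wins, which is why the Secret/ConfigMap rule comes first; the file paths in the usage note are hypothetical.

```yaml
# Added example, not from the original article. Use apiVersion
# audit.k8s.io/v1beta1 on clusters older than 1.12.
apiVersion: audit.k8s.io/v1
kind: Policy
# Skip the RequestReceived stage so each request is logged once, at
# completion, with its response code.
omitStages:
- RequestReceived
rules:
# First match wins. This rule must precede the broader ones, otherwise a
# "create secrets" request would fall through to RequestResponse level and
# the secret body would land in the audit log.
- level: Metadata
  resources:
  - group: ""
    resources: ["secrets", "configmaps"]
# Reads: record who asked for what (and the request object), but not the
# response body, which could be a large list of objects.
- level: Request
  verbs: ["get", "list", "watch"]
# Everything else (create, update, patch, delete, exec, ...): full request
# and response bodies, needed to reconstruct what an attacker changed.
- level: RequestResponse
```

Point the API server at the file with `--audit-policy-file=/etc/kubernetes/audit-policy.yaml` and either `--audit-log-path=/var/log/kubernetes/audit.log` or, to satisfy the "ship it off the cluster" advice directly, `--audit-webhook-config-file` with a kubeconfig that targets your external log collector. Test the ordering after any edit: a `kubectl create secret` should produce an event with no `requestObject` field, and a `kubectl get pods` should produce one with no `responseObject`.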














