5 Typical Kubernetes Security Scenarios

Maintain least privilege: Incorrect or excessively permissive RBAC policies are a security threat in case of a compromised pod.

For Kubernetes workloads (pods, deployments, jobs, sets, etc.), they may be trusted at deployment time, but if they’re internet-facing there’s always a risk of later exploitation.

The Linux kernel has a number of overlapping security extensions (capabilities, SELinux, AppArmor, seccomp-bpf) that can be configured to provide least privilege to applications.

TODO: diagram

  • Linux Security Features and PodSecurityPolicies; Network security
  • RABC

Kubernetes Security


Kubernetes Security

1.1 Facts & State

  • Hard to keep aligned with current security best practice
  • Security pratice may break our applications or slow down our developers
  • Missing features of k8s security

1.2 Scenario: Secure Underline Platform

1.3 Scenario: Secure K8S Workload

1.4 Scenario: Security Practice In SDLC

Software developing life cycles

Scan the package

  • Airgap deployment: avoid docker pull.
  • Use fixed version for everything. OSS/TP

1.5 Scenario: Secure Disater From Admin Human Errors

1.6 Scenario: Secure Data Breach From Neighbors

1.7 Look Ahead

1.7.1 DONE You can’t get network policy security with default CNI

1.7.2 DONE Volume security: my PVC can be mounted only by me. Security within one namespace

1.7.3 DONE RABC can only filter individual resources, but not with name pattern

https://github.com/kubernetes/kubernetes/issues/56582

Subdividing namespaces is not trivial. The current advice is to use different namespaces. Are you primarily concerned with dividing access between users or service accounts?

1.7.4 DONE hostPath mount: filter by path pattern

1.8 What Security Enhancement PKS Has been Made?

More Reading: Kubernetes YAML Templates, 11 Ways (Not) to Get Hacked

<a href=”https://github.com/dennyzhang/www.dennyzhang.com/tree/master/kubernetes/kubernetes-security“><img align=”right” width=”200″ height=”183″ src=”github.png” /></a>

<div id=”the whole thing” style=”overflow: hidden;”>
<div style=”float: left; padding: 5px”> <a href=”https://www.linkedin.com/in/dennyzhang001“><img src=”linkedin.png” alt=”linkedin” /></a></div>
<div style=”float: left; padding: 5px”><a href=”https://github.com/dennyzhang“><img src=”github.png” alt=”github” /></a></div>
<div style=”float: left; padding: 5px”><a href=”https://www.dennyzhang.com/slack” target=”blank” rel=”nofollow”><img src=”badge.svg” alt=”slack”/></a></div>
</div>

<br/><br/>
<a href=”http://makeapullrequest.com” target=”blank” rel=”nofollow”><img src=”PRs-welcome-brightgreen.svg” alt=”PRs Welcome”/></a>

Blog URL: https://www.dennyzhang.com/kubernetes-security