Kubernetes (K8s) has become the go-to cloud operating system, enabling development without the overhead of adding servers and infrastructure. Using K8s warrants a review of how you are securing it.
To ensure your K8s deployment is as secure as possible:
- Scan your images, both at creation and continuously. New image versions are often released with vulnerabilities patched, but a vulnerability can still slip through the cracks if you do not know it is present in an image you are already running. Harbor is an image repository with built-in integration with Trivy, allowing images to be scanned as they are added.
- Use a K8s admission controller. Think of the controller as the security guard at the office door. A threat actor with access to your API server can do almost anything they want. You can integrate this controller with a scanning engine to ensure all actions meet your risk appetite. Falco is an example of an open-source tool for K8s threat detection.
- Secure the control plane. Since the control plane can schedule new images and access all secrets in the cluster, you should isolate its network and audit all kubectl commands. Use K8-security-configwatch to review any changes in config files.
- Every detection needs a response. You are already automating workloads, so automate the response as well. Sysdig is an open-source tool to assist with response in containers.
- Network segmentation. K8s network policies let you specify which pods may communicate with which. These policies can be implemented with tools like Istio, which runs as a sidecar that enforces network policy while also providing metrics. Cilium is another popular choice now, using eBPF for the filtering instead of a sidecar.
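The default-deny plus allow-list pattern behind the network segmentation point above, as an added example that is not from the original post. It assumes a namespace named "shop" with a frontend labelled app=web and a backend labelled app=api listening on TCP/8080; the names and labels are illustrative.

```yaml
# Added example (not from the original post). Assumes a namespace "shop" with
# a frontend (label app=web) and a backend (label app=api) listening on 8080.
#
# With no NetworkPolicy at all, every pod in the cluster can reach every
# other pod. Enforcement requires a CNI plugin that implements NetworkPolicy
# (Cilium is one such plugin).

# 1) Default deny: the empty podSelector selects every pod in "shop", and a
#    selected pod with no matching allow rule receives no ingress traffic.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: shop
spec:
  podSelector: {}
  policyTypes:
    - Ingress
---
# 2) Allow-list: only pods labelled app=web may reach app=api, and only on
#    TCP/8080. Policies are additive, so this opens exactly that path and
#    nothing else. (Adding "Egress" to the default deny also blocks DNS
#    lookups unless you explicitly allow UDP/TCP 53 to kube-dns.)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-web-to-api
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: web
      ports:
        - protocol: TCP
          port: 8080
```

Apply both documents with `kubectl apply -f` and verify with a pod that lacks the app=web label: its connection to the api service should time out, while a web pod connects normally.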
While the use cases for K8s offer tremendous benefits, it is always critical to think about security as part of the architecture plan rather than putting it in place after the fact.