Hot Topics
Cloud-Native Security KubeCon + CNC EU 2021 RSA Topics 

15 Point Kubernetes Security Checklist

, ,
by Fei Huang

Thoroughly securing containers and Kubernetes environments – especially in production where they’re most vulnerable – requires a layered security strategy with consistent vigilance across multiple fronts. Kubernetes itself has become an increasingly (and concerningly) frequent attack surface, with attackers exploiting critical vulnerabilities to interfere with or infiltrate containers at every stage of the pipeline. Enterprises must be better about anticipating attacks, avoid deprioritizing security and implement protections across their entire infrastructure, from containers and Kubernetes to the OS, systems and networks that enable their deployments.

This Kubernetes security checklist offers a systematic approach to achieving defense-in-depth and addressing the range of threats your deployments may face.

Enable a Production-Ready Security Strategy

    1. Did you harden your operating system? As a fundamental means of limiting the attack surface of container and Kubernetes deployments, carefully remove all unneeded files and modules. Also, make sure the latest security updates and patches are continually implemented.
    2. Did you introduce Kubernetes security best practices? Leverage available tools to implement security measures aligned to industry best practice guidelines. For example, a CIS Benchmark for Kubernetes can enable enterprises to quickly assess current practices and shine light on exactly where improvement is needed.
    3. Did you place access controls around different user types? Tightening access controls and employing the principle of least-privilege effectively hardens your systems, preventing attackers from running wild if they are able to breach a particular user profile. Try to find tools that make it simple to manage role-based access controls, and be sure to customize all permissions to limit access as much as possible. Doing so will go a long way toward preventing any unauthorized updates to images and systems.
    4. Did you perform vulnerability scanning of containers in the pipeline and for all registries? Automated visibility, monitoring, and scanning across the container application life cycle is essential to security. It all begins with the image build phase, then moves to registry scanning. Use tools that also enable scanning of Kubernetes secrets and private registries.
    5. Have you run integrity checks and digital signing of container images? These security measures enable unauthorized images to be detected and can prevent their deployment in the first place. Compliance checks on images should include CIS benchmarks, secrets inspection and other potential image violations.

Implement Basic Runtime Security Measures

  1. Have you deployed traditional firewall and perimeter security? Even advanced container and Kubernetes environments must defend against traditional external attacks. Use your existing firewalls, IDS/IPS and WAFs if available for your cloud deployments. But if not available or too costly, implement cloud-native runtime security protections to provide these protections.
  2. Did you harden your containers by limiting their lifespans? Most containers require only brief runtimes to accomplish what you need from them. Keep these windows – during which they exist as targets for attack – as tight as possible by frequently removing unused containers. Design containers to function as resources and processes existing for short periods, which spin up on demand and get out of harm’s way once their job is done.
  3. Are you reducing risk by loading application containers in read-only/non-persistent mode? By disallowing write access to container images, you also disallow related avenues for attackers. Even in this mode, you can allow the writing of required temporary application data at run-time.

Implement advanced run-time security

  1. Did you isolate or segment running containers into minimum working zones by service or application? By implementing policies that segment containers by service or application, you can further reduce attack surfaces and better defend end-to-end services from threats. You’ll want to have the flexibility required for containers to scale up and down without requiring manual changes to security policies or firewall rules.
  2. Can you monitor for attacks in real-time? All containers that expose an application interface or common port require monitoring that can recognize attacks as they happen. This includes threats at the application layer, such as DDoS and SQL injection attacks.
  3. Can you recognize abnormal container behavior? Your container security strategy should be able to whitelist process and file activity and map communication among containers, then monitor container and application behavior for suspicious activity and policy violations. Detecting, preventing and reporting these potential threats is essential to thwarting attacks.
  4. Are you automatically blocking unauthorized container access based on abnormal behavior? Much as traditional firewalls block unauthorized network layer access, runtime security in container and Kubernetes environments must be ready to immediately and automatically block access whenever threats are apparent, including from outside the cluster.
  5. Do you run live scans of all running containers? Scan containers for vulnerabilities to actively secure the container image as new containers spin up. It’s crucial to repeat this security measure even for images scanned in the registry, in order to detect new vulnerabilities and active threats.
  6. Can you automate security policies? Container and Kubernetes environments are far too dynamic for anything but an automated security approach to succeed. As containers scale across hosts and data centers and applications continuously update, security policies must automatically protect new containers and hosts.
  7. Do you analyze security events? Offline collection and analysis of security events and container forensic data, using a SIEM-like system, will help to flag repeated and coordinated attack patterns. Considering the ephemeral nature of many containers, storing security event data enables informed strategies that are difficult to pursue otherwise. This should include packet captures for suspicious network connections.

A Kubernetes deployment strategy that checks off every point on this list will have the visibility and automated security measures to effectively recognize and mitigate threats, and is likely to either defeat attacks or prevent them altogether.

KubeCon + CloudNativeCon Europe

Fei Huang

Fei Huang is the Chief Strategy Officer at NeuVector, a cloud-native Kubernetes security platform provider. Fei has 20+ years of experience in enterprise security, virtualization, cloud and embedded software. He was part of the founding team of CloudVolumes (acquired by VMware) and cofounder of Provilla, a DLP security company acquired by TrendMicro. Fei also holds several patents in security, virtualization and software architecture.

Fei Huang has 5 posts and counting. See all posts by Fei Huang