Enhancing Kubernetes Security in Your Software Supply Chains With TLS certificates
If you are a software developer or a DevOps engineer, you know how important Kubernetes is for deploying scalable container-based applications that meet your critical business needs. The Cloud Native Computing Foundation’s 2023 Annual Survey found significant growth of Kubernetes — from 76% to 89% — in just one year, from 2022 to 2023. Kubernetes adoption has risen significantly in the last few years due to its ease of use and its ability to manage large-scale container services in a microservices architecture. Thus, Kubernetes has become the de facto operating system for container-based production workloads.
With its simplicity, it is no wonder that Kubernetes is loved and used by millions of developers worldwide.
As per CNCF’s survey, 71% of respondents are using Kubernetes in production and 18% are evaluating it for managing application workloads.
However, with this growing adoption comes increased security concerns, particularly within software supply chains. When you consider the damage caused by events such as last year’s incident at MGM, the massive SolarWinds and the lesser-known CodeCov attacks in 2020, it is clear that ensuring secure communication and integrity across these chains is paramount. One of the most effective ways to achieve this is through the implementation of transport layer security (TLS) certificates.
Security of Kubernetes Raises Concerns
There is even further evidence related to concerns about the security of Kubernetes. For example, Red Hat’s 2024 edition of the State of Kubernetes Security Report also noted, “Based on a survey of 600 DevOps, engineering and security professionals from around the globe…67% of respondents have delayed or slowed deployment due to Kubernetes security concerns,” adding that “46% of respondents identified revenue or customer loss as a result of a container and Kubernetes security incident.”
The Importance of TLS in Kubernetes
TLS certificates play a crucial role in securing communications in Kubernetes clusters and in the whole software supply chain. They provide encryption, ensuring data in transit is protected from eavesdropping and tampering. Additionally, TLS certificates authenticate the identity of communicating parties, ensuring that interactions are with legitimate services and not malicious actors. In the context of a software supply chain, this means ensuring that each component — from development to deployment — is verified and secure.
Securing the Kubernetes Control Plane
The Kubernetes control plane, comprising the API server, etcd, scheduler and controller manager, is the heart of a Kubernetes cluster. Securing the control plane is critical as it manages the state of the cluster.
API Server: The API server is the entry point for all administrative tasks. TLS is essential here to encrypt API requests and responses. Ensure the API server is configured to only accept requests over HTTPS, and use strong, up-to-date TLS configurations. Regularly rotate the TLS certificates to minimize the risk of compromise.
etcd: This key-value store holds the cluster state and must be secured to prevent unauthorized access. Use client-to-server and peer-to-peer TLS to encrypt communication between etcd members and clients. This ensures data integrity and confidentiality within the etcd cluster.
Kubelets: Each node runs a kubelet, responsible for node-level operations. Securing kubelet communication with the API server using TLS certificates ensures that only legitimate nodes participate in the cluster.
Ingresses: Ingress controllers play a crucial role in routing external traffic to services within the cluster. Securing these ingress controllers with TLS certificates is essential for protecting the confidentiality and integrity of data transmitted over the network.
When using cert-manager to issue certificates from public or private issuers, choose a certificate authority whose public and private issuers can issue the TLS certificates you need to secure your Kubernetes clusters in both production and development environments.
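As an added example (not from the original article), here is how cert-manager can issue and automatically rotate the TLS certificate for an ingress host from a private CA; the issuer name, the CA secret, the namespace and the hostname are assumed for illustration.

```yaml
# Added example (not from the original article): cert-manager issuing and
# auto-renewing an Ingress TLS certificate from a private CA. Assumed names:
# Secret "internal-ca-keypair" (CA tls.crt/tls.key, created out of band in the
# cert-manager namespace), namespace "shop", host "shop.example.internal".
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: internal-ca
spec:
  ca:
    secretName: internal-ca-keypair
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: shop-ingress-tls
  namespace: shop
spec:
  secretName: shop-ingress-tls        # Secret the Ingress references below
  dnsNames:
    - shop.example.internal
  duration: 2160h                     # 90-day lifetime
  renewBefore: 360h                   # renewed 15 days before expiry
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always            # fresh private key on every renewal
  usages:
    - server auth
  issuerRef:
    name: internal-ca
    kind: ClusterIssuer
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: shop
  namespace: shop
spec:
  tls:
    - hosts:
        - shop.example.internal
      secretName: shop-ingress-tls    # terminated by the ingress controller
  defaultBackend:
    service:
      name: shop
      port:
        number: 8080
```

The duration/renewBefore pair is what makes the rotation recommended above happen without manual intervention; checking `kubectl get certificate -n shop` shows whether the certificate is Ready and when it will next be renewed.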
Implementing TLS in the Software Supply Chain
A software supply chain typically involves several stages, from code development to container image creation, storage and deployment. Each stage must be secured to ensure the integrity and authenticity of the software.
Source Code Repositories: Use TLS to secure connections to source code repositories (e.g., GitHub, GitLab). This protects code in transit from being intercepted or altered. Additionally, employ mutual TLS (mTLS) to ensure that both the client and server authenticate each other, adding an extra layer of security.
CI/CD Pipelines: Continuous integration/continuous deployment (CI/CD) pipelines automate the building, testing and deployment of applications. Secure CI/CD tools and communication channels with TLS to prevent the injection of malicious code. Additionally, consider using signed commits and verifying signatures to ensure code integrity.
Container Registries: Registries store container images, which need to be securely transmitted to avoid tampering. Implement TLS for all connections to and from container registries. Furthermore, use image signing and verification tools (e.g., Docker Content Trust, Notary) to ensure that only trusted images are deployed.
Kubernetes Admission Controllers: Admission controllers can enforce security policies within the cluster. Implementing TLS for communication between admission controllers and the API server ensures that policies are applied securely.
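As an added example (not from the original article), the following manifests serve a validating admission webhook over TLS with a cert-manager certificate and let cert-manager's cainjector place the CA into the webhook configuration, so the API server verifies the webhook's identity before trusting its policy decisions; the namespace, service and issuer names are assumed.

```yaml
# Added example (not from the original article): an admission webhook served
# over TLS with a cert-manager certificate; cert-manager's cainjector copies the
# CA into the webhook configuration so the API server verifies the webhook's
# identity before sending it AdmissionReview requests. Assumed names: namespace
# "policy", Service "image-policy-webhook", ClusterIssuer "internal-ca".
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: image-policy-webhook-tls
  namespace: policy
spec:
  secretName: image-policy-webhook-tls   # mounted by the webhook Pod
  dnsNames:                              # names the API server dials
    - image-policy-webhook.policy.svc
    - image-policy-webhook.policy.svc.cluster.local
  duration: 720h
  renewBefore: 240h
  usages:
    - server auth
  issuerRef:
    name: internal-ca
    kind: ClusterIssuer
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: image-policy
  annotations:
    # cainjector fills clientConfig.caBundle from this Certificate's CA
    cert-manager.io/inject-ca-from: policy/image-policy-webhook-tls
webhooks:
  - name: image-policy.policy.svc
    admissionReviewVersions: ["v1"]
    sideEffects: None
    failurePolicy: Fail                  # fail closed if TLS or the webhook fails
    clientConfig:
      service:
        namespace: policy
        name: image-policy-webhook
        path: /validate
        port: 443
    rules:                               # e.g. reject images from untrusted registries
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["pods"]
```

With failurePolicy set to Fail, a certificate that the API server cannot verify blocks the admission request rather than silently skipping the policy check.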
Utilizing TLS certificates properly in your software supply chains can help decrease the chances of a cybersecurity incident, such as a supply chain attack or a man-in-the-middle attack. There are several vendors in the marketplace that companies can turn to for help in navigating and solving this issue. No matter which solution you choose, your company will be better off in the end because your supply chain will be much more secure, giving you a chance to breathe easier.