anitsh / til

Today I Learn (til) - Github `Issues` used as daily learning management system for taking notes and storing resource links.
https://anitshrestha.com.np
MIT License

Kubernetes Security #191

Open anitsh opened 3 years ago

anitsh commented 3 years ago

The 4C's of Cloud Native Security


How certificates are used by your cluster

Kubernetes requires PKI for the following operations:

- Client certificates for the kubelet to authenticate to the API server
- Server certificate for the API server endpoint
- Client certificates for administrators of the cluster to authenticate to the API server
- Client certificates for the API server to talk to the kubelets
- Client certificate for the API server to talk to etcd
- Client certificate/kubeconfig for the controller manager to talk to the API server
- Client certificate/kubeconfig for the scheduler to talk to the API server
- Client and server certificates for the front-proxy


anitsh commented 3 years ago

Admission Controllers

Note from one of the events about admission controllers:

Admission controllers play an important role in providing security and governance for Kubernetes. In this webinar, we will outline the Kubernetes Admission Controller architecture, and look in particular at the Validating Admission Controller function, along with the associated Open Policy Agent and Rego language components.

Having established the underlying infrastructure, we will look at several scenarios involving either misconfiguration or (potential) malice, and demonstrate appropriate admission control policies to combat them.

At the end of this talk, you will leave with:

- An overview of object creation in Kubernetes
- The basics of the Rego language (for writing admission controller policies)
- Sample admission controller policies for security and IT governance
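A validating admission policy of the kind the webinar describes, written as an added example in Rego for OPA (it is not code from the issue or the talk). It assumes the kube-mgmt convention that `input` is the AdmissionReview the API server sends to the webhook and that the `deny` set is folded into the response; the rule names and the `team` label are illustrative.

```rego
package kubernetes.admission

# Added example. Assumes OPA receives the full AdmissionReview as `input`
# (kube-mgmt convention); rule names and the `team` label are illustrative.

is_pod {
    input.request.kind.kind == "Pod"
}

# initContainers are easy to forget; check them with the same rules.
all_containers = array.concat(
    input.request.object.spec.containers,
    object.get(input.request.object.spec, "initContainers", []),
)

# Security: no privileged containers (misconfiguration or malice).
deny[msg] {
    is_pod
    c := all_containers[_]
    c.securityContext.privileged == true
    msg := sprintf("container %q must not run privileged", [c.name])
}

# Security: no sharing of host namespaces.
deny[msg] {
    is_pod
    field := ["hostNetwork", "hostPID", "hostIPC"][_]
    input.request.object.spec[field] == true
    msg := sprintf("%s is not allowed", [field])
}

# Governance: every pod must name an owning team via a label.
deny[msg] {
    is_pod
    not input.request.object.metadata.labels.team
    msg := "pod must carry a 'team' label"
}

# Fold the deny set into the AdmissionReview response the API server expects.
main = {
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "response": response,
}

response = {"allowed": false, "uid": input.request.uid, "status": {"message": reason}} {
    reason := concat("; ", deny)
    reason != ""
} else = {"allowed": true, "uid": input.request.uid}
```

Evaluate with `opa eval -i review.json -d policy.rego data.kubernetes.admission.main` against a captured AdmissionReview to see which rule fires; every violation is reported in one message rather than only the first.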