Security
最后更新于
最后更新于
When considering safety from a security perspective, Kubernetes includes potential attack vectors as shown in the image below:
(Image from "Kubernetes Security - Operating Kubernetes Clusters and Applications Safely")
To ensure the security of the cluster and containerized applications, Kubernetes offers a plethora of security mechanisms. These mechanisms restrict container behavior, minimize the attack surface of containers and clusters, thereby safeguarding the integrity of the entire system.
Cluster Security, for instance, involves components (such as kube-apiserver, etcd, kubelet, etc.) only exposing secure APIs and initiating TLS authentication, and enabling RBAC; Security Context: Restricting container behavior, including Capabilities, ReadOnlyRootFilesystem, Privileged, RunAsNonRoot, RunAsUser, and SELinuxOptions, among others; Pod Security Policy: Cluster-level Pod security policies that automatically set the Security Context for Pods and Volumes within the cluster; Sysctls: Allowing containers to set kernel parameters, subdivided into Safe Sysctls and Unsafe Sysctls; AppArmor: Restricting application access permissions; Network Policies: Finely controlling network access for container applications and within the cluster; Seccomp: An abbreviation for Secure computing mode, which limits the system calls that container applications can execute.
In addition, it is recommended to use newer versions of Kubernetes, as they usually contain fixes for common security issues. You can refer to kubernetes-announce for the latest Kubernetes release information or to cvedetails.com to review the CVE (Common Vulnerabilities and Exposures) list for each version of Kubernetes.
Kubernetes components (such as kube-apiserver, etcd, kubelet, etc.) only expose secure APIs and initiate TLS authentication.
Enable RBAC authorization, granting container applications the least privileges, and enable NodeRestriction admission control (to limit Kubelet permissions).
When there are too many RBAC rules or they fail to meet actual needs, it's recommended to use Open Policy Agent (OPA) to configure more flexible access policies.
Enable encrypted storage of Secrets (Secret Encryption) and configure TLS authentication for etcd;
Prohibit anonymous access and read-only ports of Kubelet, and initiate certificate rotation updates for Kubelet (Certificate Rotation).
Disable the default ServiceAccount's automountServiceAccountToken, and create specific ServiceAccounts for container applications when necessary.
Prohibit anonymous access to the Dashboard, restrict Dashboard access through RBAC, and ensure that the Dashboard can only be accessed over an internal network (via kubectl proxy).
Run CIS Kubernetes Benchmark regularly to ensure that the cluster's configuration or updates comply with the best security practices (using kube-bench and kube-hunter).
In multi-tenant scenarios, containerization processes can be strongly isolated using Kata Containers, gVisor, etc., or communication between container applications can be automatically encrypted using Istio, Linkerd, etc.
To ensure TLS security and avoid Zombie POODLE and GOLDENDOODLE Vulnerabilities, disable the CBC (Cipher Block Chaining) mode for TLS 1.2.
You can test TLS security issues with https://www.ssllabs.com/.
For a complete reference, see here.
Sysctls allow containerized applications to set kernel parameters, which are categorized into Safe Sysctls and Unsafe Sysctls:
Safe Sysctls: Kernel options that do not affect other Pods after being set and only act within the container namespace, enabled by default. These include:
kernel.shm_rmid_forced
net.ipv4.ip_local_port_range
net.ipv4.tcp_syncookies
Unsafe Sysctls: Kernel options that may affect other Pods and other services on the Node after being set, disabled by default. If used, administrators need to enable them during kubelet configuration, e.g. kubelet --experimental-allowed-unsafe-sysctls 'kernel.msg*,net.ipv4.route.min_pmtu'
Sysctls upgraded to Beta status in v1.11 and can be set directly through PSP specs, like so:
For versions v1.10 and earlier at the Alpha stage, they must be set through Pod annotations, such as:
AppArmor (Application Armor) is a security module in the Linux kernel that allows system administrators to associate each program with a security configuration file, thus limiting the program's capabilities. It specifies which files a program may read, write, or execute, and whether it can open network ports, among other things. As a supplement to the traditional Unix discretionary access control modules, AppArmor provides a mandatory access control mechanism.
Before using AppArmor, you should note that:
Kubernetes version >=v1.4
The apiserver and kubelet have enabled the AppArmor feature, --feature-gates=AppArmor=true
The AppArmor kernel module is enabled, check with cat /sys/module/apparmor/parameters/enabled
Only supports docker container runtime
AppArmor profiles are already loaded into the kernel, check with cat /sys/kernel/security/apparmor/profiles
AppArmor is still in the alpha stage and requires setting via Pod annotation container.apparmor.security.beta.kubernetes.io/<container_name> with possible values:
runtime/default: Use the default configuration of the Container Runtime
localhost/<profile_name>: Use an AppArmor profile that has been loaded into the kernel
Seccomp stands for Secure computing mode, which is an operation provided by the Linux kernel to limit the system calls a process is allowed to perform. Seccomp requires a configuration file that delineates the system calls permitted and prohibited for container processes.
In Kubernetes, seccomp configuration files should be placed in the /var/lib/kubelet/seccomp directory (modifiable via the kubelet option --seccomp-profile-root). For instance, to disable chmod:
Seccomp is still in the alpha stage and must be set through Pod annotations, including:
security.alpha.kubernetes.io/seccomp/pod: Applies to all containers in the Pod
security.alpha.kubernetes.io/seccomp/container/<container name>: Applies to a specified container
And the value options are:
runtime/default: Use the default configuration of the Container Runtime
unconfined: Allows all system calls
localhost/<profile-name>: Use seccomp installed locally on the Node, placed in the /var/lib/kubelet/seccomp directory
For example, using the seccomp configuration created above:
kube-bench provides a straightforward tool to check if Kubernetes configuration (including master and node) aligns with security best practices (based on CIS Kubernetes Benchmark).
It’s recommended that all production Kubernetes clusters run kube-bench regularly to ensure cluster configurations meet best security practices.
Installing kube-bench:
Of course, kube-bench can also be run directly within containers. Standard commands for checking Master and Node respectively usually are:
Clair is an open-source container security tool by CoreOS that statically analyzes images for potential security vulnerabilities. It is recommended to integrate Clair into DevOps processes to automatically scan all images for security concerns.
The method to install Clair is as follows:
The Clair project itself only provides an API, so in practice, it requires a client (or service integrating Clair) for usage. For instance, using reg would be as follows:
trivy is an open-source container vulnerability scanner by Aqua Security. Trivy is simpler to use compared to Clair, which makes it more convenient for integration into CI workflows.
Other image security scanning tools include:
Open-source products:
falco: Container runtime security monitoring tool.
docker-bench-security: Security audit tool for Docker environments.
kube-hunter: Kubernetes cluster penetration testing tool.
Commercial products:
