Kubernetes has made it more straightforward than ever to build and deploy application environments quickly via containerization. However, with that convenience comes an extra issue – how to secure all your new pods and containers. You cannot simply apply a blanket rule such as 'Deny access from external,' because some of your applications/pods may legitimately require that external access.
It is also important to note that Kubernetes is inherently neither secure nor insecure. It is simply a platform, and that platform, just like Windows, Linux, or a MySQL database, is only as secure as you make it. There are, of course, flaws in every system, including Kubernetes and Docker, but in most cases, critical security issues are caused directly or indirectly by the users and their applications.
By default, Kubernetes gives each pod in a cluster its own IP address and, with that, a very basic level of IP-based security. However, several aspects of your clusters still require other forms of security and lockdown: network policies, access policies for individual pods, RBAC and namespace access policies, and so on. It is important to note that Kubernetes, like any other complex platform, will almost always have a list of vulnerabilities and bugs that can compromise its security.
Sounds daunting, right? Well, have no fear. There are many great, mostly open-source tools to help you manage and keep track of these security-related issues. Let's take a look at some of the most useful and commonly used ones:
Kube-bench, from the Center for Internet Security (CIS), is an excellent tool that checks if your Kubernetes cluster and nodes meet CIS's benchmarks. CIS is the semi-regulatory industry body that provides guidelines and benchmarking tests for writing secure code.
Kube-bench is available on GitHub. It is especially useful because, apart from highlighting non-compliant areas of your Kubernetes environment, it also gives you solutions and suggestions on how to fix them. In a nutshell, Kube-bench checks that user authorization and authentication are in accordance with the CIS guidelines, that the Kubernetes deployment follows the principle of least privilege, and that data is encrypted both at rest and in transit.
Kube-hunter is a utility created by Aqua Security and is available on GitHub. It systematically trawls through your Kubernetes cluster and hunts down security threats, enabling admins to pinpoint vulnerabilities before attackers can exploit them. Kube-hunter works particularly well when paired with Kube-bench, since Kube-hunter's discovery and penetration-testing capabilities complement the CIS validation points from Kube-bench. You can think of Kube-hunter as a Kubernetes-specific automated penetration tester.
Calico is an open-source solution that is not specific to Kubernetes; it is mainly a networking technology, but it can also be used for security purposes. It works on a wide range of platforms – Kubernetes, Docker Enterprise, OpenStack, and even bare-metal servers. Calico works by essentially creating a micro-firewall for every workload and rendering predefined connectivity policies into rules on each micro-firewall.
Interestingly, by creating a firewall at the workload level, Calico can even manage and route pod-specific network traffic on individual network routers and switches.
Istio is an open-source service mesh that allows you to control, connect, and secure your services on Kubernetes. It provides functionality such as automatic load balancing, fine-grained traffic control, automatic metrics and log collection, and secure service-to-service communication within a cluster.
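The "secure service-to-service communication" part is configured declaratively. The manifests below are an added example, not taken from the article or from the Istio project's documentation: a mesh-wide PeerAuthentication that requires mutual TLS between sidecars, a namespace-scoped exception for a migration, and an AuthorizationPolicy that lets only one workload identity call a service. It assumes Istio is installed in the default `istio-system` root namespace; the `legacy` and `shop` namespaces, the `api` label, and the `frontend` service account are hypothetical names.

```yaml
# Added example (not from the article or Istio's docs).
# 1. Mesh-wide: every sidecar must present a mutual-TLS client certificate.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system   # the root namespace, so this applies mesh-wide
spec:
  mtls:
    mode: STRICT            # plaintext connections are rejected at the sidecar
---
# 2. Namespace exception (hypothetical "legacy" namespace): a namespace-scoped
#    policy overrides the mesh-wide one, so workloads here still accept plaintext
#    while their clients are being migrated into the mesh. Remove it when done.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: legacy
spec:
  mtls:
    mode: PERMISSIVE
---
# 3. Identity-based access: with mTLS in place the peer's SPIFFE identity is
#    authenticated, so authorization can key on it instead of on IP addresses.
#    Only the "frontend" service account in namespace "shop" may call the API.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: api-allow-frontend
  namespace: shop
spec:
  selector:
    matchLabels:
      app: api              # hypothetical label on the API workload
  action: ALLOW
  rules:
    - from:
        - source:
            principals: ["cluster.local/ns/shop/sa/frontend"]
      to:
        - operation:
            methods: ["GET", "POST"]
```

Apply with `kubectl apply -f`. Note that once an ALLOW policy selects a workload, every request not matched by one of its rules is denied, so the third object also implicitly blocks every other caller; check that legitimate clients (health checkers, gateways) are listed before rolling it out, and that every workload that must talk to `api` actually has a sidecar injected, because under STRICT a sidecar-less pod's plaintext connection is refused.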
Kubeaudit is a command-line tool used to audit clusters by checking them against predefined security checks. Some of these checks are: whether the 'root' account is disabled, whether the system allows privilege escalation, and whether any Kubernetes images have incorrect tags.
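To make those three checks concrete, here is an added example (not from the article or from the kubeaudit project) showing a pod spec that fails them, followed by the same pod with the settings that pass. The workload name `web`, the image `registry.example.com/web`, and the digest shown are hypothetical placeholders.

```yaml
# Added example, not from the article or kubeaudit.
# --- Weak: runs as root, can escalate privileges, image is not pinned ---
apiVersion: v1
kind: Pod
metadata:
  name: web-weak                      # hypothetical name
spec:
  containers:
    - name: web
      image: registry.example.com/web:latest   # mutable tag: the bits can change under you
      # no securityContext at all: the container keeps the image's default user
      # (often UID 0) and setuid binaries may still gain extra privileges
---
# --- Hardened ---
apiVersion: v1
kind: Pod
metadata:
  name: web-hardened
spec:
  securityContext:
    runAsNonRoot: true                # kubelet refuses to start a container that would run as UID 0
    runAsUser: 10001
    runAsGroup: 10001
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: web
      # Pin by digest: placeholder value, replace with the digest from your registry.
      image: registry.example.com/web@sha256:0000000000000000000000000000000000000000000000000000000000000000
      securityContext:
        allowPrivilegeEscalation: false   # no_new_privs: setuid/setcap cannot raise privileges
        privileged: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: tmp                   # scratch space the app needs once the root fs is read-only
          mountPath: /tmp
  volumes:
    - name: tmp
      emptyDir: {}
```

You can run the tool against a manifest before it ever reaches a cluster with `kubeaudit all -f pod.yaml`; the first document produces findings for the root user, privilege escalation, and the image tag, and the second should come back clean. Pinning by digest satisfies the image check more strongly than a fixed version tag, because a tag can be re-pushed while a digest cannot.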
NeuVector is a security suite compatible with both Kubernetes and OpenShift. Its main features are full-lifecycle container security and container-level network security. NeuVector offers plugins to integrate with clusters created on the major cloud platforms – AWS, Azure, Google Cloud, and even IBM Cloud and Alibaba Cloud.
The NeuVector solution is itself delivered as a container that deploys easily on each host. It then creates a container firewall, host monitoring and security, security auditing with CIS benchmarks, and a vulnerability scanner.
audit2rbac is a useful tool that generates RBAC (Role-Based Access Control) policies from your Kubernetes audit logs. You first need to enable auditing in your Kubernetes cluster and then call audit2rbac. The tool then reads the generated audit log and creates an RBAC role covering the API calls that the audited user actually made, together with the binding objects that grant it.
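The prerequisite step, enabling auditing, is a policy file handed to the API server. The following is an added example, not from the article or from the audit2rbac project: a minimal audit policy that records every request at the `Metadata` level, which is all audit2rbac needs (user, verb, resource, namespace) while keeping request and response bodies, such as Secret contents, out of the log. The file path in the usage note is an assumption.

```yaml
# Added example, not from the article or audit2rbac.
apiVersion: audit.k8s.io/v1
kind: Policy
# Rules are evaluated in order; the first match wins.
rules:
  # Health and metrics probes carry no authorization information and would
  # dominate the log, so drop them entirely.
  - level: None
    nonResourceURLs: ["/healthz*", "/livez*", "/readyz*", "/metrics"]
  # Everything else: Metadata records who did what to which object, but not
  # the request/response payloads, so Secret data never lands in the log.
  - level: Metadata
    # RequestReceived events duplicate the later ResponseComplete event
    # for RBAC purposes, so omit them to halve the volume.
    omitStages: ["RequestReceived"]
```

Point `kube-apiserver` at it with `--audit-policy-file=/etc/kubernetes/audit-policy.yaml --audit-log-path=/var/log/kubernetes/audit.log` (paths assumed), let the user or service account exercise its normal workflow, then run `audit2rbac -f /var/log/kubernetes/audit.log --user alice` (or `--serviceaccount shop:frontend` for a service account). Review the generated Role/ClusterRole and bindings before applying them: the output is only as tight as the traffic you captured, so a workflow that was not exercised during the capture window will be missing, and anything that was exercised with a broader role than necessary will be carried over.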
Illuminatio is a network policy validator tool from German vendor Inovex. Network policy validation is basically checking and confirming the functionality of your cluster's firewall. When started, Illuminatio runs a scan on your Kubernetes cluster for all network policies, builds quick test cases for each policy, and executes the cases to determine if the policies are really effective and working as defined.
It is important to validate your network policies, not simply assume that because they have been defined they are also implemented. Sometimes network policies are declared but not enforced, especially when some individual nodes in your cluster have not yet synchronized their network policies with the cluster-defined policies in time.
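The manifests below are an added example (not from the article, Calico, or Illuminatio) that serves both the Calico paragraph above and this one: a default-deny NetworkPolicy plus a single allow rule, which is the kind of connectivity policy Calico renders into per-workload firewall rules, followed by a probe Job that does the same "is it really enforced?" check Illuminatio automates. It assumes a namespace `shop` with an `api` Service on port 8080 whose pods carry `app=api` and a client carrying `app=frontend`; all of these names are hypothetical. It also assumes a CNI that enforces NetworkPolicy (Calico does); on a CNI that does not, the policy objects are accepted by the API server and silently ignored, which is precisely what the probe detects.

```yaml
# Added example, not from the article, Calico or Illuminatio.
# 1. Default deny: selects every pod in the namespace and allows no ingress.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: shop
spec:
  podSelector: {}
  policyTypes: ["Ingress"]
---
# 2. Allow only frontend pods to reach the API on its service port.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-api
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 8080
---
# 3. Negative probe: a pod WITHOUT app=frontend tries to connect. The Job
#    completes only if the connection is blocked, so a succeeded Job means
#    "enforced" and a failed Job means "declared but not enforced".
apiVersion: batch/v1
kind: Job
metadata:
  name: netpol-probe-unauthorized
  namespace: shop
spec:
  backoffLimit: 0
  template:
    metadata:
      labels:
        app: netpol-probe          # deliberately not "frontend"
    spec:
      restartPolicy: Never
      containers:
        - name: probe
          image: busybox:1.36
          command: ["sh", "-c"]
          args:
            - |
              if wget -q -T 5 -O /dev/null http://api.shop.svc.cluster.local:8080/; then
                echo "FAIL: unauthorized pod reached api; policy is not enforced" >&2
                exit 1
              fi
              echo "OK: connection blocked as expected"
```

Apply all three with `kubectl apply -f` and check the Job with `kubectl -n shop get job netpol-probe-unauthorized`. One caveat: a connection can fail for reasons other than the policy (the Service is down, DNS is broken), so pair this with a positive probe, the same Job template carrying `app: frontend` and expecting the `wget` to succeed. Only the combination "unauthorized blocked, authorized allowed" confirms that the policy is both effective and not over-blocking. Because the Jobs are just manifests, they can be run per node (using `nodeName` or node affinity) to catch the case described above where one node has not yet synchronized its rules.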
Twistlock is another full-featured monitoring solution for Kubernetes, although it can also be used for several other platforms thanks to its cloud-native and API-enabled nature. It can be set up to continually monitor up to 200 built-in CIS benchmarks in your Kubernetes apps for vulnerability and compliance issues, on the base host/machine as well as on Kubernetes containers and images. Note that Twistlock is not an open-source tool; it is only free on a trial basis or for a single, standalone cluster.
Kubesec.io is an open-source security analysis tool that scans and then assigns scores to your Kubernetes resources (deployments and pods) against a predefined list of security features. It helps to verify and align resource configurations to Kubernetes security best practices.
As we have seen, Kubernetes is an 'open book' when it comes to security – it is up to you to configure and define it, balancing the often-competing requirements of access and security. The security and monitoring tools listed above are great for ensuring your Kubernetes clusters are as secure as possible. But keep in mind that another viable alternative, when you do not want to worry about setting up and managing security for your Kubernetes setup yourself, is to use a preconfigured environment such as Cloudplex.