Skip to main content
banner image
venafi logo

What Security Controls Do I Need for My Kubernetes Cluster?

What Security Controls Do I Need for My Kubernetes Cluster?

July 19, 2022 | Anastasios Arampatzis

The adoption of Kubernetes and container-based platforms increases the need for security to protect cloud-first initiatives. An essential component of the Kubernetes security is authentication. Kubernetes clusters are machines and always need to be validated via machine identities to ensure the integrity and confidentiality of communications.

Tale of 3 Clouds eBook: How Venafi Creates Digital Transformation
With increased adoption, heightened risks

The majority (88%) of IT decision makers are exploring Kubernetes and containers, according to 2021 data from New Relic. However, as with any technology, new security concerns are emerging.

A Red Hat survey of Kubernetes adoption and security showed that

  • 55% of DevOps teams delayed an application release due to security issues
  • 93% of developers experienced at least one Kubernetes security incident in the past year
  • 46% say misconfiguration is the top security concern

The main risks facing Kubernetes production environments can be summarized in the bullets below:

  • Compromised images. Images should always be scanned before being used to create containers in a Kubernetes cluster - this avoids tampering. To ensure the security of images, organizations should implement strong governance policies that ensure images are securely built and stored in trusted registries.
  • Compromised containers or malicious traffic. Containers and pods need to communicate with each other as part of normal operations. However, this communication can be exploited by threat actors. A breached container can affect other containers and pods.
  • Lack of visibility. Visibility is critical to ensure Kubernetes clusters are secured. However, it can be challenging to gain and maintain visibility in containerized environments because of the large number of containers, the dynamic and ephemeral nature of these containers and their deployment across multi-cloud environments.
  • Misconfigurations or use of insecure defaults. While Kubernetes provides a wide range of controls that can help organizations effectively secure clusters and applications, it does not provide secure configurations out of the box to cover all communications. Misconfiguration of secrets management is another concern. Secrets define how sensitive information, like keys and credentials, is accessed and stored. Many developers use secrets as environment variables or hardcoded within images making them vulnerable to attacks. Secrets should be managed with careful access control to protect them from unauthorized parties.
  • Compliance. Achieving compliance in cloud-native environments is a highly challenging endeavor. To achieve compliance, organizations are usually required to implement certain security measures. This often requires enforcing best practices, benchmarks, and industry standards, as well as internal organizational policies.
Authenticate your K8s clusters with machine identities

To address the above challenges, organizations are required to implement a series of policies and controls to secure their clusters. These controls include defining a network policy, pod security policy and managing the Kubernetes secrets. Besides these important controls, organizations must focus their efforts on controlling access to their clusters. The primary access point for a Kubernetes cluster is the Kubernetes API, therefore we need to authenticate and authorize both developers and services accessing the API. Controlling and limiting who can access the cluster and what actions they are allowed to perform is the first line of defense.

TLS all your API traffic

Kubernetes expects that all API communication in the cluster is encrypted by default with TLS. The majority of cluster installation methods allow the necessary certificates to be created and distributed to the cluster components.

API authentication

API authentication covers both humans and clients accessing the API. For the human side of authentication, you must choose strong verification, based on multifactor authentication methods. The concept of least privilege is extremely crucial. Besides humans, you must also authenticate all API clients, even those that are part of the infrastructure like nodes, proxies, the scheduler, and volume plugins. These clients are typically service accounts or use X.509 client certificates, and they are created automatically at cluster startup or are setup as part of the cluster installation. Setting up an effective, flexible and scalable machine identity management program is the cornerstone of validating the authenticity of these machines.

API authorization

Once authenticated, every API call passes an authorization check. Kubernetes ships an integrated Role-Based Access Control (RBAC) component that matches an incoming user or group to a set of permissions bundled into roles. These permissions combine verbs (get, create, delete) with resources (pods, services, nodes) and can be namespace-scoped or cluster-scoped. As with authentication, simple and broad roles may be appropriate for smaller clusters, but as more users interact with the cluster, it may become necessary to separate teams into separate namespaces with more limited roles.

The solution to overcome many of these challenges is to employ a common service for certificates via an API that is integrated with DevOps tooling. Venafi-as-a-Service integrates seamlessly with Kubernetes and Jetstack cert-manager to improve security and availability of your clusters, ensure compliance, and accelerate software development by reducing complexity. Combining the functionality and efficiency of Venafi and cert-manager allows DevOps engineers to extend the functionality of various different CA’s within Kubernetes with just one integration.

Start your free trial today and begin your path to securing your containerized applications and multi-cloud environments.

Related Posts

Like this blog? We think you will love this.
Featured Blog

How to Stop Outages in Your Kubernetes Clusters [Case Study]

InfoSec vs platform development teams

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Anastasios Arampatzis
Anastasios Arampatzis

Anastasios Arampatzis is a retired Hellenic Air Force officer with over 20 years of experience in evaluating cybersecurity and managing IT projects. He works as an informatics instructor at AKMI Educational Institute, while his interests include exploring the human side of cybersecurity.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud

Venafi Cloud manages and protects certificates

* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
* Please fill in this field
* Please fill in this field
* Please fill in this field

End User License Agreement needs to be viewed and accepted

Already have an account? Login Here

get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more