Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[ideas] Security notes compiled from various sources (links included) #1

Open
56 tasks
nazarewk opened this issue Apr 5, 2018 · 0 comments
Open
56 tasks

[ideas] Security notes compiled from various sources (links included) #1

nazarewk opened this issue Apr 5, 2018 · 0 comments

Comments

@nazarewk
Copy link

nazarewk commented Apr 5, 2018
edited
Loading

Here we go with my loose notes about Kubernetes security, there is some overlap with existing document.

Overview

  • RBAC enabled,
  • default-deny-ingress NetworkPolicy,
  • default-deny-egress NetworkPolicy,
  • Helm security

Online resources

Checklists for online resources on security.

Security problems of Kops default deployments

  1. No RBAC by default
  • installed rbac
  1. Kubelet does not enforce authorization
  • egress blocked through NetworkPolicy,
  • #3891,
  1. AWS Metadata API is reachable
  • kube2iam installed

Improving the Default Security Posture Through Defense in Depth

Post-Container Compromise Issues

  1. Default Namespace Tokens Have Full Privileges
  • RBAC enabled
  1. Unprotected Kubernetes Dashboard and Other kube-system Add-ons
  • limited kubernetes-dashboard privileges
  • internal access blocked using default-deny
  1. Kubelet Does Not Enforce Authorization (aka Kubelet-Exploit)
    • default-deny-egress NetworkPolicy
    • --anonymous-auth=false
    • default-deny-ingress NetworkPolicy
    • --authorization-mode=Webhook
  2. Unprotected Etcd/Calico-Etcd Endpoints
  • TLS enabled through kops spec.etcdClusters[*].enableEtcdTLS
  1. Direct Access to Cloud Instance Metadata APIs
  • kube2iam,
  • NetworkPolicy is not blocking access to cluster-external address,
  1. Permissive Metadata IAM Role Policies (AWS)

Additional considerations

  1. PodSecurityPolicy
  • not addressed
  1. NetworkPolicy
  • default-deny-ingress NetworkPolicy
  • default-deny-egress NetworkPolicy
  1. Admission Controllers
  • not addressed

7. Exposed /metrics APIs Allow for Pod/Svc Enumeration

Prevented using default-deny-ingress.

Securing a Cluster

  • Controlling access to the Kubernetes API
    • Use Transport Level Security (TLS) for all API traffic
      • kops
    • API Authentication (above ServiceAccount)
    • API Authorization
      • Node + RBAC
  • Controlling access to the Kubelet
    • egress blocked,
    • anonymous access blocked,
    • authentication configured
    • authorization configured
  • Controlling the capabilities of a workload or user at runtime
    • Limiting resource usage on a cluster
    • Controlling what privileges containers run with
      • PodSecurityPolicy
      • non-root users in applications
    • Restricting network access
      • default-deny-ingress NetworkPolicy
      • default-deny-egress NetworkPolicy
    • Restricting cloud metadata API access
      • kube2iam
    • Controlling which nodes pods may access
  • Protecting cluster components from compromise
    • Restrict access to etcd
    • Enable audit logging
    • Restrict access to alpha or beta features
    • Rotate infrastructure credentials frequently
    • Review third party integrations before enabling them
    • Encrypt secrets at rest
    • Receiving alerts for security updates and reporting vulnerabilities

Additional tasks

  • lock-down kube-system namespace with NetworkPolicies
  • encrypted by default StorageClass
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@nazarewk