Since its inception, Kubernetes has become an increasingly popular open-source platform for managing containerized workloads and services. However, like any growing configuration and automation system, it is still prone to certain weaknesses. In fact, a Kubernetes deployment can be even more exposed to attacks when it runs in the cloud.
Nevertheless, there are ways to make the workloads on this platform more secure and to give you control over specific configurations.
1. Enable role-based access control (RBAC)
In a Kubernetes deployment, avoid putting everything into the default namespace, plan namespaces around the permission needs of your workloads, and enable RBAC.
With RBAC enabled, everything is denied by default. You then grant permissions only to the users (and service accounts) that need access to the application programming interface (API): you create roles and bind those users to them. You can also create cluster roles, whose permissions apply cluster-wide rather than within a single namespace.
2. Turn off privileged flag for containers
No matter how careful you are with your container orchestration, there is always a possibility that an attacker can do damage through one of your containers. Because of the way Kubernetes and similar platforms work, a compromised container can become a path to the underlying infrastructure. One way to limit this is to turn off the privileged flag on your containers.
There are also confinement mechanisms that help sandbox the containers in your clusters, such as seccomp, SELinux, and gVisor.
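The following manifest is an added example, not part of the original article. It shows a weak Pod spec with the privileged flag on beside a hardened spec that turns it off and also applies the runtime's default seccomp profile; the image name and user ID are placeholders.

```yaml
# Weak: a privileged container shares the host's device and capability set,
# so a compromise of this container is close to a compromise of the node.
apiVersion: v1
kind: Pod
metadata:
  name: app-privileged
spec:
  containers:
  - name: app
    image: registry.example.com/app:1.0   # placeholder image
    securityContext:
      privileged: true
---
# Hardened: privileged flag off, no privilege escalation, minimal capabilities,
# read-only root filesystem, non-root user and the default seccomp profile.
apiVersion: v1
kind: Pod
metadata:
  name: app-hardened
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001                      # placeholder non-root UID
    seccompProfile:
      type: RuntimeDefault                # container runtime's default seccomp filter
  containers:
  - name: app
    image: registry.example.com/app:1.0   # placeholder image
    securityContext:
      privileged: false
      allowPrivilegeEscalation: false     # blocks setuid binaries from gaining privileges
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]                     # add back only what the workload needs
```

Apply with `kubectl apply -f <file>`; on a cluster with a Pod Security admission policy set to `restricted`, the first Pod is rejected while the second is admitted.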
3. Disable public access to the API
To keep your Kubernetes deployment secure, avoid exposing your nodes to the Internet. As much as possible, work only with private nodes.
If you do need to run the platform in the cloud, disable public access to the API. This prevents attackers from reaching the API and obtaining sensitive information. In addition, you can place a load balancer or an API gateway in front of the cluster and open only the ports you actually need.
4. Enable encryption at rest
Kubernetes uses etcd, an open-source distributed key-value store, as the database that holds the platform's objects. If an attacker gains control of this store, they have access to your information and can misuse it.