Kubernetes security

In recent times organizations are migrating from on-premise to cloud, owing to the multi-dimensional nature of today’s cloud-native technology landscape. Due to this, it is easier than ever to build and deploy application environments quickly through containerization which has resulted in 45.6% of enterprises to use Kubernetes in their production environments, it is important for us to know how to secure it.

Let's Talk about why it is difficult

According to this analysis, security is one of the hardest challenges of running Kubernetes. There are numerous moving layers in the cloud-native stack, hence we may not focus on security early on. By default, some distributions of Kubernetes may not secure.

Prevention and Detection

This has unfolded rampant increase in cyber attacks on the cloud. To mitigate this, we have to secure all the pods and containers which are simple platforms just like Windows or Linux or a MySQL database and are only as secure as you make it. There are some flaws in every system, including Kubernetes and Docker, but these security issues are caused directly or indirectly by the users and their applications. Kubernetes provides each pod in a cluster its own IP address and consequently, IP-based security is required. Moreover, cluster security demands:

  • Network policies
  • Access policies for individual pods
  • RBAC and namespace access policies, etc

KubeArmor is an open-source tool that was created by AccuKnox and is available on GitHub. It will operate with LSMs (Linux security modules) allowing it to run on top of any Linux platforms such as Alpine, Ubuntu, and Container-optimized OS from Google. KubeArmor will automatically detect the changes in security policies and it will be imposed on the respective containers without any human intervention. If there are any violations against security policies, KubeArmor immediately generates audit logs with container identities. KubeArmor provides a relay service that can be connected to if the user wants to connect the KubeArmor feeds for SIEM integration.

Functionalities of KubeArmor include:

  • Restricting the behavior of containers at the system level
  • Enforcing security policies to containers in runtime
  • Produce container-aware audit logs
  • Provide easy-to-use semantics for policy definitions

Setting KubeArmor up on Kubernetes

Prerequisite: We need a working Kubernetes setup for this. We can use a cloud Kubernetes offering GCP or set yourself locally using minikube. If you are using minikube then we also require kubectl. The daemon-set has to be installed as part of the kube-system namespace thus giving it the rights to watch all the system events.

Commands to install:

Step #1: Deploy KubeArmor for GKE:

kubectl apply -f https://raw.githubusercontent.com/kubearmor/KubeArmor/master/deployments/GKE/kubearmor.yaml

With this KubeArmor should be running, to verify, you will see the pods you created in a moment.

Before applying the security policy to the container or pod the annotations should be added to the deployment, under the metadata Sample deployment with annotations.

Here is an example of a security policy which is to block a process execution of the sleep command. When you apply the policy it will block this particular command, we can get the audit logs of that security policy.

[caption id="attachment_6032" align="aligncenter" width="1024"]

KubeArmor Security Policy to block sleep command in containers during runtime.[/caption]

Find more about this on “Sample deployment of Multiubuntu with KubeArmor”.

Conclusion

In this blog, we looked at the basics of Kubernetes security monitoring and how to set up the KubeArmor on Kubernetes which automatically detects the changes in security policies and enforces them on the respective containers without any human intervention, and sends the audit logs to their system admins.