Kubernetes Security Best Practices: From Hosting to Deployment

Everyone’s talking about Kubernetes these days because of the role it plays in deploying highly scalable and dynamic application environments.

Unfortunately, what people are not talking about as much is Kubernetes security. While there are a few Kubernetes security resources out there (such as some basic security tips in the Kubernetes documentation), they’re few and far between.

In this post, I’d like to offer some additional Kubernetes security best practices. They reflect my real-world experience using Kubernetes in production, and include consideration of securing both Kubernetes itself and an application that is deployed using Kubernetes.

Kubernetes Security: Host

The foundation of any good security profile is a secure operating system running on the host. The best practice is to use a proven operating system, stay current on its patches, and apply recommended security hardening either with tools like OpenSCAP or by manually following checklists produced by organizations like NIST. Ideally, the operating system that underpins the running containers is optimized for a container environment by stripping out all non-essential elements. A great example is RancherOS. It was designed from the ground up to run containers and nothing else.

In reality, most enterprises implement their Kubernetes environments on top of full-featured, general-purpose operating systems like Microsoft Windows DataCenter and Red Hat Enterprise Linux, because they already have procedures and tools in place to patch and monitor those operating systems.
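Hardening with OpenSCAP only pays off if someone reads the results, so here is an added example (not from the original post) that parses the XCCDF results file `oscap xccdf eval --results` writes for a host and lists the failing rules by severity. The XML below is a constructed sample, and the rule ids are illustrative placeholders rather than real SCAP Security Guide rule names.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# XCCDF 1.2 namespace used by OpenSCAP result documents.
XCCDF_NS = {"xccdf": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed sample of an oscap results file; rule ids are placeholders.
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark">
  <TestResult id="xccdf_example_testresult" start-time="2020-01-01T00:00:00">
    <rule-result idref="xccdf_example_rule_sshd_disable_root_login" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_package_auditd_installed" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_kernel_module_usb_disabled" severity="low">
      <result>notapplicable</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_sysctl_ip_forward" severity="high">
      <result>fail</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""

SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2}


def parse_rule_results(xml_text):
    """Return (rule_id, severity, result) tuples for every rule-result in a TestResult."""
    root = ET.fromstring(xml_text)
    rows = []
    for rr in root.iterfind(".//xccdf:TestResult/xccdf:rule-result", XCCDF_NS):
        res = rr.find("xccdf:result", XCCDF_NS)
        outcome = res.text.strip() if res is not None and res.text else "unknown"
        rows.append((rr.get("idref"), rr.get("severity", "unknown"), outcome))
    return rows


def failing_rules(rows, min_severity="low"):
    """Rules that failed at or above the given severity; unknown severity ranks lowest."""
    threshold = SEVERITY_ORDER.get(min_severity, 0)
    return [r for r in rows if r[2] == "fail" and SEVERITY_ORDER.get(r[1], 0) >= threshold]


def summarize(rows):
    """Count of rule results by outcome (pass, fail, notapplicable, ...)."""
    return dict(Counter(r[2] for r in rows))


if __name__ == "__main__":
    rows = parse_rule_results(SAMPLE_RESULTS)
    print(summarize(rows))
    for rule_id, severity, _ in failing_rules(rows, "medium"):
        print(f"FAIL [{severity}] {rule_id}")
```

Point it at a real results file by reading the XML from disk instead of `SAMPLE_RESULTS`; the high-severity list is a reasonable gate for a host before it joins the cluster.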

Kubernetes Security: Network

One of the main reasons that Kubernetes was such an innovative product was how it handled the network layer. As opposed to using NAT on each host like the first-generation Docker containers, Kubernetes exposed a unique IP address to (Read more...)

*** This is a Security Bloggers Network syndicated blog from Blog – WhiteSource authored by Gabriel Avner. Read the original post at: https://resources.whitesourcesoftware.com/blog-whitesource/kubernetes-security-best-practices

Gabriel Avner

Gabriel is a former journalist who loves learning and writing about the cat and mouse game of security. These days he writes for WhiteSource about the issues impacting open source security and license management and training Brazilian Jiu-Jitsu.