Kubernetes is a popular orchestration platform for multi-cloud applications that need to be deployed with versatile scalability. The adoption of cloud Kubernetes services has been steadily increasing over the past few years. But as more companies implement open source software, security emerges as a critical point of interest.
In March 2019, the high and medium severity issues, CVE-2019-1002101 and CVE-2019-9946, were discovered. These vulnerabilities can allow attackers to edit code on any path of the user's machine or delete and replace files in the tar-binary container.
These two followed closely on the discovery of the runC vulnerability that can enable an attacker to acquire root privileges in a container environment. Given such concerns, Kubernetes security should be a priority for all operations in cloud-native application development.
The Kubernetes Architecture
Google initially developed this open-source and portable platform for managing containerized workloads. The Cloud Native Computing Foundation is now the body in charge of Kubernetes. The software does not discriminate between hosts, any host by a cloud provider or a single-tenant server can be utilized in Kubernetes.
The platform interfaces a cluster of virtual machines using shared networks for server-to-server communication. In this cluster, all Kubernetes capabilities, components, and application lifecycles can be configured. This is where you can define how your applications run and how they can be configured.
The Kubernetes ecosystem has a master server that exposes an API for users and provides methods for container deployments and cluster administration. The other machines in the cluster are the slave servers or nodes that dedicatedly run the containers delegated by the master.
Kubernetes Security Risks
The security challenges and vulnerabilities on a multi-cloud Kubernetes architecture include:
- Unvetted images
Misused images pose a significant security risk on the containerization platform. Organizations must ensure that only vetted and approved images registries run and that there are robust policies on vulnerability severities, malware, and image configurations.
- Attackers listening on ports
Containers and pods must talk to each other in a Kubernetes ecosystem. It can be easier for attackers to intrude on this communication by listening to distinctive ports. It's critical, therefore, to monitor multi-directional traffic for all signs of breaches. Consider vendors that provide a Kubernetes load balancer service during deployment. How a breach spreads from one container to the other depends on how broadly it communicates with the other containers.
- Kubernetes API is exposed
The API service in Kubernetes is the front door to each cluster. Because this API is needed for management, it is always exposed during Kubernetes deployment. Robust role-based access authentication is needed, along with policies for managing kubectl command operations. The best access control system leverages Kubernetes webhook admission controller for attaining upstream computability in Kubernetes implementation.
- Hackers can execute code in your container
The Kubelet API, used for managing containers on separate nodes in clusters, has no access authentication. Attackers can use this as a gateway to execute codes in your container, delete files, or overrun your cluster. Incidences of Kubelet exploits have been on the increase since 2016.
- Compromised containers lead to compromised clusters
When an attacker achieves a remote code execution within a node, then automatically, clusters become susceptible to attacks. These attacks propagate in cluster networks targeting both nodes and pods. Organizations need Intrusion Detection Systems (IDS), preferably the types that combine anomaly and signature-based mechanisms. Many vendors provide IDS capabilities as part of their software suites.
What Measures to Take?
AWS solves the Kubernetes security complexity with policy-driven controls based on native Kubernetes capabilities, run time protection, network security control, and service and image assurance. The EKS load balancer provides for traffic observability, while they have EKS security policies for access control and compliance checks. The elastic cloud on Kubernetes also has CI/CD pipelines that are benchmarked with internal and external policy frameworks and guided by the AWS global network security procedures.
The Azure Kubernetes service has similar security concepts for nodes and clusters in the orchestration platform. To the native Kubernetes security components, AKS Kubernetes adds orchestrated cluster patches and network security groups. You can strengthen access control on your master API server with the Azure Active Directory that's integrable with AKS services.
GCP leverages the principle of least privilege in access control on Kubernetes workloads. You can use the Google Cloud Service Account to manage and configure Kubernetes security through RBA. The vendor similarly offers protection through a load balancer service, network policies, Cloud IAM, and Cloud Audit Logging.
Kubernetes as a service allows for the deployment and management of cloud-native apps in a scalable manner. This is a fast-growing technology, but it's also fraught with complexities that can compromise security.
At Cloudride, we will help you find a cloud Kubernetes solution that solves your business challenges with regards to security and cost-efficiency. We specialize in MS-AZURE, AWS, GCP, and other ISVs.
Contact us to learn more.