Cloud Native Security for your Kubernetes Cluster
The Cloud Native security model requires injecting security into the four logical phases of the cloud-native application lifecycle: Development, Distribution, Deployment, and Runtime.
Ensuring that cloud-native application artifacts are securely developed and distributed is a prerequisite for running workloads in a Kubernetes environment "secure by default".
Throughout all phases of the cloud-native application life cycle, several complementary security controls exist for Kubernetes-orchestrated workloads, which include but are not limited to:
Development:
Ensure image signing and verification
Use image vulnerability scanners
Distribution:
Implement pre-deployment checks for detecting excessive privileges
Enable observability and logging
Deployment:
Leverage a service mesh for workload authentication and authorization
Enforce “default deny” network policies for inter-workload communication via network plugins
Runtime:
Deploy security monitoring agents for workloads
Isolate applications that run on the same node using SELinux, AppArmor, etc.
Scan configuration against recognized secure baselines for node, workload and orchestrator
Kubernetes native security controls
Pod Security Policies
Resource requests and limits
Audit log analysis
Control plane authentication and certificate root of trust
Secrets management
How to secure Kubernetes:
Implement TLS everywhere
Enable RBAC with least privilege, disable ABAC, and monitor logs
Use third-party authentication for the API server
Separate and firewall your etcd cluster
Rotate encryption keys
Use Linux security features and Pod security policies
Statically analyze YAML
Run containers as a non-root user
Use Network Policies
Scan images and run an IDS
Run a service mesh
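Several of the controls listed above (pre-deployment checks for excessive privileges, static analysis of YAML, non-root containers, Linux security features, and default-deny network policies) can be encoded as a single policy check that runs in CI before anything reaches the cluster. The following is an added example, not code from the original article or from the Kubernetes project. The two Pod manifests and the NetworkPolicy are constructed samples, and the rule set is my own selection of common hardening settings rather than a complete Pod Security Standard; a real pipeline would feed it the output of yaml.safe_load() over the manifests in a pull request instead of inline dicts.

```python
"""Pre-deployment manifest checks for excessive privileges (added example).

The rules below are a hand-picked subset of Kubernetes hardening settings;
the manifests are constructed sample data, not from any real cluster.
"""
from typing import Any, Dict, List

# seccomp profile types accepted as hardened (the node's default, or a custom local profile)
HARDENED_SECCOMP_TYPES = ("RuntimeDefault", "Localhost")


def pod_findings(pod: Dict[str, Any]) -> List[str]:
    """Return one message per excessive-privilege setting found in a Pod manifest."""
    findings: List[str] = []
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})

    # Host namespaces defeat the isolation between workloads on the same node.
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            findings.append(f"{name}: spec.{key} is enabled")

    for container in spec.get("containers", []) + spec.get("initContainers", []):
        cname = container.get("name", "<unnamed>")
        sc = container.get("securityContext", {})
        where = f"{name}/{cname}"

        if sc.get("privileged"):
            findings.append(f"{where}: privileged container")
        # Container-level settings override pod-level ones, so consult them first.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f"{where}: runAsNonRoot is not true")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{where}: allowPrivilegeEscalation is not false")
        dropped = [c.upper() for c in sc.get("capabilities", {}).get("drop", [])]
        if "ALL" not in dropped:
            findings.append(f"{where}: capabilities.drop does not include ALL")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{where}: readOnlyRootFilesystem is not true")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {}))
        if seccomp.get("type") not in HARDENED_SECCOMP_TYPES:
            findings.append(f"{where}: seccompProfile.type is not RuntimeDefault or Localhost")
        if not container.get("resources", {}).get("limits"):
            findings.append(f"{where}: no resources.limits set")
        # A tag can be re-pushed; a digest pins exactly the scanned and signed image.
        if "@sha256:" not in container.get("image", ""):
            findings.append(f"{where}: image is not pinned by digest")
    return findings


def is_default_deny(policy: Dict[str, Any]) -> bool:
    """True if a NetworkPolicy selects every pod and allows no ingress or egress."""
    spec = policy.get("spec", {})
    return (
        spec.get("podSelector") == {}
        and {"Ingress", "Egress"} <= set(spec.get("policyTypes", []))
        and not spec.get("ingress")
        and not spec.get("egress")
    )


def check_manifests(manifests: List[Dict[str, Any]]) -> List[str]:
    """Run all checks over one namespace's manifests; an empty list means clean."""
    findings: List[str] = []
    for m in manifests:
        if m.get("kind") == "Pod":
            findings.extend(pod_findings(m))
    if not any(m.get("kind") == "NetworkPolicy" and is_default_deny(m) for m in manifests):
        findings.append("namespace: no default-deny NetworkPolicy found")
    return findings


# Constructed sample manifests: a weak Pod, its hardened form, and a default-deny policy.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web-weak"},
    "spec": {
        "hostNetwork": True,
        "containers": [{"name": "web", "image": "example.invalid/web:latest",
                        "securityContext": {"privileged": True}}],
    },
}
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web-hardened"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "web", "image": "example.invalid/web@sha256:" + "0" * 64,  # placeholder digest
            "securityContext": {"allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
                                "capabilities": {"drop": ["ALL"]}},
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
        }],
    },
}
DEFAULT_DENY = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "default-deny-all"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
}

if __name__ == "__main__":
    for line in check_manifests([WEAK_POD]):
        print("FAIL", line)
    print("hardened namespace findings:", check_manifests([HARDENED_POD, DEFAULT_DENY]))
```

Run against the weak Pod alone, the check reports ten findings (nine on the Pod plus the missing default-deny policy); the hardened Pod together with the NetworkPolicy reports none. Wiring check_manifests into a pull-request pipeline and failing the build on any finding is the "pre-deployment check" the Distribution phase calls for, and the same rules can later be enforced at admission time so that what was checked in is what actually runs.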
Read more here: https://kubernetes.io/blog/2020/11/18/cloud-native-security-for-your-clusters/