The 4C’s of Cloud Native Kubernetes security
You can think about security in layers. The 4C’s of Cloud Native security are Cloud, Clusters, Containers, and Code. Each layer of the Cloud Native security model builds upon the next outermost layer. The Code layer benefits from strong base (Cloud, Cluster, Container) security layers. You cannot safeguard against poor security standards in the base layers by addressing security at the Code level.
Cloud
In many ways, the Cloud is the trusted computing base of a Kubernetes cluster. If the Cloud layer is vulnerable (or configured in a vulnerable way) then there is no guarantee that the components built on top of this base are secure. Each cloud provider makes security recommendations for running workloads securely in their environment.
Infrastructure Security
Suggestions for securing your infrastructure in a Kubernetes cluster:
Cluster
There are two areas of concern for securing Kubernetes:
- Securing the cluster components that are configurable.
- Securing the applications which run in the cluster.
Depending on the attack surface of your application, you may want to focus on specific aspects of security. For example, if you are running a service (Service A) that is critical in a chain of other resources, and a separate workload (Service B) that is vulnerable to a resource exhaustion attack, then the risk of compromising Service A is high if you do not limit the resources of Service B. Here is the list of areas of concern for workload security:
- RBAC Authorization (Access to Kubernetes API)
- Authentication
- Application secrets management (and encrypting them in etcd at rest)
- Ensuring that pods meet defined Pod Security Standards
- Quality of Service (and Cluster resource management)
- Network Policies
- TLS for Kubernetes Ingress
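As an added example (these are not manifests from the Kubernetes documentation), here is one way to apply several of the areas above to the Service A / Service B scenario: a namespace that enforces the restricted Pod Security Standard, a LimitRange that bounds Service B's resources so it cannot starve Service A, a Deployment whose requests equal its limits (Guaranteed QoS class), a default-deny NetworkPolicy that admits only Service A, and a least-privilege Role. The namespace names, labels, image reference and the `ops` service account are assumptions.

```yaml
# Added example, not part of the Kubernetes docs. Names, labels, image and
# the "ops" service account are assumptions for illustration.
---
apiVersion: v1
kind: Namespace
metadata:
  name: service-b
  labels:
    # Pod Security Standards: reject pods that fail the "restricted" profile
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
---
# Resource management: containers that omit requests/limits get these
# defaults, so a runaway Service B is capped before it affects Service A.
apiVersion: v1
kind: LimitRange
metadata:
  name: service-b-defaults
  namespace: service-b
spec:
  limits:
    - type: Container
      default:            # used as limits when the pod sets none
        cpu: "500m"
        memory: "256Mi"
      defaultRequest:     # used as requests when the pod sets none
        cpu: "100m"
        memory: "128Mi"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: service-b
  namespace: service-b
spec:
  replicas: 2
  selector:
    matchLabels:
      app: service-b
  template:
    metadata:
      labels:
        app: service-b
    spec:
      automountServiceAccountToken: false   # no API token unless the app needs one
      containers:
        - name: app
          image: registry.example.com/service-b:1.0.0   # placeholder image
          ports:
            - containerPort: 8080
          resources:        # requests == limits gives the Guaranteed QoS class
            requests:
              cpu: "250m"
              memory: "256Mi"
            limits:
              cpu: "250m"
              memory: "256Mi"
          securityContext:  # the settings the "restricted" profile requires
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
            seccompProfile:
              type: RuntimeDefault
---
# Network Policies: deny everything by default in the namespace ...
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: service-b
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
# ... then allow only pods in the service-a namespace to reach port 8080
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-service-a
  namespace: service-b
spec:
  podSelector:
    matchLabels:
      app: service-b
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: service-a
      ports:
        - protocol: TCP
          port: 8080
---
# RBAC: the "ops" service account may read Service B's pods and logs, nothing more
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: service-b
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ops-pod-reader
  namespace: service-b
subjects:
  - kind: ServiceAccount
    name: ops
    namespace: service-b
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```

Apply it with `kubectl apply -f service-b.yaml` and check the result rather than trusting the manifest: `kubectl auth can-i delete pods -n service-b --as=system:serviceaccount:service-b:ops` should answer `no`, `kubectl get pod -n service-b -o jsonpath='{.items[0].status.qosClass}'` should print `Guaranteed`, and a pod that tries to run as root in this namespace is rejected at admission by the Pod Security admission controller. The NetworkPolicy objects only take effect if the cluster's network plugin enforces them, which is a cloud/cluster-layer dependency in the sense of the layered model above.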
Container
Here are some general recommendations for securing containers:
Code
Application code is one of the primary attack surfaces, and the one over which you have the most control. While securing application code is outside the scope of Kubernetes security, here are recommendations for protecting application code: