Securing the Kubernetes cluster


Today I’d like to talk about something very important, some steps to secure the Kubernetes cluster.

This article will cover only some features/improvements/setup on this layer, but of course, there is still a lot to learn on this.

  1. Prevent updating kubeadm, kubelet and kubectl

This command will prevent someone from accidentally updating the K8s binaries.

2. Enable the Kubelet to request a certificate from the ‘’ API.

This will prevent a new node to be joined to the cluster without authorization.

Create a file named kubeadm.yaml with the below content and initiate your cluster with this file.

Run the command below to check if you need to approve the certificate for a node.

As you can see this node has the status Pending

Run the below command to approve the certificate. Once it’s approved the node will joining to the cluster.

3. Checks whether Kubernetes is deployed securely

We can use the tool kube-bench from Aquasec

Run the below command to install it.

Run ./kube-bench to perform a security check.

As you can see there are a lot of settings to improve.

4. Encrypt the ETCD

By default, ECTD isn’t encrypted.

The first step is to generate a key with 32 digit numbers encoded with base64

Create a new file named encrypt.yaml and paste the secret key generated before.

Now edit the kube-apiserver.yaml file, located at /etc/kubernetes/manifests and add the below line.

- --encryption-provider-config=/etc/kubernetes/encrypt.yaml

Now, mount the volume, (same file kube-apiserver.yaml)

Now, mount the hostPath, (same file kube-apiserver.yaml)

5. Add the kubelet-certificate-authority to use the K8s CA

In the /etc/kubernetes/manifests/kube-apiserver.yaml file add the below line.

6. Trivy to scan images vulnerabilities

Trivy is a comprehensive and easy-to-use open-source vulnerability scanner for container images, file systems, and Git repositories, as well as for configuration issues.


7. Network policies

If you want to control traffic flow at the IP address or port level (OSI layer 3 or 4), then you might consider using Kubernetes NetworkPolicies for particular applications in your cluster.

The example below will allow egress only through port 53.

The below network policy will control the access based on the tag run: allow

8. Falco

Falco, the cloud-native runtime security project, is the de facto Kubernetes threat detection engine.

For example, Falco can easily detect incidents including but not limited to:

  • A shell is running inside a container or pod in Kubernetes.
  • A container is running in privileged mode or is mounting a sensitive path, such as /proc, from the host.
  • A server process is spawning a child process of an unexpected type.
  • Unexpected read of a sensitive file, such as /etc/shadow.
  • A non-device file is written to /dev.
  • A standard system binary, such as ls, is making an outbound network connection.
  • A privileged pod is started in a Kubernetes cluster.

Install Falco as specified here.

Once I run the command falco it’ll show a container that is running in privileged mode.

References and documentation