Kubernetes 101 : Securing Kubernetes and the API-server
The API-server could be considered as the heart of the kubernetes cluster, it is also the gate into the cluster.
Below are some of the steps that could be done to secure the Api-server and the kubernetes cluster:
Rejecting anonymous requests using the "--anonymous-auth=false".
Avoiding the use of basic authentication "--basic-auth-file" for the Api-server.
Using the "--tls-min-version" parameter that tells kubernetes about the minimum version of TLS that should be used, for example:
Not using tokens for authentication "--token-auth-file", we could use certificates which are more secure than token-based authentication.
Using the secure HTTPS protocol through the parameter "'--kubelet-https".
And checking if the "--kubelet-https" is not set to false.
If we don't find it in the list, it means that it is set to true - it is by default -.
Using the "--enable-admission-plugins" parameter to enable admission controllers beyond the default ones to increase security:
Using the AlwaysPullImages admission controller to make sure we are going to use the original image from the repository:
- --enable-admission-plugins AlwaysPullImages
Adding the SecurityContextDeny admission controller to keep the pods from escalating their privileges.
Not using the "--authorization-mode=AlwaysAllow", so that only users who have the right privileges could have access to "privileged" functions.
We could use RBAC instead, for example:
Making sure the the kubelet's communications are secure using the HTTPS protocol through the below parameters:
Checking if the tokens for the different accounts exist in by setting the "--service-account-lookup" parameter to true.
We could also check if advanced auditing is enabled through the "--feature-gates" parameter, so that we could use logs to detect security issues in the cluster.
Advanced auditing is enabled by default in the latest versions of kubernetes.
Securing the communication with the kubernetes database server etcd by using certificate-based authentication through the below parameters:
We could use different TLS suites for securing the API-Server's communications using the "--tls-cipher-suites" parameter.
Some example of these suites are as below:
We could use the "--service-account-key-file" parameter which function is to check ServiceAccount tokens.