Kubernetes 101: Securing Kubernetes and the API-server



The API-server can be considered the heart of the Kubernetes cluster, and it is also the gate into the cluster.

Below are some of the steps that can be taken to secure the API-server and the Kubernetes cluster:

Rejecting anonymous requests by setting "--anonymous-auth=false".
 
Avoiding the use of basic authentication ("--basic-auth-file") for the API-server.

Using the "--tls-min-version" parameter, which tells Kubernetes the minimum version of TLS that should be accepted, for example:
  • VersionTLS11
  • VersionTLS12
  • VersionTLS13
Not using static token files for authentication ("--token-auth-file"); we could use certificates instead, which are more secure than token-based authentication.

Using the secure HTTPS protocol for the API-server's connections to the kubelets through the "--kubelet-https" parameter.
We could check that by using the below command:


And checking that "--kubelet-https" is not set to false.

Remark:

If we don't find it in the list, it means that it is set to true, which is the default.

Using the "--enable-admission-plugins" parameter to enable admission controllers beyond the default ones, in order to increase security:


Using the AlwaysPullImages admission controller to make sure that pods always use the original image from the repository:
  • --enable-admission-plugins AlwaysPullImages
Adding the SecurityContextDeny admission controller to keep pods from escalating their privileges.

Not using "--authorization-mode=AlwaysAllow", so that only users who have the right privileges can access "privileged" functions.
We could use RBAC instead, for example:
  • --authorization-mode=RBAC
Making sure that the kubelet's communications are secured using the HTTPS protocol through the below parameters:
  • --kubelet-client-certificate
  • --kubelet-client-key
Checking that the service account referenced by a token still exists before the token is accepted, by setting the "--service-account-lookup" parameter to true.

We could also check that advanced auditing is enabled through the "--feature-gates" parameter, so that we can use the audit logs to detect security issues in the cluster.

Remark:

Advanced auditing is enabled by default in the latest versions of Kubernetes.

Securing the communication with etcd, the Kubernetes database, by using certificate-based authentication through the below parameters:
  • --etcd-certfile 
  • --etcd-keyfile
We could choose which TLS cipher suites the API-server accepts using the "--tls-cipher-suites" parameter.
Some examples of these suites are below:
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
We could use the "--service-account-key-file" parameter, whose function is to verify ServiceAccount tokens.
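As an added example (not code from the original post), the following POSIX shell audit checks a kube-apiserver command line against the points listed above. It runs on two constructed command lines, a weak one and a hardened one; it assumes flags are written in the --flag=value form, and the file paths are placeholders.

```shell
#!/bin/sh
# Audit a kube-apiserver command line for the hardening points listed above.
# Assumes flags are written as --flag=value (as in static pod manifests).
# On a node, pass the running process's command line (e.g. from ps -ef | grep kube-apiserver).
# Both command lines below are constructed samples, not taken from a real cluster.
WEAK='kube-apiserver --anonymous-auth=true --token-auth-file=/etc/k8s/tokens.csv --authorization-mode=AlwaysAllow --tls-min-version=VersionTLS11 --enable-admission-plugins=NodeRestriction --kubelet-https=false'
HARDENED='kube-apiserver --anonymous-auth=false --authorization-mode=Node,RBAC --tls-min-version=VersionTLS12 --enable-admission-plugins=NodeRestriction,AlwaysPullImages,SecurityContextDeny --kubelet-client-certificate=/etc/k8s/pki/apiserver-kubelet-client.crt --kubelet-client-key=/etc/k8s/pki/apiserver-kubelet-client.key --etcd-certfile=/etc/k8s/pki/apiserver-etcd-client.crt --etcd-keyfile=/etc/k8s/pki/apiserver-etcd-client.key --service-account-key-file=/etc/k8s/pki/sa.pub --service-account-lookup=true'

# flag_value CMDLINE FLAG: prints the value of --FLAG, or nothing if the flag is unset
flag_value() {
  printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^--$2=//p" | head -n 1
}

# has_item LIST ITEM: succeeds if the comma-separated LIST contains ITEM
has_item() {
  case ",$1," in *",$2,"*) return 0 ;; esac
  return 1
}

# audit_apiserver CMDLINE: prints one FAIL line per finding; the exit status is
# the number of findings, so 0 means every check passed
audit_apiserver() {
  cmd=$1; fails=0
  fail() { echo "FAIL: $1"; fails=$((fails + 1)); }
  [ "$(flag_value "$cmd" anonymous-auth)" = false ] || fail "--anonymous-auth must be false"
  [ -z "$(flag_value "$cmd" basic-auth-file)" ] || fail "--basic-auth-file is set; basic auth should not be used"
  [ -z "$(flag_value "$cmd" token-auth-file)" ] || fail "--token-auth-file is set; prefer certificates"
  case "$(flag_value "$cmd" tls-min-version)" in
    VersionTLS12|VersionTLS13) ;;   # TLS 1.2 is taken as the floor in this audit
    *) fail "--tls-min-version should be VersionTLS12 or VersionTLS13" ;;
  esac
  [ "$(flag_value "$cmd" kubelet-https)" != false ] || fail "--kubelet-https is false"   # unset means true
  adm=$(flag_value "$cmd" enable-admission-plugins)
  for p in AlwaysPullImages SecurityContextDeny; do
    has_item "$adm" "$p" || fail "admission plugin $p is not enabled"
  done
  ! has_item "$(flag_value "$cmd" authorization-mode)" AlwaysAllow || fail "--authorization-mode contains AlwaysAllow"
  for f in kubelet-client-certificate kubelet-client-key etcd-certfile etcd-keyfile service-account-key-file; do
    [ -n "$(flag_value "$cmd" "$f")" ] || fail "--$f is not set"
  done
  [ "$(flag_value "$cmd" service-account-lookup)" != false ] || fail "--service-account-lookup is false"   # default is true
  return "$fails"
}

# Demo on the constructed weak command line: prints the findings and their count
audit_apiserver "$WEAK" || echo "$? finding(s) in the constructed weak command line"
```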
