We just wrapped up securing the Pod in the previous chapter; now we’ll cover securing the Kubernetes node. In this chapter, we’ll include more information about node security as it relates to possible attacks on nodes and Pods, and we’ll provide full examples with a number of configurations.
Securing a node in Kubernetes is analogous to securing any other VM or data center server. We’ll start with Transport Layer Security (TLS) certificates, which secure communication to and from nodes, and then look at image immutability, workloads, network policies, and so on. Treat this chapter as an à la carte menu of important security topics that you should at least consider before running Kubernetes in production.
All external communications in Kubernetes occur over TLS by default, although this is configurable. There are, however, many flavors of TLS: a cipher suite is a collection of algorithms that, in aggregate, allow TLS to happen securely, and you can choose which cipher suites the Kubernetes API server will accept. Most installers and self-hosted distributions of Kubernetes handle the creation of the TLS certificates for you. Defining a TLS algorithm consists of