14 Nodes and Kubernetes security


This chapter covers

  • Node hardening and Pod manifest
  • API server security, including RBAC
  • User authentication and authorization
  • The Open Policy Agent (OPA)
  • Multi-tenancy in Kubernetes

We just wrapped up securing the Pod in the previous chapter; now we’ll cover securing the Kubernetes node. In this chapter, we’ll look at node security in terms of the attacks that are possible against nodes and Pods, and we’ll provide full examples with a number of configurations.

14.1 Node security

Securing a node in Kubernetes is analogous to securing any other VM or data center server. We’ll cover Transport Layer Security (TLS) certificates to start. These certificates allow for securing nodes, but we’ll also look at issues related to image immutability, workloads, network policies, and so on. Treat this chapter as an à la carte menu of important security topics that you should at least consider for running Kubernetes in production.

14.1.1 TLS certificates

All external communications in Kubernetes generally occur over TLS, although this can be configured. However, there are many flavors of TLS. For this reason, you can select a cipher suite for the Kubernetes API server to use. Most installers or self-hosted versions of Kubernetes will handle the creation of the TLS certificates for you. Cipher suites are collections of algorithms that, in aggregate, allow for TLS to happen securely. Defining a TLS algorithm consists of
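As an added example (not from the book), this is how the cipher suite selection described above is pinned on a kubeadm-style control plane: a static Pod manifest for kube-apiserver that sets `--tls-min-version` and `--tls-cipher-suites`. The manifest path, image tag, certificate paths and the omitted flags are assumptions and must match your cluster.

```yaml
# Added example, not the book's own manifest. Assumed location (kubeadm default):
# /etc/kubernetes/manifests/kube-apiserver.yaml
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  hostNetwork: true
  containers:
  - name: kube-apiserver
    image: registry.k8s.io/kube-apiserver:<VERSION-PLACEHOLDER>   # pin to your version
    command:
    - kube-apiserver
    # Refuse TLS 1.0/1.1 handshakes; TLS 1.2 is the floor, TLS 1.3 is still negotiable.
    - --tls-min-version=VersionTLS12
    # Only forward-secret AEAD suites (ECDHE key exchange + AES-GCM) for TLS 1.2.
    # Suites not listed (RSA key exchange, CBC modes) are rejected. TLS 1.3 suites
    # are fixed by the Go runtime and are not affected by this flag.
    - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    # Serving certificate and key the API server presents to clients (paths assumed).
    - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
    - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
    - --secure-port=6443
    # ... the remaining kube-apiserver flags (etcd, service account keys, etc.) are unchanged
    volumeMounts:
    - name: k8s-certs
      mountPath: /etc/kubernetes/pki
      readOnly: true
  volumes:
  - name: k8s-certs
    hostPath:
      path: /etc/kubernetes/pki
      type: DirectoryOrCreate
```

After the kubelet restarts the static Pod, a handshake forced to an excluded version, such as `openssl s_client -connect <apiserver>:6443 -tls1_1`, should fail, which confirms the floor is enforced.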

14.1.2 Immutable OSs vs. patching nodes

14.1.3 Isolated container runtimes

14.1.4 Resource attacks

14.1.5 CPU units

14.1.6 Memory units

14.1.7 Storage units

14.1.8 Host networks vs. Pod networks

14.1.9 Pod example

14.2 API server security

14.2.1 Role-based access control (RBAC)

14.2.2 RBAC API definition