Security best
practices for
deploying apps
to Kubernetes


Security best practices for deploying apps to Kubernetes

January 21, 2021 - by Jayalakshmi Elango | appeared on faun

Migrating to cloud-native technologies are the new norms for modern applications. To leverage these technologies, a transition to a container orchestration platform like Kubernetes is essential. A reliable, scalable, and secured environment is required when deploying to Kubernetes. In Nov 2019, CVE-2019–14271, a critical vulnerability issue found in docker file copy command, docker cp, leading the hacker to take control of the host, the full root access, and all the containers associated with it. To eliminate these kinds of security breaches while deploying apps to Kubernetes, we need to follow certain security best practices for seamless application delivery.

Role-Based Access Control (RBAC) through ‘Role Binding’

To secure Kubernetes clusters, following role-based access among different users to perform various tasks is crucial. RBAC and role binding creates ‘roles’ , a set of capabilities for specific users. For instance, some users may have permission to list the pod alone, whereas other users may have permission to get, watch, update, patch, or delete pods.

Capital One, one of the top 10 US retail banks, faced a challenge while building a provisioning platform to handle millions of transactions per day and protect confidential data from fraud detection and unauthorized users.

After moving to Kubernetes, Gasser, a Lead Software Engineer at Capital One, says how they managed to reduce the attack vulnerability profile for applications in the cloud, “Our entire clusters get rebuilt from scratch periodically, with new fresh instances and virtual server images that are patched with the latest and greatest security patches.”

Container Images: Manages vulnerability & provides a safe image.

A safe container image is an important metric for any Kubernetes clusters in production. One of the common myths of Kubernetes security deployments is, container images have lower security threats, but they’re liable to high risk if image security measures are overlooked. Any package could have a vulnerability discovered at any point in time, even if you picked a stack image from the official container registry maintained by direct vendors. These vendors will respond to relevant vulnerability disclosures on a timely basis and do rollout an update frequently.

The speed at which the respective vendors respond and apply the required update to the running & affected application is the key factor here. Enterprises must enforce the use of approved and trusted images, have them digitally signed & tracked throughout their lifecycle.

Network Policy: Protecting the Kubernetes apps with tight network policies

Network policies are Kubernetes resources that control the traffic between pods and network endpoints.

When deploying the cluster, one of the important network policies to follow is to restrict and minimize the ingress and egress access, respectively. However, when implementing the egress policies, extra care needs to be taken so it may not block connectivity to the Kubernetes DNS Service.

To enforce the network policies in Kubernetes, you must use CNI plugins that support the implementation of network policies. Following are some of the popular CNI plugins with network policy support: Weave, Calico, Flannel, Cilium to name a few.

Secrets: Protect your sensitive data

To secure the pods within the cluster, ‘secrets’ are used in Kubernetes. Proper secret management is the key to control access to containers and pods within Kubernetes. The secrets include sensitive information like passwords, SSH keys, certificates, OAuth Keys, API tokens.

Secrets should be audited and rotated periodically to limit unauthorized access. There has to be a strong authentication for Kubernetes container requests. Kubernetes applications need to be isolated from secrets because developers need not worry about managing the secrets. Consolidating & centralizing the secret management with a single tool instead of monitoring with various tools is the best approach.

Adobe uses ‘Vault’ as its centralized tool to protect their sensitive data across clouds and data centers. The container ecosystem is still maturing, though many legacy systems are moving towards Kubernetes and cloud-native applications.

The highlighted security guidelines are some of the key security factors implemented by major enterprises while deploying their apps to Kubernetes. However, this is not an exhaustive checklist but helps you get started quickly with proactive security measures. Kubernetes is a fast-growing platform in the cloud-native community; leverage it for building an effective Kubernetes ecosystem. Another optimal approach is to choose a Kubernetes deployment & management platform for a secure end-end app deployment.

Secure app delivery with K8s management platform