Professional Documents
Culture Documents
Search
Securing a Cluster
Home
This document covers topics related to protecting a cluster from accidental or malicious access
Getting started and provides recommendations on overall security.
Concepts
Tasks
Install Tools Before you begin
Administer a
You need to have a Kubernetes cluster, and the kubectl command-line tool must be
Cluster
con gured to communicate with your cluster. If you do not already have a cluster, you can
Administration create one by using minikube or you can use one of these Kubernetes playgrounds:
with kubeadm
Katacoda
Migrating from
dockershim Play with Kubernetes
To check the version, enter kubectl version .
Certi cates
Manage
Memory, CPU,
and API Controlling access to the Kubernetes API
Resources
Install a
Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
Network Policy As Kubernetes is entirely API driven, controlling and limiting who can access the cluster and what
Provider actions they are allowed to perform is the rst line of defense.
Kubernetes expects that all API communication in the cluster is encrypted by default with TLS,
and the majority of installation methods will allow the necessary certi cates to be created and
distributed to the cluster components. Note that some components and installation methods
may enable local ports over HTTP and administrators should familiarize themselves with the
settings of each component to identify potentially unsecured tra c.
API Authentication
Choose an authentication mechanism for the API servers to use that matches the common
access patterns when you install a cluster. For instance, small single user clusters may wish to
use a simple certi cate or static Bearer token approach. Larger clusters may wish to integrate an
existing OIDC or LDAP server that allow users to be subdivided into groups.
All API clients must be authenticated, even those that are part of the infrastructure like nodes,
proxies, the scheduler, and volume plugins. These clients are typically service accounts or use
x509 client certi cates, and they are created automatically at cluster startup or are setup as part
of the cluster installation.
API Authorization
Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
Once authenticated, every API call is also expected to pass an authorization check. Kubernetes
ships an integrated Role-Based Access Control (RBAC) component that matches an incoming
user or group to a set of permissions bundled into roles. These permissions combine verbs (get,
create, delete)
Documentation with resources
Kubernetes (pods,Partners
Blog Training services,Community
nodes) and Case
can be namespace
Studies or cluster
Versions scoped. A
English
set of out of the box roles are provided that o er reasonable default separation of responsibility
depending on what actions a client might want to perform. It is recommended that you use the
Node and RBAC authorizers together, in combination with the NodeRestriction admission plugin.
As with authentication, simple and broad roles may be appropriate for smaller clusters, but as
more users interact with the cluster, it may become necessary to separate teams into separate
namespaces with more limited roles.
With authorization, it is important to understand how updates on one object may cause actions
in other places. For instance, a user may not be able to create pods directly, but allowing them to
create a deployment, which creates pods on their behalf, will let them create those pods
indirectly. Likewise, deleting a node from the API will result in the pods scheduled to that node
being terminated and recreated on other nodes. The out of the box roles represent a balance
between exibility and the common use cases, but more limited roles should be carefully
reviewed to prevent accidental escalation. You can make roles speci c to your use case if the
out-of-box ones don't meet your needs.
Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
Production clusters should enable Kubelet authentication and authorization.
Documentation Kubernetes Blog Training Partners Community Case Studies Versions English
Limit ranges restrict the maximum or minimum size of some of the resources above, to prevent
users from requesting unreasonably high or low values for commonly reserved resources like
memory, or to provide default limits when none are speci ed.
Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
policies can limit which users or service accounts can provide dangerous security context
settings. For example, pod security policies can limit volume mounts, especially hostPath , which
are aspects of a pod that should be controlled.
Documentation Kubernetes Blog Training Partners Community Case Studies Versions English
Generally, most application workloads need limited access to host resources so they can
successfully run as a root process (uid 0) without access to host information. However,
considering the privileges associated with the root user, you should write application containers
to run as a non-root user. Similarly, administrators who wish to prevent client applications from
escaping their containers should use a restrictive pod security policy.
The Linux kernel automatically loads kernel modules from disk if needed in certain
circumstances, such as when a piece of hardware is attached or a lesystem is mounted. Of
particular relevance to Kubernetes, even unprivileged processes can cause certain network-
protocol-related kernel modules to be loaded, just by creating a socket of the appropriate type.
This may allow an attacker to exploit a security hole in a kernel module that the administrator
assumed was not in use.
To prevent speci c modules from being automatically loaded, you can uninstall them from the
node, or add rules to block them. On most Linux distributions, you can do that by creating a le
such as /etc/modprobe.d/kubernetes-blacklist.conf with contents like:
Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
# SCTP is not used in most Kubernetes clusters, and has also had
# vulnerabilities in the past.
blacklist sctp
Documentation Kubernetes Blog Training Partners Community Case Studies Versions English
To block module loading more generically, you can use a Linux Security Module (such as
SELinux) to completely deny the module_request permission to containers, preventing the
kernel from loading modules for containers under any circumstances. (Pods would still be able
to use modules that had been loaded manually, or modules that were loaded by the kernel on
behalf of some more-privileged process.)
Quota and limit ranges can also be used to control whether users may request node ports or
load balanced services, which on many clusters can control whether those users applications are
visible outside of the cluster.
Additional protections may be available that control network rules on a per plugin or per
environment basis, such as per-node rewalls, physically separating cluster nodes to prevent
cross talk, or advanced networking policy.
Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
credentials for that node, or provisioning data such as kubelet credentials. These credentials can
be used to escalate within the cluster or to other cloud services under the same account.
When running Kubernetes on a cloud platform limit permissions given to instance credentials,
Documentation Kubernetes Blog Training Partners Community Case Studies Versions English
use network policies to restrict pod access to the metadata API, and avoid using provisioning
data to deliver secrets.
As an administrator, a beta admission plugin PodNodeSelector can be used to force pods within
a namespace to default or require a speci c node selector, and if end users cannot alter
namespaces, this can strongly limit the placement of all of the pods in a speci c workload.
Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
Write access to the etcd backend for the API is equivalent to gaining root on the entire cluster,
and read access can be used to escalate fairly quickly. Administrators should always use strong
credentials from the API servers to their etcd server, such as mutual auth via TLS client
certi cates,
Documentation and it is Blog
Kubernetes often Training
recommended to isolate
Partners the etcd
Community servers
Case behind
Studies a rewallEnglish
Versions that only
the API servers may access.
Caution: Allowing other components within the cluster to access the master etcd instance
with read or write access to the full keyspace is equivalent to granting cluster-admin access.
Using separate etcd instances for non-master components or using etcd ACLs to restrict
read and write access to a subset of the keyspace is strongly recommended.
Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
The shorter the lifetime of a secret or credential the harder it is for an attacker to make use of
that credential. Set short lifetimes on certi cates and automate their rotation. Use an
authentication provider that can control how long issued tokens are available and use short
lifetimes Kubernetes
Documentation where possible.
Blog IfTraining
you use Partners
service account tokensCase
Community in external
Studies integrations,
Versions plan to
English
rotate those tokens frequently. For example, once the bootstrap phase is complete, a bootstrap
token used for setting up nodes should be revoked or its authorization removed.
Components that create pods may also be unexpectedly powerful if they can do so inside
namespaces like the kube-system namespace, because those pods can gain access to service
account secrets or run with elevated permissions if those service accounts are granted access to
permissive pod security policies.
Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
Kubernetes supports encryption at rest, a feature introduced in 1.7, and beta since 1.13. This will
encrypt Secret resources in etcd, preventing parties that gain access to your etcd backups from
viewing the content of those secrets. While this feature is currently beta, it o ers an additional
level of defense
Documentation when
Kubernetes backups
Blog are not
Training encrypted
Partners or an attacker
Community gains read
Case Studies access toEnglish
Versions etcd.
Feedback
Was this page helpful?
Yes No
Last modi ed August 07, 2020 at 8:40 PM PST: Tune links in tasks section (2/2) (92ae1a9cf)
Documentation Kubernetes Blog Training Partners Community Case Studies Versions English
Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD