Introduction to Kubernetes Security
Saiyam Pathak
Twitter - @saiyampathak
Blog – https://medium.com/@saiyampathak
21st September 2019
Agenda
• Kubernetes Attack Surface
• TLS Certificates
• Secure Kubelet
• Secure etcd
• 3 A’s of Kubernetes
• Secrets
• Kube-Bench
• CNCF Tooling Landscape
• Pod Security Policies
• Network Policies
Security Threats
Kubernetes Challenges
Kubernetes Attack Surface
Kubernetes Cluster-TLS
• TLS Checklist:
1. Nodes and Master
2. User and Master
3. Everything etcd
4. Kubelet to API Server
Image by Karthik Gaekwad
Secure Kubelet
--allow-privileged: Set to false
--anonymous-auth: Set to false
--authorization-mode: Avoid AlwaysAllow setting
--client-ca-file: Should be set to valid certificates
--read-only-port: Set to 0 and readOnlyPort specified in kubelet config
--tls-cert-file: Set as appropriate
Secure etcd
CIS Benchmark Recommendations on etcd
--etcd-certfile and --etcd-keyfile: Should be set
--enable-admission-plugins: Set to include a value for ServiceAccount
--tls-cert-file and --tls-private-key-file: Should be set
--auto-tls: Should be set to false
--etcd-ca-file: Should be set to valid certificate
--etcd-cafile on APIServer should be set to CA that signed etcd
ps -aef | grep etcd
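The kubelet and etcd checklists above are exactly what a tool like kube-bench automates: read the running process's flags and compare them to the recommended values. The script below is an added example (not part of the slides and not kube-bench's code) that does this for the flags listed on the two slides. It takes a command line such as the output of ps -aef | grep kubelet and prints one FAIL line per item that is not satisfied; absent flags are judged by the kubelet defaults (anonymous auth on, AlwaysAllow, read-only port 10255), so "unset" fails. The sample command lines and file paths at the bottom are constructed, and the script only sees command-line flags, so values set in a KubeletConfiguration file are invisible to it. Note that --allow-privileged has since been deprecated in the kubelet; it is checked here as the slide lists it.

```shell
#!/bin/sh
# Added example: a flag audit in the spirit of kube-bench for the kubelet and etcd
# checklists. Usage on a node: audit_kubelet "$(ps -aef | grep '[k]ubelet')"
# Caveat: reads command-line flags only; KubeletConfiguration file settings are not seen.

# Print the value of --FLAG from CMDLINE. Understands "--flag=value", "--flag value"
# and a bare boolean "--flag" (reported as "true"). Prints nothing if the flag is absent.
flag_value() {
  cmdline=$1; flag=$2
  printf '%s\n' "$cmdline" | tr -s ' ' '\n' | awk -v f="--$flag" '
    $0 == f { if ((getline nxt) > 0 && nxt !~ /^--/) print nxt; else print "true"; exit }
    index($0, f "=") == 1 { print substr($0, length(f) + 2); exit }'
}

fail() { echo "FAIL: $*"; }

# Kubelet checklist from the "Secure Kubelet" slide.
audit_kubelet() {
  cmd=$1
  if [ "$(flag_value "$cmd" allow-privileged)" = "true" ]; then
    fail "--allow-privileged is true; set it to false"
  fi
  if [ "$(flag_value "$cmd" anonymous-auth)" != "false" ]; then
    fail "--anonymous-auth is not false (defaults to true when unset)"
  fi
  case "$(flag_value "$cmd" authorization-mode)" in
    ""|AlwaysAllow) fail "--authorization-mode is AlwaysAllow (the default); use Webhook" ;;
  esac
  if [ -z "$(flag_value "$cmd" client-ca-file)" ]; then
    fail "--client-ca-file is not set; client certificates cannot be verified"
  fi
  if [ "$(flag_value "$cmd" read-only-port)" != "0" ]; then
    fail "--read-only-port is not 0 (unauthenticated read-only API stays exposed)"
  fi
  if [ -z "$(flag_value "$cmd" tls-cert-file)" ]; then
    fail "--tls-cert-file is not set"
  fi
  return 0
}

# kube-apiserver side of the etcd checklist: the API server must present a client
# certificate to etcd and verify etcd against the CA that signed it.
audit_apiserver() {
  cmd=$1
  for f in etcd-certfile etcd-keyfile etcd-cafile tls-cert-file tls-private-key-file; do
    if [ -z "$(flag_value "$cmd" "$f")" ]; then
      fail "--$f is not set on kube-apiserver"
    fi
  done
  return 0
}

# etcd side: --auto-tls makes etcd mint self-signed certificates that the cluster CA
# never signed, so the API server cannot pin trust to them.
audit_etcd() {
  cmd=$1
  if [ "$(flag_value "$cmd" auto-tls)" = "true" ]; then
    fail "--auto-tls is enabled on etcd; use certificates signed by the cluster CA"
  fi
  return 0
}

# Constructed sample command lines with hypothetical paths, standing in for ps output.
WEAK_KUBELET='/usr/bin/kubelet --anonymous-auth=true --authorization-mode=AlwaysAllow --read-only-port=10255 --allow-privileged=true'
GOOD_KUBELET='/usr/bin/kubelet --allow-privileged=false --anonymous-auth=false --authorization-mode=Webhook --client-ca-file=/etc/kubernetes/pki/ca.crt --read-only-port=0 --tls-cert-file=/var/lib/kubelet/pki/kubelet.crt --tls-private-key-file=/var/lib/kubelet/pki/kubelet.key'
WEAK_APISERVER='kube-apiserver --etcd-servers=http://127.0.0.1:2379'
GOOD_APISERVER='kube-apiserver --etcd-servers=https://127.0.0.1:2379 --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt --tls-cert-file=/etc/kubernetes/pki/apiserver.crt --tls-private-key-file=/etc/kubernetes/pki/apiserver.key'
WEAK_ETCD='etcd --auto-tls --listen-client-urls=https://127.0.0.1:2379'
GOOD_ETCD='etcd --auto-tls=false --cert-file=/etc/etcd/server.crt --key-file=/etc/etcd/server.key --listen-client-urls=https://127.0.0.1:2379'

# Stand-alone run: audit the constructed samples and show the findings.
echo "== weak kubelet ==";     audit_kubelet "$WEAK_KUBELET"
echo "== hardened kubelet =="; audit_kubelet "$GOOD_KUBELET"
echo "== weak etcd/apiserver =="; audit_etcd "$WEAK_ETCD"; audit_apiserver "$WEAK_APISERVER"
echo "== hardened etcd/apiserver =="; audit_etcd "$GOOD_ETCD"; audit_apiserver "$GOOD_APISERVER"
```

The weak kubelet line produces six findings, the hardened one none. On a real node, run the same functions against the live ps output of kubelet, kube-apiserver and etcd; the extra ps columns (UID, PID, start time) are harmless because only tokens beginning with -- are inspected.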
3 A’s of Kubernetes
Authentication
• Do you know how you are authenticating with Kubernetes?
• Many ways to Authenticate
• Client Certs
• Static token file
• ServiceAccount tokens
• OpenID
• Webhook Mode
• And more (https://kubernetes.io/docs/reference/access-authn-authz/authentication/)
Authentication
Authorization
https://kubernetes.io/docs/reference/access-authn-authz/authorization/
Authorization
Tooling:
rbac-manager
audit2rbac
Admission
• Do you know how many admission controllers are there in Kubernetes?
• Few of Admission Controllers
• AlwaysPullImages
• PodSecurityPolicy
• ResourceQuota
• NodeRestriction
Kube-Bench
CNCF Tooling Landscape
Pod Security Policy, Network Policy & Secret
A Pod Security Policy is a cluster-level resource that controls security-sensitive aspects of the pod specification. The PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system, as well as defaults for the related fields.

A network policy is a specification of how groups of pods are allowed to communicate with each other and with other network endpoints. NetworkPolicy resources use labels to select pods and define rules which specify what traffic is allowed to the selected pods.

Kubernetes Secret objects let you store and manage sensitive information, such as passwords, OAuth tokens, and SSH keys. Putting this information in a Secret is safer and more flexible than putting it verbatim in a Pod definition or in a container image.
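The network policy description above is easiest to see in a concrete manifest. As an added example (not from the slides), the script below generates the two policies that turn the label-based model into an allow-list for one namespace: a default-deny baseline that selects every pod and permits no ingress, followed by a single exception that lets pods with one label reach pods with another label on one TCP port. Namespace, labels and port are constructed values; the output is meant for kubectl apply -f -. One caveat a practitioner needs: NetworkPolicy objects are only enforced if the cluster's network plugin implements them; on a plugin without support they are accepted by the API server and silently do nothing.

```shell
#!/bin/sh
# Added example: generate NetworkPolicy manifests for a namespace allow-list.
# Hypothetical namespace, labels and port; pipe the output to `kubectl apply -f -`.

# Baseline: select every pod in NAMESPACE (empty podSelector) and allow no ingress.
# Without this, pods that no policy selects accept traffic from anywhere.
default_deny_ingress() {
  ns=$1
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: $ns
spec:
  podSelector: {}
  policyTypes:
  - Ingress
EOF
}

# Exception: let pods carrying SRC_LABEL reach pods carrying DST_LABEL on PORT/TCP.
# Labels are given as key=value; the policy name is derived from the two values.
allow_from_label() {
  ns=$1; dst=$2; src=$3; port=$4
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-${src#*=}-to-${dst#*=}
  namespace: $ns
spec:
  podSelector:
    matchLabels:
      ${dst%%=*}: ${dst#*=}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          ${src%%=*}: ${src#*=}
    ports:
    - protocol: TCP
      port: $port
EOF
}

# Combine both into one multi-document manifest for a namespace.
namespace_policy_bundle() {
  ns=$1; dst=$2; src=$3; port=$4
  default_deny_ingress "$ns"
  echo "---"
  allow_from_label "$ns" "$dst" "$src" "$port"
}

# Stand-alone run with constructed values: only pods labelled app=api may reach
# app=db pods on 5432; every other ingress in the "prod" namespace is denied.
namespace_policy_bundle prod app=db app=api 5432
```

Order matters only for readability; Kubernetes unions all policies that select a pod, so the deny baseline and the allow exception can be applied in either order and the result is the same: db pods accept port 5432 from api pods and nothing else.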
Thank You @saiyampathak

Editor's Notes

  • #8 Center for Internet Security
  • #9 Center for Internet Security