A music orchestrator coordinates the state of music notes with various musicians playing different instruments, monitoring speed and delivering continuous precision and perfection. Kubernetes is similar in many ways–it is a well-known digital orchestrator which manages and runs containerized cloud-native applications for everything from early-stage startups to established enterprises.
In fact, it shouldn’t be surprising to you that this blog may be served to you from a container orchestrated by Kubernetes.
Kubernetes is based on decentralized software architecture with various components and services that perform on the concept of the desired state. With several components to be considered, securing Kubernetes is more extensive than securing traditional hosting infrastructure. In this post and the following series, we will discuss various Kubernetes components and how to secure them.
Kubernetes has loosely coupled components across two different planes: the control plane and the data plane. Control planes execute and manage the cluster-wide communication and operation like a cerebral system in a human body. The data plane provides and manages the capacity to operate and scale, like the muscular system.
The controls plane components are:
- Kube-API server
- Kube-control manager, etcd (key-value store)
- Admission controllers, and
The data plane components are:
- Kube-proxy (or network-proxy)
- Container runtime (Docker, containers)
- Cluster DNS, Web-UI
The stepping stone into K8 security - KSPM
Securing Kubernetes is a tailored approach, based on the type of deployment (public/private) and depending on the Kubernetes offering (self-hosted or PaaS by cloud providers). We need to start analyzing the exposure of the data and the risk associated then apply the right controls.
The first best practice is to audit your Kubernetes clusters using a Kubernetes Security Posture Management (KSPM) solution. Offered either as standalone products or as part of a broader platform like CNAPP, KSPM scans the Kubernetes components for misconfigurations. Based on identified gaps, security teams can define and design security configurations and guardrails to secure the Kubernetes components.
Different hardening guidelines can be adopted by the security team depending on the customer industry. Hardening guidelines for Kubernetes for different versions and PaaS are offered by the CIS benchmark, and for federal and government space by NSA CISA. The MITRE ATT&CK framework also defines a few well-defined techniques used by attackers, which we will discuss in this series.
Apart from identifying and remediating misconfigurations, you’ll also want to secure your Kubernetes clusters using a zero trust security model. You also need to secure the container image registry, persistent volume storage, and networking. We will expand on these topics in our upcoming blog posts.
Can’t wait for the rest of the series and need to secure your Kubernetes environment now? Talk to our experts.