1. What is Kubernetes security?
Kubernetes security comprises the four areas of a Kubernetes cluster deployment that need to be protected: cloud, cluster, container, and code. Whether the Kubernetes cluster is built on an on-premises network or in the cloud, the environment has to conform to basic security best practices. Security for the cluster itself requires proper configurations and hardening of microservices and APIs that comprise the application.
Securing the container and code starts with good design practices, such as keeping the code base small and restricting unnecessary user privileges. And like any deployed application, Kubernetes clusters should be tested and scanned regularly for vulnerabilities.
2. What are the recommended security measures for Kubernetes?
With Kubernetes, security-conscious developers should keep clusters as simple as possible, using a minimal host OS and running CIS Benchmark tests throughout the development pipeline. Recommended best practices also include:
- Scanning outside images from any source for vulnerabilities.
- Updating Kubernetes networking defaults and built-in security configurations to manage data flow, connection routing and pod access.
- Keeping access privileges as minimal as possible and using a read-only root filesystem to prevent attacks that install malware or change the file system.
- Using logically designed role-based access control (RBAC) and TLS encryption to manage and safeguard communications.
And as with any modern security program, Kubernetes administrators should continuously monitor events and communications for suspicious activity.
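As an added illustration of the minimal-privilege and read-only-root-filesystem recommendations above (example code, not from the original page), the following Python audits a Pod spec for those settings. Both Pod manifests are constructed samples: one left at Kubernetes defaults, one with the recommended restrictions applied.

```python
# Constructed sample: a Pod left at Kubernetes defaults, nothing hardened.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web-weak"},
    "spec": {
        "containers": [{"name": "web", "image": "nginx"}],
    },
}

# Constructed sample: the same Pod with the recommended restrictions applied.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web-hardened"},
    "spec": {
        "containers": [{
            "name": "web",
            "image": "nginx",
            "securityContext": {
                "runAsNonRoot": True,                # no root inside the container
                "readOnlyRootFilesystem": True,      # blocks on-disk malware installs
                "allowPrivilegeEscalation": False,   # no setuid / file-capability gains
                "capabilities": {"drop": ["ALL"]},   # start from zero Linux capabilities
            },
        }],
    },
}


def audit_pod(pod):
    """Return one finding string per missing hardening control in a Pod spec.

    An empty list means every container in the Pod satisfies the checks:
    non-root, read-only root filesystem, no privilege escalation,
    not privileged, and all capabilities dropped.
    """
    findings = []
    for c in pod.get("spec", {}).get("containers", []):
        name = c["name"]
        sc = c.get("securityContext", {})  # defaults apply when absent
        if not sc.get("runAsNonRoot"):
            findings.append(f"{name}: may run as root")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: root filesystem is writable")
        if sc.get("allowPrivilegeEscalation", True):  # Kubernetes default is True
            findings.append(f"{name}: privilege escalation allowed")
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: Linux capabilities not dropped")
    return findings
```

Running `audit_pod` over manifests pulled from a cluster (for example via `kubectl get pods -o json`) gives a quick pass/fail list for these four recommendations; admission controllers enforce the same properties at deploy time.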
3. What is container security?
Container security involves the tools, policies, and processes that protect container infrastructure and applications from attack. Because containerized environments involve layers of abstraction, they have wider and more complex attack surfaces than traditional environments. Container security must manage and protect the full stack of the environment. Security should control network communications with tools such as microsegmentation and containerized next-generation firewalls. Security teams also need to identify and fix vulnerabilities introduced at run-time. Container registries and their host servers need regular scanning for vulnerabilities and restricted access policies. And crucially, container hosts need to be hardened and scanned for vulnerabilities or file tampering.