# Kubernetes Security

## Overview

This guide covers security concepts and best practices in Kubernetes, including authentication, authorization, network policies, and security configurations.
## Prerequisites

- Basic understanding of Kubernetes concepts
- Knowledge of security principles
- Familiarity with RBAC
- Understanding of network security
## Learning Objectives

- Understand Kubernetes security concepts
- Learn authentication methods
- Master RBAC configuration
- Implement network policies
- Configure security contexts
## Authentication

### Service Account

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-service-account
  namespace: default
automountServiceAccountToken: false
```

`automountServiceAccountToken: false` keeps the API token out of pods that never talk to the API server; a pod that does need it can opt back in by setting the same field to `true` in its own spec.
### Token Configuration

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: service-account-token
  annotations:
    kubernetes.io/service-account.name: app-service-account
type: kubernetes.io/service-account-token
```

This Secret holds a long-lived token that never expires. Since Kubernetes v1.24 such tokens are no longer generated automatically for each service account; pods receive short-lived, bound tokens through the TokenRequest API and projected volumes instead. Create a static token like this only when a legacy client cannot use bound tokens, and treat it as a credential that must be rotated by deleting and recreating the Secret.
### Certificate Configuration

The `request` field must hold the base64-encoded PEM CSR on a single line, so the manifest is fed through a shell here-document that expands the command substitution before `kubectl` reads it:

```bash
cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: app-csr
spec:
  request: $(base64 < server.csr | tr -d '\n')
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
EOF
```

The CSR stays `Pending` until an administrator approves it (`kubectl certificate approve app-csr`); the signed certificate is then written to `status.certificate`. Because the `kube-apiserver-client` signer produces certificates the API server trusts for authentication, approval rights on CSRs are as sensitive as the ability to create users.
## Authorization

### Role Configuration

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
```
### RoleBinding

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: ServiceAccount
  name: app-service-account
  namespace: default
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```
### ClusterRole

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]
```

A ClusterRole is not namespaced. Bound through a ClusterRoleBinding it grants read access to every Secret in the cluster, which is close to holding every credential the cluster stores; bound through a RoleBinding it is limited to that binding's namespace. Prefer the latter unless cluster-wide access is genuinely required.
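A quick way to catch the "overly permissive RBAC" pitfall before a manifest reaches the cluster is to lint its rules. The following is an added example, not code from the original page: it takes Role/ClusterRole manifests as Python dicts (the structure `yaml.safe_load` would return for the `pod-reader` and `secret-reader` objects above, so no YAML library is needed) and flags wildcards, escalation verbs, credential reads and exec rights. The severity scale and the lists of sensitive verbs and resources are this example's own choices; `do-everything` is a constructed bad example.

```python
"""Static check of Role/ClusterRole rules for over-broad grants (added example)."""

# Verbs that let a subject obtain more access than it was directly granted.
ESCALATION_VERBS = {"bind", "escalate", "impersonate"}
# Resources whose read access hands out credentials.
SENSITIVE_READ = {"secrets", "serviceaccounts/token"}
READ_VERBS = {"get", "list", "watch"}


def lint_rbac(manifest):
    """Return [(severity, message), ...] for one Role or ClusterRole manifest."""
    findings = []
    kind = manifest.get("kind", "Role")
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    scope = "cluster-wide" if kind == "ClusterRole" else "namespaced"
    for idx, rule in enumerate(manifest.get("rules", [])):
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        where = f"{kind}/{name} rules[{idx}]"
        if "*" in verbs and "*" in resources:
            findings.append(("HIGH", f"{where}: wildcard verbs on wildcard resources ({scope}, cluster-admin-like)"))
        elif "*" in verbs:
            findings.append(("MEDIUM", f"{where}: wildcard verbs on {sorted(resources)}"))
        elif "*" in resources:
            findings.append(("MEDIUM", f"{where}: wildcard resources for verbs {sorted(verbs)}"))
        if verbs & ESCALATION_VERBS:
            findings.append(("HIGH", f"{where}: escalation verbs {sorted(verbs & ESCALATION_VERBS)}"))
        if resources & SENSITIVE_READ and (verbs & READ_VERBS or "*" in verbs):
            # Reading secrets is worse when the grant can be bound cluster-wide.
            sev = "HIGH" if kind == "ClusterRole" else "MEDIUM"
            findings.append((sev, f"{where}: reads {sorted(resources & SENSITIVE_READ)} ({scope})"))
        if "pods/exec" in resources and verbs & {"create", "*"}:
            findings.append(("HIGH", f"{where}: can exec into pods"))
    return findings


def worst_severity(findings):
    """'HIGH', 'MEDIUM' or None for a list returned by lint_rbac."""
    levels = [s for s, _ in findings]
    return "HIGH" if "HIGH" in levels else ("MEDIUM" if levels else None)


# The Role and ClusterRole from this page, as dicts.
POD_READER = {
    "kind": "Role",
    "metadata": {"name": "pod-reader", "namespace": "default"},
    "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}],
}
SECRET_READER = {
    "kind": "ClusterRole",
    "metadata": {"name": "secret-reader"},
    "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "watch", "list"]}],
}
# Constructed example of the "overly permissive RBAC" pitfall.
WILDCARD_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "do-everything"},
    "rules": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
        {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
    ],
}

if __name__ == "__main__":
    for m in (POD_READER, SECRET_READER, WILDCARD_ROLE):
        label = f"{m['kind']}/{m['metadata']['name']}"
        for sev, msg in lint_rbac(m) or [("OK", f"{label}: no findings")]:
            print(f"[{sev}] {msg}")
```

Run as a script it prints no findings for `pod-reader`, one HIGH finding for `secret-reader` (cluster-wide secret reads) and two HIGH findings for the constructed `do-everything` role. Wire the same function into CI over every RBAC manifest in a repository and fail the build on HIGH.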
## Network Policies

### Default Deny Policy

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
```

The empty `podSelector` selects every pod in the namespace, and listing both policy types isolates them in both directions: nothing may reach them and they may reach nothing until another policy explicitly allows it. Because `Egress` is included, the selected pods also lose DNS, so pair this with an egress rule to the cluster DNS service or workloads will stop resolving names. NetworkPolicy objects are only enforced when the cluster's CNI plugin implements them; on a plugin that does not, applying this policy changes nothing.
### Allow Specific Traffic

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8080
```
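Reasoning about how `default-deny` and `api-allow` combine is easier with a small evaluator. The following is an added example, not code from the original page: it implements the subset of NetworkPolicy semantics the two manifests above use (`podSelector`/`namespaceSelector` with `matchLabels`, `policyTypes`, `ingress`/`egress` rules with `from`/`to` and `ports`) and the core rule that a pod is open until some policy selects it, after which only an explicit rule can allow traffic. Pods, namespaces and policies are constructed dicts shaped like `yaml.safe_load` output; `frontend-egress` is a constructed policy that the default-deny on `Egress` makes necessary. `ipBlock`, named ports and `matchExpressions` are not modelled.

```python
"""Offline evaluator for the NetworkPolicy semantics used on this page (added example)."""


def _selects(selector, labels):
    """matchLabels semantics: every listed key/value must be present; {} matches all."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def _peer_matches(peer, pod, policy_ns, namespaces):
    """Does one entry of a from:/to: list cover `pod`?"""
    ns_sel = peer.get("namespaceSelector")
    pod_sel = peer.get("podSelector")
    if ns_sel is None:
        # A podSelector alone only reaches pods in the policy's own namespace.
        if pod["namespace"] != policy_ns:
            return False
    elif not _selects(ns_sel, namespaces.get(pod["namespace"], {})):
        return False
    return pod_sel is None or _selects(pod_sel, pod["labels"])


def _port_matches(ports, protocol, port):
    if not ports:  # no ports key: the rule applies to every port and protocol
        return True
    for p in ports:
        if p.get("protocol", "TCP") != protocol:
            continue
        lo = p.get("port")
        if lo is None or lo <= port <= p.get("endPort", lo):
            return True
    return False


def _direction_allowed(direction, pod, peer, protocol, port, policies, namespaces):
    """direction is 'ingress' (pod receives from peer) or 'egress' (pod sends to peer)."""
    type_name, peer_key = direction.capitalize(), ("from" if direction == "ingress" else "to")
    isolated = False
    for pol in policies:
        spec, pol_ns = pol["spec"], pol["metadata"].get("namespace", "default")
        if pol_ns != pod["namespace"] or not _selects(spec.get("podSelector", {}), pod["labels"]):
            continue
        # policyTypes defaults to Ingress, plus Egress when egress rules are present.
        types = spec.get("policyTypes") or (["Ingress", "Egress"] if "egress" in spec else ["Ingress"])
        if type_name not in types:
            continue
        isolated = True  # from here on only an explicit rule can allow this direction
        for rule in spec.get(direction) or []:
            peers = rule.get(peer_key)
            peer_ok = not peers or any(_peer_matches(p, peer, pol_ns, namespaces) for p in peers)
            if peer_ok and _port_matches(rule.get("ports"), protocol, port):
                return True
    return not isolated


def connection_allowed(src, dst, port, policies, namespaces, protocol="TCP"):
    """True if src may connect to dst:port, i.e. egress is allowed at src AND ingress at dst."""
    return (_direction_allowed("egress", src, dst, protocol, port, policies, namespaces)
            and _direction_allowed("ingress", dst, src, protocol, port, policies, namespaces))


# Constructed cluster state. Namespaces carry the automatic kubernetes.io/metadata.name label.
NAMESPACES = {"default": {"kubernetes.io/metadata.name": "default"},
              "kube-system": {"kubernetes.io/metadata.name": "kube-system"}}
FRONTEND = {"namespace": "default", "labels": {"app": "frontend"}}
API = {"namespace": "default", "labels": {"app": "api"}}
BATCH = {"namespace": "default", "labels": {"app": "batch"}}
COREDNS = {"namespace": "kube-system", "labels": {"k8s-app": "kube-dns"}}

# The two policies from this page, with the namespace made explicit.
DEFAULT_DENY = {"metadata": {"name": "default-deny", "namespace": "default"},
                "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}}
API_ALLOW = {"metadata": {"name": "api-allow", "namespace": "default"},
             "spec": {"podSelector": {"matchLabels": {"app": "api"}}, "policyTypes": ["Ingress"],
                      "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}],
                                   "ports": [{"protocol": "TCP", "port": 8080}]}]}}
# Constructed: the egress side that default-deny requires (api on 8080, cluster DNS on 53/UDP).
FRONTEND_EGRESS = {"metadata": {"name": "frontend-egress", "namespace": "default"},
                   "spec": {"podSelector": {"matchLabels": {"app": "frontend"}}, "policyTypes": ["Egress"],
                            "egress": [{"to": [{"podSelector": {"matchLabels": {"app": "api"}}}],
                                        "ports": [{"protocol": "TCP", "port": 8080}]},
                                       {"to": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}}}],
                                        "ports": [{"protocol": "UDP", "port": 53}]}]}}
POLICIES = [DEFAULT_DENY, API_ALLOW, FRONTEND_EGRESS]

if __name__ == "__main__":
    for label, s, d, p, proto, pols in [
        ("frontend -> api:8080", FRONTEND, API, 8080, "TCP", POLICIES),
        ("frontend -> api:9090", FRONTEND, API, 9090, "TCP", POLICIES),
        ("batch -> api:8080", BATCH, API, 8080, "TCP", POLICIES),
        ("frontend -> coredns:53/UDP", FRONTEND, COREDNS, 53, "UDP", POLICIES),
        ("frontend -> api:8080, no egress allow", FRONTEND, API, 8080, "TCP", POLICIES[:2]),
    ]:
        print(f"{label}: {'ALLOW' if connection_allowed(s, d, p, pols, NAMESPACES, proto) else 'DENY'}")
```

The last case is the one that surprises people: with only the two policies from this page applied, `frontend -> api:8080` is denied, because `api-allow` opens the api pod's ingress but `default-deny` has also isolated the frontend's egress. A connection needs an allow on both ends.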
## Pod Security

### Security Context

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000
  containers:
  - name: secure-container
    image: nginx
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
        - ALL
```
### Pod Security Policy

PodSecurityPolicy was deprecated in Kubernetes v1.21 and removed in v1.25. On current clusters the same controls come from Pod Security Admission (the `pod-security.kubernetes.io/enforce: restricted` namespace label) or from an admission-policy engine; the manifest below applies only to clusters that still run the PodSecurityPolicy admission plugin.

```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
  - ALL
  volumes:
  - 'configMap'
  - 'emptyDir'
  - 'projected'
  - 'secret'
  - 'downwardAPI'
  - 'persistentVolumeClaim'
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: 'MustRunAsNonRoot'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
    - min: 1
      max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
    - min: 1
      max: 65535
  readOnlyRootFilesystem: true
```
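Whichever admission mechanism enforces these rules in the cluster, it helps to run the same checks on manifests in CI. The following is an added example, not code from the original page: it implements the checks the `restricted` PodSecurityPolicy above expresses (no privileged or host-namespace pods, explicit `allowPrivilegeEscalation: false`, drop `ALL` capabilities, non-root user, read-only root filesystem, allow-listed volume types) plus the seccomp profile that the Pod Security Standards "restricted" profile additionally requires. Pod manifests are plain dicts shaped like `yaml.safe_load` output; the `debug` pod is a constructed insecure example.

```python
"""Check Pod manifests against the rules of the PodSecurityPolicy above (added example)."""
import copy

# Volume types allow-listed by the PodSecurityPolicy above.
ALLOWED_VOLUME_TYPES = {"configMap", "emptyDir", "projected", "secret", "downwardAPI", "persistentVolumeClaim"}
# The only capability the restricted profile lets a container add back.
ALLOWED_ADD_CAPS = {"NET_BIND_SERVICE"}


def check_pod(pod):
    """Return a list of human-readable violations; an empty list means the pod passes."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    violations = []
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            violations.append(f"spec.{field} is true")
    for vol in spec.get("volumes") or []:
        # A volume entry is {"name": ..., "<type>": {...}}; the type key must be allow-listed.
        bad = (set(vol) - {"name"}) - ALLOWED_VOLUME_TYPES
        if bad:
            violations.append(f"volume {vol.get('name')}: disallowed type {sorted(bad)}")
    for c in (spec.get("initContainers") or []) + (spec.get("containers") or []):
        sc = c.get("securityContext") or {}
        where = f"container {c.get('name')}"
        if sc.get("privileged"):
            violations.append(f"{where}: privileged")
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f"{where}: allowPrivilegeEscalation must be explicitly false")
        if sc.get("readOnlyRootFilesystem") is not True:
            violations.append(f"{where}: readOnlyRootFilesystem must be true")
        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            violations.append(f"{where}: must drop ALL capabilities")
        extra = set(caps.get("add") or []) - ALLOWED_ADD_CAPS
        if extra:
            violations.append(f"{where}: adds capabilities {sorted(extra)}")
        # Container-level settings override pod-level ones, so look at the container first.
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if not non_root and not uid:  # uid missing or 0 means root unless runAsNonRoot is set
            violations.append(f"{where}: may run as root (set runAsNonRoot: true or a non-zero runAsUser)")
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            violations.append(f"{where}: seccompProfile.type must be RuntimeDefault or Localhost")
    return violations


# The secure-pod from the Security Context section above, as a dict.
SECURE_POD = {
    "metadata": {"name": "secure-pod"},
    "spec": {
        "securityContext": {"runAsUser": 1000, "runAsGroup": 3000, "fsGroup": 2000},
        "containers": [{"name": "secure-container", "image": "nginx",
                        "securityContext": {"allowPrivilegeEscalation": False,
                                            "readOnlyRootFilesystem": True,
                                            "capabilities": {"drop": ["ALL"]}}}],
    },
}
# The same pod with the one missing setting added at pod level.
HARDENED_POD = copy.deepcopy(SECURE_POD)
HARDENED_POD["spec"]["securityContext"]["seccompProfile"] = {"type": "RuntimeDefault"}
# Constructed example of an insecure pod configuration.
INSECURE_POD = {
    "metadata": {"name": "debug"},
    "spec": {"hostNetwork": True,
             "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
             "containers": [{"name": "shell", "image": "busybox",
                             "securityContext": {"privileged": True}}]},
}

if __name__ == "__main__":
    for p in (SECURE_POD, HARDENED_POD, INSECURE_POD):
        found = check_pod(p)
        print(f"{p['metadata']['name']}: {'FAIL' if found else 'PASS'}")
        for msg in found:
            print("  -", msg)
```

Run against the page's own `secure-pod` the checker reports exactly one gap, the missing seccomp profile; adding `seccompProfile: {type: RuntimeDefault}` to the pod's `securityContext` makes it pass, while the constructed `debug` pod fails eight checks.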
## Secrets Management

### Secret Creation

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: app-secrets
type: Opaque
data:
  username: dXNlcm5hbWU=
  password: cGFzc3dvcmQ=
```

The values under `data` are only base64-encoded, not encrypted: anyone who can `get` the Secret can decode them. Protect Secrets with tight RBAC (note that `list` and `watch` on secrets expose the contents just as `get` does), enable encryption at rest for the `secrets` resource in etcd, and keep Secret manifests with real values out of version control.
### Using Secrets in Pods

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: secret-pod
spec:
  containers:
  - name: app
    image: nginx
    env:
    - name: APP_USERNAME
      valueFrom:
        secretKeyRef:
          name: app-secrets
          key: username
    volumeMounts:
    - name: secrets
      mountPath: "/etc/secrets"
      readOnly: true
  volumes:
  - name: secrets
    secret:
      secretName: app-secrets
```

Both injection methods are shown. Environment variables are inherited by every child process and tend to show up in crash dumps and debug output; values mounted as files are easier to scope and are refreshed by the kubelet when the Secret changes, whereas environment variables are fixed until the pod restarts. Prefer the volume mount for sensitive material.
## Best Practices

- Use RBAC for access control
- Implement network policies
- Configure security contexts
- Manage secrets properly
- Use service accounts
- Enable audit logging
- Regular security updates
## Common Pitfalls

- Overly permissive RBAC
- Missing network policies
- Insecure pod configurations
- Poor secrets management
- Weak authentication
- Insufficient monitoring
## Implementation Examples

### Complete Security Configuration

The pod carries the `app: web` label so that `app-network-policy` actually selects it; without a matching label the policy would apply to nothing. The `app-secrets` Secret it mounts is the one created in the Secrets Management section.

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-service-account
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: app-role
rules:
- apiGroups: [""]
  resources: ["pods", "services"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-role-binding
subjects:
- kind: ServiceAccount
  name: app-service-account
roleRef:
  kind: Role
  name: app-role
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: app-network-policy
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 80
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: backend
    ports:
    - protocol: TCP
      port: 8080
---
apiVersion: v1
kind: Pod
metadata:
  name: secure-app
  labels:
    app: web
spec:
  serviceAccountName: app-service-account
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000
  containers:
  - name: app
    image: nginx
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
        - ALL
    volumeMounts:
    - name: secrets
      mountPath: "/etc/secrets"
      readOnly: true
  volumes:
  - name: secrets
    secret:
      secretName: app-secrets
```
### Security Audit Configuration

```yaml
apiVersion: audit.k8s.io/v1
kind: Policy
metadata:
  name: audit-policy
rules:
- level: Metadata
  resources:
  - group: ""
    resources: ["pods", "services", "secrets"]
- level: Request
  resources:
  - group: "rbac.authorization.k8s.io"
    resources: ["roles", "rolebindings"]
- level: RequestResponse
  resources:
  - group: "authentication.k8s.io"
    resources: ["*"]
```

An audit policy is not applied with `kubectl`; the API server loads it at startup through `--audit-policy-file`, together with a log backend (`--audit-log-path`) or a webhook backend. The `Metadata` level for `secrets` is deliberate: logging request bodies would copy secret values into the audit log. The same concern applies to the last rule: a `TokenReview` request body carries the bearer token being checked, so `RequestResponse` on `authentication.k8s.io` writes credentials into the log. Use `Metadata` for that group unless the bodies are genuinely needed and the log store is protected accordingly.
## Resources for Further Learning

### Practice Exercises

- Configure RBAC policies
- Implement network policies
- Set up pod security contexts
- Manage secrets securely
- Configure audit logging