Is your Kubernetes cluster secure? Here’s a simple first step to harden it.
IT organizations need to ensure that their Kubernetes clusters can resist cyberattacks that can compromise sensitive data and applications. These tips can help you build a compliant, secure cloud-native computing platform.
by Alex Tesch, Senior Solution Architect, Cloud Native Computing Practice, HPE Advisory & Professional Services
With the increase of Kubernetes clusters running production workloads in enterprises, security teams are increasingly concerned about the possibility of black-hat hackers exploiting K8s vulnerabilities and gaining control of applications and data hosted in the cluster. HPE Services Advisory & Professional Services provides a simple first step to harden Kubernetes clusters running in enterprises, based on our extensive experience and expertise in Kubernetes platform design, build, and operation.
The time is already past in which corporations considered K8s simply as a development and testing platform to get ready for the cloud-native world. Developers have demonstrated time and again the benefits of Kubernetes as a container orchestrator and critical resource provider for their pipelines to bring new features and capabilities to their enterprise applications in record time.
As software development accelerated and developers found new uses for K8s, security, in most cases, was an afterthought. Nowadays, it is imperative to ensure that Kubernetes clusters are hardened to acceptable standards to reduce the risk of exploits that can compromise sensitive data and applications.
The Center for Internet Security (CIS) provides the de facto standards for benchmarking the security of IT systems, and Kubernetes is no exception. To harden a Kubernetes cluster according to CIS Benchmark 1.6 (the latest at the time of this writing), Kubernetes administrators can obtain the benchmark document from the CIS website:
https://www.cisecurity.org/cis-benchmarks
The document is 271 pages long, so performing the hardening manually is a really time-consuming endeavor.
Accelerate Kubernetes hardening with Kube-Bench
Luckily for K8s admins, there are faster ways to harden Kubernetes and bring it up to CIS standards. Kube-Bench is an open-source project that works with the CIS community to automate the benchmark tests, report which test cases fail, and advise on how to fix them so the Kubernetes cluster can be brought into compliance. It is written in Go, and the source code is hosted at:
https://github.com/aquasecurity/kube-bench
It is available for everyone to use under the Apache 2.0 license. Kube-Bench is open to feedback and ideas for improvement as well as code contributions to make it better.
The Kube-Bench tool is already containerized, and the manifests to run it on Kubernetes are available at:
https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job-master.yaml
(checks and advice for master/etcd hardening)
and
https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job-node.yaml
(checks and advice for worker node hardening).
Assessing the security compliance of a Kubernetes cluster is as simple as running the Kube-Bench manifest with the kubectl client. The job runs for less than a minute, and upon completion the logs can be extracted from the pods. These logs list the failed tests, the recommendation for each one, and the configuration change needed to make the Kubernetes cluster CIS compliant. Kube-Bench is definitely a faster way to perform the hardening tests and get insight into the best practices provided by the Center for Internet Security.
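The procedure just described, as an added example that is not part of the article or the kube-bench project: a POSIX shell script that applies one of the two upstream Job manifests with kubectl, waits for the job to finish, pulls its log, and then triages that log so that only the [FAIL] checks and their remediation text remain. It assumes kubectl is already configured for the cluster and that the Job resources in job-master.yaml and job-node.yaml are named kube-bench-master and kube-bench-node (the job name is passed as a parameter so it can be corrected if the manifests change). The sample output embedded at the bottom is constructed in the style of a kube-bench log, so the triage functions can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the HPE article or the kube-bench project).
# Runs a kube-bench Job with kubectl and reduces its log to the failed checks.
# Assumptions: kubectl already points at the cluster; Job names below match
# the upstream manifests (kube-bench-master / kube-bench-node).

KUBE_BENCH_RAW="https://raw.githubusercontent.com/aquasecurity/kube-bench/main"

# Apply one kube-bench Job manifest, wait for it to complete, print its log.
# Usage: run_kube_bench_job job-master.yaml kube-bench-master
run_kube_bench_job() {
    manifest="$1"
    job="$2"
    kubectl apply -f "$KUBE_BENCH_RAW/$manifest"
    kubectl wait --for=condition=complete --timeout=120s "job/$job"
    kubectl logs "job/$job"
}

# Count the checks reported as [FAIL] in a kube-bench log read from stdin.
count_fails() {
    grep -c '^\[FAIL\]' || true
}

# Print each failed check (id and title) followed by its remediation text
# taken from the "== Remediations ... ==" section. Remediations may wrap
# onto continuation lines, which are joined to the preceding check id.
failed_with_remediation() {
    awk '
        /^$/ { next }
        /^\[FAIL\] / {
            id = $2
            fail[id] = 1
            order[++n] = id
            title[id] = substr($0, length($1) + length($2) + 3)
            next
        }
        /^== Remediations/ { inrem = 1; cur = ""; next }
        /^== Summary/      { inrem = 0; next }
        inrem && $1 ~ /^[0-9]+(\.[0-9]+)*$/ { cur = $1; rem[cur] = $0; next }
        inrem && cur != "" { rem[cur] = rem[cur] " " $0 }
        END {
            for (i = 1; i <= n; i++) {
                id = order[i]
                print id "\t" title[id]
                if (id in rem) print "\tfix: " rem[id]
            }
        }
    '
}

# Constructed sample in the style of a kube-bench master log (not real output).
SAMPLE='[INFO] 1 Master Node Security Configuration
[PASS] 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)
[FAIL] 1.2.6 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)
[WARN] 1.2.1 Ensure that the --anonymous-auth argument is set to false (Manual)
[FAIL] 1.2.16 Ensure that the admission control plugin PodSecurityPolicy is set (Automated)

== Remediations master ==
1.2.6 Follow the Kubernetes documentation and setup the TLS connection between
the apiserver and kubelets.
1.2.16 Follow the documentation and create Pod Security Policy objects as per your environment needs.

== Summary master ==
1 checks PASS
2 checks FAIL
1 checks WARN
0 checks INFO'

# With "run" as the first argument, execute the real master job against the
# cluster; with no arguments, triage the constructed sample offline.
if [ "${1:-}" = "run" ]; then
    run_kube_bench_job job-master.yaml kube-bench-master | failed_with_remediation
elif [ "${1:-}" = "" ]; then
    printf '%s\n' "$SAMPLE" | failed_with_remediation
fi
```

Run it as `sh kube-bench-triage.sh run` for the master checks, and repeat with `job-node.yaml kube-bench-node` for the workers. Treat [WARN] results separately: they are the manual checks the benchmark cannot verify automatically, so they still need a human review even when the [FAIL] list is empty.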
Take security to the next level with HPE Services
In order to operate a CIS-compliant, secure cloud-native computing platform, you won’t want to stop there. For some enterprise Kubernetes distributions, it is possible to draft the template with HPE Services’ K8s cluster design and request CIS 1.6 compliance. Rancher Kubernetes Engine 2 (also known as RKE Government) is one of the offerings that HPE Pointnext Services can help customers leverage. As part of the design and build of a customer’s Container Orchestration Platform, HPE Services Advisory & Professional Services can take CIS compliance into consideration before deploying the Kubernetes cluster. We can expedite the go-live of the production application in a hardened platform based on our cloud-native computing security reference architecture and its minimum viable functionalities (see below).
HPE Services Advisory & Professional Services can help you get the most out of your Kubernetes security strategy. We understand that once cloud-native workloads reach production maturity, care must be taken to comply with regulations and security guidelines. The HPE Container Adoption Service can help your team to design a container platform that will allow you to run your applications in production while taking care to address security compliance.
Learn more about technology services consulting from HPE – expert advice and implementation to take your digital transformation to the next level.
Read more about HPE Services and how we help you navigate what’s next.
Alex Tesch has been working with open-source enterprise technologies for the most part of his 22-year IT career. Before joining Hewlett Packard Enterprise, he worked with Red Hat, IBM and Sun Microsystems. Alex is currently an APJ lead consultant in the Hybrid IT Center of Excellence at HPE, where he designs and evangelizes cloud-native solutions that help customers to modernize their infrastructure and adopt new best practices to leverage next-generation IT.