Securing Kubernetes with the HPE Cloud Native Computing Security Framework

IT organizations need to ensure that their Kubernetes clusters are resistant against cyberattacks that can compromise sensitive data and applications. Here are some tips to build a compliant, secure cloud-native computing platform.

By Nicolas Orand, Senior Chief Solution Architect in HPE Advisory & Professional Services’ Cloud Native Computing Practice Area.

Security has been a primary concern for IT transformations – whether around platforms or applications – for a long time. It is the same with the cloud native computing transformation journey. In an earlier blog, the HPE Services team covered security concerns and challenges that customers typically have and addressed them based on the HPE Cloud Native Computing Security Reference Architecture. (See: Is your Kubernetes cluster secure? Here’s a simple first step to harden it.) In this article, I’ll explore Kubernetes security, from infrastructure to containers and applications, in detail.

Securing the Infrastructure

The HPE Cloud Native Computing Security Reference Architecture, which covers the main components surrounding the container platform, is highlighted below. The focus of this article is around security of the container orchestration platform, Kubernetes in this case.

[Figure 1: HPE Cloud Native Computing Security Reference Architecture]

Before deploying Kubernetes, it's important to ensure that the underlying infrastructure is secure. This includes securing the nodes in the cluster, the network, and any cloud or on-premises resources that the cluster relies on.

Node security

Nodes are the machines that run the Kubernetes workloads. Securing the nodes is critical to ensuring the security of the entire Kubernetes cluster. Below we list some best practices for securing nodes in a Kubernetes cluster:

  • Keep the operating system up to date with the latest security patches. Note that the current trend is to use an immutable OS for the Kubernetes nodes; Kubernetes then manages OS updates by rolling out new node images during a cluster upgrade, relieving the administrator of this responsibility.
  • Disable unused services and ports to reduce the attack surface. On an immutable OS, only the ports required to run the Kubernetes cluster and its workloads are enabled, with no option to open additional ports.
  • Configure firewalls to restrict access to the nodes.
  • Use SSH keys instead of passwords for remote access. With an immutable OS there is no need to access the nodes via SSH at all, as management is done through Kubernetes operators.
  • Encrypt sensitive data, such as passwords and certificates, using a secure key management system.

Network security

The network is a critical component of Kubernetes security. Network security policies should be put in place to restrict access to the Kubernetes API, as well as to any other services or applications running on the cluster. Use a dedicated network for the Kubernetes cluster and a network policy to restrict access to the Kubernetes API server. You can also use a service mesh (such as Istio or Linkerd) to provide additional network security features, such as mutual TLS and rate limiting.

Rate limiting is an important consideration: it lets you define the number of requests expected from heavy users during peak hours, and once that threshold is exceeded, further requests from the offending clients are dropped, since the excess could be a denial-of-service attempt. By enabling rate limiting, we can guarantee that all users have fair access to the application workloads.

Cloud and on-premises resources

Whether your Kubernetes cluster runs in the cloud or on-premises, the resources it depends on must also be secured. This includes any databases, storage systems, or other services that the cluster relies on. Use strong authentication and access control mechanisms to restrict access to these resources, and remember that encryption is key to protecting sensitive data both in transit and at rest.

The last point is on the operations side – use auditing and monitoring tools to detect and respond to security incidents.

Securing Containers

Once the underlying infrastructure is secured, it's time to focus on securing the containers that are deployed to the cluster. Container security is critical because vulnerabilities in containers can be exploited to gain access to the underlying host and potentially compromise the entire cluster.

Image scanning

One critical aspect of securing containers is to ensure that the container images deployed to the cluster are secure. Vulnerabilities in container images can be exploited to gain access to the underlying host and potentially compromise the entire cluster. This is where container scanning comes into play.

Container scanning is the process of analysing container images for known vulnerabilities and misconfigurations. A container scanner analyses the contents of the container image, including the operating system binaries, libraries and application dependencies, and compares them against a database of known vulnerabilities. The scanner then reports any vulnerabilities found, along with remediation steps.

Container scanning can be done at various stages of the development and deployment pipeline, including during the build process, before deployment to a test environment, and before deployment to a production environment.

There are several container scanning tools available, including open-source tools like Clair, Trivy, and Anchore, as well as commercial tools like Aqua Security, Sysdig Secure, and Twistlock.

Pod security

Pod Security Admission provides a way to enforce security controls on pods running on the cluster. For example, it can require that all containers in a pod run as non-root users, or that all containers in a pod use read-only file systems. These requirements are enforced by the built-in Kubernetes Pod Security admission controller.

In addition to Pod Security Admission, Kubernetes exposes other Linux security features for containers, such as:

  • Seccomp: A Linux kernel feature that can be used to restrict the system calls that a container is allowed to make.
  • AppArmor (Ubuntu) and SELinux (RHEL): Linux security modules that can be used to restrict the actions that a container is allowed to perform.
  • cgroups: A Linux kernel feature that can be used to limit the resources that a container is allowed to use, such as CPU and memory.

Network policies

Network policies provide a way to restrict network traffic to and from pods running on the cluster. Network policies are defined using Kubernetes YAML files and are enforced by the cluster's network plugin. They can restrict traffic based on source and destination IP addresses, protocols, and ports. The choice of Container Network Interface (CNI) plugin also determines which additional policy features are available. A network policy can define rules for both ingress and egress and restrict traffic based on labels assigned to pods and namespaces.
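An added example, not part of the original article: a default-deny policy for a namespace followed by an allow-list that uses pod and namespace labels for both ingress and egress. The namespace, label values and ports are assumptions; the kube-dns labels are those used by CoreDNS in a standard cluster.

```yaml
# With no policy selecting a pod, all traffic is allowed. Selecting every pod
# and permitting nothing makes traffic allowed only where a later policy opens it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments                 # assumed namespace name
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
# Allow-list for pods labelled app=api: HTTP in from the ingress controller's
# namespace or from app=frontend pods here; out only to the database and DNS.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes: ["Ingress", "Egress"]
  ingress:
    - from:                            # entries in one list are OR-ed
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - { protocol: TCP, port: 8080 }
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: postgres
      ports:
        - { protocol: TCP, port: 5432 }
    - to:                              # namespace AND pod selector in one entry
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - { protocol: UDP, port: 53 }
        - { protocol: TCP, port: 53 }
```

The egress rule for DNS is the one most often forgotten: without it, a default-deny namespace silently breaks service discovery for every pod it selects.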

Secrets management

Kubernetes provides a way to store sensitive information, such as passwords and certificates, in a secure manner using Secrets. Secrets can be created using Kubernetes YAML files and can be mounted as volumes in containers. Secrets are encrypted at rest and are only accessible to authorized users.

Securing Applications

In addition to securing the infrastructure and containers, it's also important to secure the applications running on the Kubernetes cluster. Application security includes securing the code of the application, as well as securing the deployment of the application.

Code security

Code security refers to the process of ensuring that the application code running in the container is free of known vulnerabilities and adheres to safe coding practices. Some of the considerations to take into account include:

  • Using static code analysis tools to detect security flaws in the application code. Insecure coding patterns create exploitable flaws, including ones that allow privilege escalation; static application security testing (SAST) flags such code so that it can be fixed in a future release.
  • Using runtime security tools, such as WAFs (web application firewalls), to detect and prevent attacks.
  • Using dynamic application security testing (DAST) to detect conditions that indicate a security vulnerability in an application in its running state.

Deployment security

Deployment security refers to the process of ensuring that the application is deployed to the cluster in a secure manner. This includes:

  • Using a secure deployment process that includes security checks. This can be automated as part of a CI/CD pipeline that covers the items mentioned above (SAST, DAST, image scanning).
  • Ensuring that the application is deployed using the latest version of the container image.
  • Using RBAC (role-based access control) to restrict access to the application.
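The SAST, image scanning and DAST checks described under Code security and Deployment security can be chained so that an image is pushed to the registry only after all of them pass. The GitHub Actions workflow below is an added example, not HPE's pipeline; the image name, listening port and tool choices (Semgrep, Trivy, OWASP ZAP) are assumptions.

```yaml
name: secure-build
on: [push]
env:
  IMAGE: ghcr.io/example-org/payments-api:${{ github.sha }}   # placeholder image name
jobs:
  sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Semgrep static analysis
        run: |
          pip install semgrep
          semgrep scan --config p/ci --error .      # --error: non-zero exit on findings
  build-scan-push:
    needs: sast                                     # never build from code that failed SAST
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v4
      - run: docker build -t "$IMAGE" .
      - name: Trivy image scan
        uses: aquasecurity/trivy-action@master      # pin to a release tag or commit SHA
        with:
          image-ref: ${{ env.IMAGE }}
          severity: HIGH,CRITICAL
          ignore-unfixed: true
          exit-code: "1"                            # fails the job, so nothing is pushed
      - name: Start the image for dynamic testing
        run: docker run -d -p 8080:8080 "$IMAGE" && sleep 10   # assumes the app listens on 8080
      - name: OWASP ZAP baseline scan (DAST)
        # -I reports warnings without failing; rules promoted to FAIL via a ZAP
        # config file (-c) still break the build
        run: >
          docker run --rm --network host ghcr.io/zaproxy/zaproxy:stable
          zap-baseline.py -t http://localhost:8080 -I
      - name: Push the scanned image
        run: |
          echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin
          docker push "$IMAGE"
```

Tagging the image with the commit SHA rather than `latest` lets the deployment reference exactly the artifact that passed these checks.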

Kubernetes provides a powerful platform for running containerized applications, but it also introduces new security challenges. To ensure the security of a Kubernetes cluster, it's important to secure the underlying infrastructure, containers, and applications. This includes using best practices for node security, network security, and cloud/on-premises resource security, as well as using container scanning, pod security admission, network policies, secrets management, and code and deployment security measures. By following these best practices and using the security features provided by Kubernetes, organizations can ensure the security and reliability of their Kubernetes deployments.

Every organization will have its own constraints for containers or security. HPE Advisory and Professional Services can help you define your strategy, design, delivery, and operations and guide you all the way to implementing them.

A holistic view of security is paramount for a proper implementation. That means taking a comprehensive approach to security that involves both technical and non-technical measures. It requires a deep understanding of your organization’s operations beyond your Kubernetes systems, while considering risks, vulnerabilities and willingness to invest in the resources necessary to implement and maintain effective security controls.

Within the container platform boundaries, HPE Advisory and Professional Services has defined a container security framework to tackle the most important factors to take into consideration to mitigate security risks at all levels in the Kubernetes environment. The image below compiles the different building blocks that should be considered to reduce the potential attack surface.

[Figure 2: Building blocks of the HPE container security framework]

By mapping this security framework to the first figure presented in this article, which represents the components surrounding the container platform, it is possible to get a better understanding of the security considerations covered in the framework developed by HPE Advisory and Professional Services. See the figure below:

[Figure 3: The container security framework mapped onto the security reference architecture]

Security is an ongoing process. HPE Advisory and Professional Services can help you continuously monitor your organization’s security posture and make adjustments as needed by regularly reviewing and updating the security strategy and controls. We can help you ensure that your security posture remains strong.

Nicolas Orand is Senior Chief Solution Architect in HPE Advisory & Professional Services’ Cloud Native Computing Practice Area. He has been with HP/HPE for 11 years, working on hybrid cloud for five years. Nicolas has three focus areas: He is a Global Cloud Native Computing Container solution development architect. He’s an EMEA Red Hat Cloud Architect for HPE Advisory and Professional Services, enjoying a great partnership with Red Hat. And he’s responsible for France Delivery for HPE hybrid cloud products. Nicolas is based in Grenoble.

Contact Nicolas on LinkedIn: Nicolas Orand
