The Kubernetes Series: Part Three - Security

Over the past couple of months, we’ve been exploring the origins and benefits of Kubernetes, as well as the best way to create an effective strategy. Today, we’re going to explore a vital aspect of a truly effective Kubernetes strategy: security. 

A survey by McKinsey and Company found that “companies have accelerated the digitisation of their customer and supply-chain interactions and of their internal operations by three to four years” because of the COVID-19 pandemic. Over the last year and a half, Kubernetes has seen its user base grow as more organisations look for ways to improve their infrastructure. However, organisations should ensure they create and follow an effective strategy that prioritises security to limit breaches.

Cyberattacks

Similar to every other platform, Kubernetes is susceptible to cyberattacks. For example, in 2018, the Kubernetes ecosystem was shocked to learn about the first major security flaw in the platform. The vulnerability enabled attackers to compromise clusters via the Kubernetes API server, allowing them to run code to perform malicious activity such as installing harmful malware. 


Perhaps the most high-profile Kubernetes hack of the last couple of years happened at Tesla, where hackers infiltrated Tesla’s AWS Kubernetes console, which was not password protected. Researchers from RedLock Cloud Security Intelligence discovered that cryptocurrency mining scripts were used to engage in crypto-jacking, allowing the hackers to steal the Tesla AWS computing resources to mine cryptocurrency.

Evolvere - Blog Banners(8).jpg

Kubernetes also operates a bug bounty programme to handle platform vulnerabilities and resolve them in a timely manner. Additionally, Kubernetes offer documents explaining how organisations can secure clusters. We’ll explore the advice in some more detail below. 

Controlling access to the Kubernetes API

As Kubernetes is API-driven, controlling and limiting who can access the cluster and what actions they are allowed to perform is the best way to ensure the cluster is secure. Kubernetes recommends that users encrypt all API communication with Transport Layer Security (TLS), and the majority of installation methods will allow the necessary certificates to be created and distributed to the other cluster components. 

Additionally, APIs should be authenticated and should pass an authorisation check. Users should employ an authentication mechanism for the API servers which matches common access patterns when installing a cluster. Larger clusters may require an existing OIDC or LDAP server to subdivide users into groups. Once authenticated, every API call should pass an authorisation check. With authorisation, it is important to understand how updates on one object may cause actions on others. 

Technology Jump-Start

Adopting new technology takes a significant amount of time and effort. If you’d like to implement Kubernetes securely, but you’re not sure where to start, we have a solution. We can accelerate this process and relieve the burden from infrastructure teams. Our Technology Jump-Starts for Kubernetes and Rancher will demonstrate a range of capabilities, such as high availability of Rancher and Kubernetes clusters, the scaling of compute and non-compute resources and components, integration with continuous delivery platforms for scaling and deployment, and more. 

You can learn more about our Technology Jump-Start services here.