Recent attacks like those on Colonial Pipeline, SolarWinds, and Twitch have gained notoriety and foregrounded the importance of security within cloud infrastructure. Unfortunately, the complexity of cloud infrastructure, as well as the growing adoption of Kubernetes, has significantly increased the attack surface. Security concerns no longer revolve around networking and patching vulnerable operating systems; instead, the software delivery process itself has become a vector for attack. TL;DR: it’s crucial to implement security hardening in all aspects of cloud infrastructures.
So, what can we do? There are various tools, frameworks, and techniques that we can leverage to protect against such attacks, including Cloud Security Posture Management (CSPM), Supply-Chain Levels for Software Artifacts (SLSA, also known as “salsa”), and Kubernetes Security Posture Management (KSPM). All of these tools are based on “the 4C’s” of cloud native security: cloud, clusters, containers, and code.
In this article, we will explore KSPM and explain several Kubernetes resources that can help you strengthen the security posture of your infrastructure.
What Is KSPM?
Kubernetes Security Posture Management (KSPM) allows you to use automation tools to secure your cloud infrastructure by focusing on Kubernetes resources that are part of the system.
KSPM detects misconfigurations in any Kubernetes setup, and it can be configured to proactively alert you about these issues so that you can act quickly and mitigate them.
How and Why Can KSPM Help You?
Malicious actors can exploit vulnerabilities and insecure configurations in Kubernetes resources. In other words, both misconfigurations and insufficient knowledge of Kubernetes can be seen as attack surfaces. To achieve a strong security posture in your organization’s Kubernetes system, you need to harden the following resources:
Role-Based Access Control (RBAC)
You can think of Role-Based Access Control (RBAC) as a doorway into your Kubernetes system. Weak RBAC policies (such as granting broad permissive access to Kubernetes resources) are indicative of a weak security posture and can be used as a point of entry for attackers. To help keep your Kubernetes system secure, you must perform regular audits of your RBAC policies and remove access permissions for inactive users, employees who have left the organization, and compromised service accounts that were mistakenly shared or merged with the repository code base.
Since most of your Kubernetes-based application is composed of containers, hardening container images must also be a main priority. Some of the most important things you can do to secure your system include scanning containers for any vulnerabilities or misconfigurations, enforcing the policy of least privilege, ensuring that your container images come from trusted sources, and using minimal operating system images with read-only file permissions. You must also patch your container OS regularly to prevent the possibility of attacks and keep your base images up to date, including any third-party tools that are required to run your containers. Make sure to use Kubernetes secrets to pull container images from a trusted registry.
Cloud networking is very complex. You must configure network policies and firewalls to separate and isolate Kubernetes resources. One of the most important ways to prevent attacks is to secure your control plane by blocking direct access. Using private and public clusters can also play an important role in preventing the exposure of an attack surface within your system. Strict network isolation can prevent unauthorized attacks such as external ingress to cluster API endpoints, nodes, or pod containers. It’s essential to decide which nodes, clusters, and pods really need access to the internet and restrict access for the rest.
Communication between application workloads and services should be kept as internal as possible, and load balancers that enable such communication should be configured accordingly. Application service calls between applications should also be handled internally unless external/internet communication is strictly necessary. Workload communications also need to be encrypted. You can isolate workloads by using namespaces, which helps you separate different workloads or services from your main application.
So how can you implement this hardening to secure your Kubernetes system? The answer is to use policies. For example, you could use network policies, RBAC or authorization policies, pod security policies, Kubernetes admission controllers, and an Open Policy Agent that allows you to enforce these policies.
Once all the hardening is in place, you need to monitor it to make sure that it’s doing what it needs to do. When attacks do occur, you need to have visibility into your systems so that you can know when the attack happened and what was done to mitigate the damage. This insight will help you prepare to prevent the same type of attack from happening again. Aside from monitoring, reports are important for compliance purposes.
Another important aspect of security is audit logging. This keeps track of events and changes in your system and helps you evaluate your security as well as identify any loopholes, breaches, or attacks. Besides, it helps you evaluate your existing policies and find opportunities for improvement.
As we’ve seen, Kubernetes Security Posture Management (KSPM) consists of hardening your container images, applying network policies, configuring RBAC policies, and enforcing Kubernetes admission controllers. KSPM uses automation tools to help you strengthen your security posture by finding and fixing security issues. KSPM automates the process of finding RBAC misconfigurations, container images that need to be patched, and other vulnerabilities that you define in your policies.
Prisma Cloud helps you secure your organization’s Kubernetes systems, including your overall Kubernetes security posture. They offer many essential features, including policy monitoring, audit trails, and the ability to detect threats as well as attacks.