Securing the cluster

As we've discussed, there are several areas of focus when securing a cluster. Ensure that you have read through and made configuration changes (in code) to your cluster configuration in the following areas:

  • Logging: Ensure that your Kubernetes logs are enabled. You can read more about audit logging here: https://kubernetes.io/docs/tasks/debug-application-cluster/audit/.
  • Make sure you have authentication enabled so that your users, operators, and services identify themselves with unique identities. Read more about authentication here: https://kubernetes.io/docs/reference/access-authn-authz/authentication/.
  • Ensure that you have proper separation of duties, role-based access control, and fine-grained privileges using authorization. You can read more about HTTP-based controls here: https://kubernetes.io/docs/reference/access-authn-authz/authorization/.
  • Make sure that you have locked down the API to specific permissions and groups. You can read more about access to the API here: https://kubernetes.io/docs/reference/access-authn-authz/controlling-access/.
  • When appropriate, enable an admission controller to further re-validate requests after they pass through the authentication and authorization controls. These controllers can take additional, business-logic-based validation steps in order to secure your cluster further. Read more about admission controllers here: https://kubernetes.io/docs/reference/access-authn-authz/controlling-access.
  • Tune Linux system parameters via the sysctl interface. This allows you to modify kernel parameters, both node-level and namespaced sysctls. There are safe and unsafe system parameters, and there are several subsystems that can be tweaked with sysctls. The subsystems are as follows:
    • abi: Execution domains and personalities
    • fs: Specific filesystems, filehandle, inode, dentry, and quota tuning
    • kernel: Global kernel information/tuning
    • net: Networking
    • sunrpc: SUN Remote Procedure Call (RPC)
    • vm: Memory management tuning, buffer, and cache management
    • user: Per-user, per-user-namespace limits

You can read more about sysctl calls here: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/.

You can allow a specific unsafe sysctl on a node by passing it to the kubelet, for example:

kubelet --allowed-unsafe-sysctls 'net.ipv4.route.min_pmtu'
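The kubelet applies the same safe/unsafe split to every sysctl a Pod requests in spec.securityContext.sysctls, and it additionally rejects sysctls that are not namespaced at all, whatever the flag allows. The following added example (not from the book or from Kubernetes itself) reproduces that decision for a manifest so you can review it before deployment; it assumes the safe list and namespaced families as documented for Kubernetes 1.22, and a constructed sample Pod.

```python
import fnmatch

# Safe sysctls: namespaced and isolated between pods, so the kubelet allows them
# by default. Assumption: the set documented for Kubernetes 1.22; later releases add more.
SAFE_SYSCTLS = {
    "kernel.shm_rmid_forced",
    "net.ipv4.ip_local_port_range",
    "net.ipv4.tcp_syncookies",
    "net.ipv4.ping_group_range",
    "net.ipv4.ip_unprivileged_port_start",
}

# Families the Kubernetes docs list as namespaced. Anything outside them is
# node-level and cannot be set from a Pod spec, even if the kubelet flag names it.
NAMESPACED_PATTERNS = ("kernel.shm*", "kernel.msg*", "kernel.sem", "fs.mqueue.*", "net.*")


def _matches_any(name, patterns):
    # --allowed-unsafe-sysctls accepts exact names or trailing-'*' globs (e.g. 'kernel.msg*')
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def classify_sysctl(name, allowed_unsafe=()):
    """Return 'safe', 'allowed-unsafe', 'blocked-unsafe' or 'node-level' for one sysctl."""
    if name in SAFE_SYSCTLS:
        return "safe"
    if not _matches_any(name, NAMESPACED_PATTERNS):
        return "node-level"
    if _matches_any(name, allowed_unsafe):
        return "allowed-unsafe"
    return "blocked-unsafe"


def check_pod_sysctls(pod, allowed_unsafe=()):
    """Map each sysctl requested in pod.spec.securityContext.sysctls to its verdict."""
    sysctls = pod.get("spec", {}).get("securityContext", {}).get("sysctls", [])
    return {s["name"]: classify_sysctl(s["name"], allowed_unsafe) for s in sysctls}


def pod_admissible(pod, allowed_unsafe=()):
    """True only if the kubelet would accept every requested sysctl."""
    return all(v in ("safe", "allowed-unsafe")
               for v in check_pod_sysctls(pod, allowed_unsafe).values())


# Constructed sample manifest (not from the book): one sysctl from each class.
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "sysctl-demo"},
    "spec": {"securityContext": {"sysctls": [
        {"name": "net.ipv4.tcp_syncookies", "value": "1"},      # safe
        {"name": "net.ipv4.route.min_pmtu", "value": "552"},    # unsafe, namespaced
        {"name": "kernel.msgmax", "value": "65536"},            # unsafe, namespaced
        {"name": "vm.swappiness", "value": "10"},               # node-level
    ]}, "containers": [{"name": "app", "image": "busybox"}]},
}
```

Run check_pod_sysctls(SAMPLE_POD, ["net.ipv4.route.min_pmtu"]) to see that the kubelet flag from the command above unblocks only that one entry, while vm.swappiness still makes the Pod unschedulable.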

Here's a diagram of the authorization, authentication, and admission control working together:
