There are multiple ways to secure your deployed Kubernetes cluster. In this article, the five, most effective steps and ways to achieve your security goals, then protect your cluster from hiking are summarized.
Secure cluster access through firewall
Control the Kubernetes cluster master management node access through reverse proxy with IPSec encrypted communication between the proxy and the master node.
Using two way authentication with SSO to secure the proxy server access from external users using SSH like secure channels.
Deploy AAA policies for API access
Use Authentication, Authorization and Admission control to fine turn the availability of Kubernetes resources to different users and Pods. X.509 client certificate, OIDC, web hook with static token issued by Kubernetes API servers with the help of technologies such as Active Directory server, secure LDAP can make the process more scale. RBAC, ABAC, Node Authorization with OPA are the practical way to achieve cluster Authorization. Using PSA policy to achieve Pod admission to prevent pods to gain unnecessary access privilege such as root access permission.
Secure key components of cluster
Using a distributed ETCD server with encrypted database, using mTLS between the communication between ETCD and API servers, route the certificate and keys more frequently.
Control Application Pod’s Access Capacity
Using Pod security policy with OPA to further control what application pods deployed into the cluster can and can not do to the system.
Secure the cluster network traffic
Use CNI implementation such as Calico with supported network policies. Always encrypted network traffic between nodes, system pod to pod network communication.
Secure application pods with service mesh
When the number of application pods deployed into the cluster exceeds a certain number, it is worth deploying service mesh solution to the cluster to gain secure network traffic between pods with mTLS, application pod trace ability, monitoring benefits and so on.
Suitable security policies are one of the key components to make your Kubernetes cluster dynamic, secure, manageable and robust.
Knowledge, Experience and Learning 