Friday, 6 December 2019

Kubernetes - is it secure?

Having won the container orchestration war, Kubernetes is increasingly business critical, so it follows that it will increasingly be targeted by black hats. It is therefore very important for organizations using it, or contemplating using it, to know whether it also measures up on the security side of things, including the core ecosystem forming around it in addition to the Kubernetes core itself.

Here is an interesting talk on the subject titled "The Devil in the Details: Kubernetes’ First Security Assessment" by Jay Beale and Aaron Small. The focus is more on Kubernetes internal development, but there are definitely also some good points for Kubernetes users who are trying to secure their clusters.

https://www.youtube.com/watch?v=1kaqHTcF3iQ

Highlights and interesting picks:

  • Kubernetes manages containers at 69% of organizations surveyed (2017)
  • Kubernetes auditing philosophy:
    • Open: Public RFP and selection process
    • Transparent: Public audit GitHub repository
    • Frugal: specific focuses, allowing for a series of assessments
    • Future-focused: Threat model and Attackers Guide
  • An attacker on a cluster is trying to compromise and escalate privilege from
    • Outside of the cluster
      • This kind of attack is very rare; it most likely requires severe misconfiguration or similar
      • Attacker sees:
        • Ingress services
        • Possibly API server
        • Less probably kubelets, etcd servers, ...
    • Inside a container whose program they've compromised
    • In a control plane element they've compromised
    • In a node they've escalated privilege on
  • Attacker inside a cluster:
    • Usually sees every pod, etcd servers, worker and master nodes, etc.
    • May have access to the cloud provider APIs depending on configuration
    • Has the opportunity to observe or PitM traffic (note HTTP flows and unverified endpoints)
  • Assessment team found Kubernetes configuration and deployment to be non-trivial, with deficiencies in default configuration settings (see https://youtu.be/1kaqHTcF3iQ?t=1688 for full quote)

Overall I get the view from this that CNCF (the foundation overseeing Kubernetes and associated open source projects) takes security seriously and there's a realistic and active approach to securing it.

At the Kubernetes user level, one of the top priorities in securing a cluster is obviously defending against escalation from inside a container to the node level (even though there are more trust zones beyond that, as defense is layered). One of the most important practices on this front is allowing only rootless containers (Red Hat gets points here for mandating the rootless model in OpenShift 4, which is supported by going with the default CRI-O + Buildah model).
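One way to check a pod manifest against that practice, as an added example that is not from the talk or this post. It assumes "rootless" means the container process is pinned to a non-root UID through the standard `securityContext` fields; `audit_pod` and the sample pod are constructed for illustration.

```python
"""Audit a parsed Pod manifest for containers that may run as root (added example)."""

def audit_pod(pod):
    """Return a list of (container_name, finding) tuples for one Pod manifest dict."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    findings = []
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(kind) or []:
            sc = c.get("securityContext") or {}
            # Container-level settings override the pod-level securityContext.
            non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
            uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
            if uid == 0:
                findings.append((c["name"], "runAsUser is 0 (root)"))
            elif non_root is not True and uid is None:
                # Nothing pins the UID, so the image's USER decides and may be root.
                findings.append((c["name"], "no runAsNonRoot and no non-zero runAsUser"))
            if sc.get("privileged") is True:
                findings.append((c["name"], "privileged container"))
            # The Restricted Pod Security Standard requires an explicit false here.
            if sc.get("allowPrivilegeEscalation") is not False:
                findings.append((c["name"], "allowPrivilegeEscalation not disabled"))
    return findings

# Constructed sample: pod-level runAsNonRoot, weakened by two of its containers.
SAMPLE_POD = {
    "metadata": {"name": "demo"},
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "initContainers": [{"name": "init", "image": "example/init",
                            "securityContext": {"runAsUser": 0}}],
        "containers": [
            {"name": "app", "image": "example/app",
             "securityContext": {"allowPrivilegeEscalation": False}},
            {"name": "sidecar", "image": "example/sidecar",
             "securityContext": {"runAsNonRoot": False, "privileged": True}},
        ],
    },
}

if __name__ == "__main__":
    for name, finding in audit_pod(SAMPLE_POD):
        print(f"{name}: {finding}")
```

The `app` container passes only because it inherits `runAsNonRoot` from the pod; the `sidecar` shows how a container-level override silently undoes a pod-level setting.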

It's also useful to note here that CIS (Center for Internet Security, https://www.cisecurity.org/) provides a Kubernetes benchmark.
