The Importance of Verifying Requests to the Kubernetes API: A Tutorial Part 3

Kubernetes Tutorial Part 3: Inspecting Requests to the K8s API

In the third part of the Kubernetes Security Tutorial, the focus is on inspecting requests to the K8s API. Every request to the API server passes through a chain of checks before it is accepted: authentication, then authorization, and finally admission control. The admission stage is implemented by plug-ins called Admission Controllers (AC). Built-in controllers are compiled into kube-apiserver and enabled with the --enable-admission-plugins flag; external ones are registered as admission webhooks. Admission controllers run only for requests that create, modify or delete objects (never for get, list or watch), and they are the last point at which a request can be changed or rejected before it is persisted.

A request is first authenticated (who is calling?) and then authorized (may this identity perform this verb on this resource?); only if it passes every stage, including admission, is it processed. The API server then writes the object to the etcd database, and the controllers continuously compare the desired state recorded there with the observed state of the cluster. Whenever the two differ, Kubernetes acts to close the gap: it starts, stops or scales workloads, and the network plugin enforces the configured network policies by dropping or forwarding packets.

To make things even more interesting, K8s knows two different AC types: mutating admission controllers may change the request (for example to inject a sidecar or fill in a default securityContext), while validating admission controllers can only accept or reject it. The mutating controllers always run first, so a validating controller sees the object as it will actually be stored. This ordering is what lets a policy engine both add a secure default and then enforce it in the same policy.

Filtering Security Rules

Filtering security rules is another important aspect of securing Kubernetes. Kubernetes natively provides Network Policies for restricting pod-to-pod traffic and RBAC for restricting what an identity may do through the API; a service mesh is not part of Kubernetes itself but is commonly added on top to enforce mutual TLS and service-level authorization. Network Policies (and mesh policies) select the pods and namespaces they apply to by label, which keeps the rules next to the workloads and makes it easy to trace who may reach what. RBAC, by contrast, is scoped by namespace and by resource, name and verb, not by label, so a label change never widens an API permission.

Kyverno

Kyverno is a relatively new open-source, Kubernetes-native policy engine that aims to make it easier to achieve and maintain a desired security configuration in Kubernetes. It runs as a mutating and validating admission webhook, and its policies are themselves Kubernetes resources (Policy for a single namespace, ClusterPolicy for the whole cluster) written in the same declarative YAML as every other manifest, so they can be versioned and reviewed like application code.

Kyverno's policy engine can not only reject privileged containers but can also mutate resources to apply least-privilege defaults and generate resources (for example a default NetworkPolicy or ResourceQuota for every new namespace) to keep the cluster compliant. Its validate rules can cover any resource kind, from Network Policies to namespace quotas and container security settings, and conditions and variables within a rule may use JMESPath expressions to inspect arbitrary fields of the admitted object.
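The following ClusterPolicy is an added example, not code from the original post or from the Kyverno project, and it illustrates both admission types described above in one policy: a mutate rule that adds least-privilege defaults, and a validate rule that rejects privileged containers. The policy and rule names, the message text and the chosen defaults are assumptions.

```yaml
# Added example (not from the original post or the Kyverno project).
# One ClusterPolicy carrying a mutate rule and a validate rule; names are assumed.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: pod-least-privilege          # assumed policy name
spec:
  validationFailureAction: Enforce   # Audit would only record violations in a PolicyReport
  background: true                   # also scan pods that already exist
  rules:
  # Mutating admission: fill in safe defaults the request left out.
  - name: add-security-defaults
    match:
      any:
      - resources:
          kinds:
          - Pod
    mutate:
      patchStrategicMerge:
        spec:
          securityContext:
            +(runAsNonRoot): true          # "+()" = add only if the field is absent
          containers:
          - (name): "*"                    # "()" = apply to every container, whatever its name
            securityContext:
              +(allowPrivilegeEscalation): false
  # Validating admission: reject what a default cannot fix.
  - name: disallow-privileged
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "Privileged containers are not allowed; remove securityContext.privileged or set it to false."
      pattern:
        spec:
          =(initContainers):               # "=()" = check only if the field is present
          - =(securityContext):
              =(privileged): "false"
          containers:
          - =(securityContext):
              =(privileged): "false"
```

Apply it with kubectl apply -f, then submit a pod whose container sets securityContext.privileged: true: the API server rejects the request and returns the message above. A pod that sets none of these fields is admitted with runAsNonRoot and allowPrivilegeEscalation filled in. Because mutation runs before validation, and because the +() anchor never overwrites a field the requester supplied, an explicit privileged: true still reaches the validate rule and is rejected rather than silently corrected. Kyverno generates the matching rules for Deployments and other Pod controllers automatically, so workloads created through a Deployment are covered as well. Two practical caveats: start with validationFailureAction: Audit and review kubectl get policyreport -A before switching to Enforce, so an existing workload is not locked out; and remember that runAsNonRoot: true is enforced by the kubelet at container start, so an image that runs as UID 0 will be admitted and then fail to start, which is exactly the kind of regression the Audit pass will surface.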

Conclusion

In conclusion, Kubernetes is an excellent platform for running containerized applications at scale, but it requires a thorough and ongoing approach to security. Securing Kubernetes means understanding how the API server authenticates, authorizes and admits each request, restricting traffic and permissions with label-based Network Policies and RBAC, and using a policy engine such as Kyverno to enforce the desired security configuration at admission time, before an insecure object is ever stored. By following these practices, you minimize the attack surface and keep your Kubernetes deployment safe and secure.
