Kubernetes security audit: What GKE and Anthos users need to know
Kubernetes reached an important milestone recently: the
publication of its first-ever security audit! Sponsored by the Cloud Native
Computing Foundation (CNCF), this security audit reinforces what has been
apparent to us for some time now: Kubernetes is a mature open-source project
for organizations to use as their infrastructure foundation.
While every audit will uncover something, this report only
found a relatively small number of significant vulnerabilities that need to be
addressed. “Despite many important findings, we did not see fundamental
architectural design flaws, or critical vulnerabilities that should cause pause
when adopting Kubernetes for high-security workloads or critical business
functions,” said Aaron Small, Product Manager, Google Cloud and member of the
Security Audit Working Group. Further, Kubernetes has an established vulnerability
reporting, response, and disclosure process, which is staffed with senior
developers who can triage and take action on issues.
Performing this security audit was a big effort on behalf of
the CNCF, which has a mandate to improve the security of its projects via its
Best Practices Badge Program. To take Kubernetes through this first security
audit, the Kubernetes Steering Committee formed a working group, developed an
RFP, worked with vendors, reviewed and then finally published the report. You
can get your hands on the full report on the Working Group’s GitHub page, or
read the highlights in the CNCF blog post.
Kubernetes security for GKE and Anthos users
Clocking in at 241 pages, the final report is very thorough
and interesting and we encourage you to read it. But what if you’re just
interested in what this report means for Google Cloud’s managed platforms,
Google Kubernetes Engine (GKE) and Anthos? If you’re not going to read the
whole thing, here’s the gist of the report and takeaways for Google Cloud
customers.
GKE makes it easy for you to follow recommended configurations
The report lays out a list of recommended actions for
cluster administrators, including using RBAC, applying a Network Policy, and
limiting access to logs which may contain sensitive information. The report
also calls out Kubernetes’ default settings. In GKE, we’ve been actively
changing these over time, including turning off ABAC and basic authentication
by default, to make sure new clusters you create are more secure. To apply the
recommended configurations in GKE, and see which have already been applied for
you, check out the GKE hardening guide.
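To make the first two recommendations concrete, here is an added example (not taken from the report or the GKE hardening guide) of a namespace-scoped Role that lets a team inspect pods without reading their logs, paired with a default-deny NetworkPolicy; the namespace `payments` and the group `payments-dev` are placeholder names.

```yaml
# Added example: least-privilege RBAC plus a default-deny NetworkPolicy.
# Namespace and group names are placeholders, not values from the page.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-viewer-no-logs
  namespace: payments
rules:
  # Pod metadata and status only. "pods/log" is a separate subresource
  # and is deliberately NOT listed, so `kubectl logs` is denied even
  # though `kubectl get pods` works.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
  # No rule for "secrets" or "configmaps": they stay out of reach.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: payments-dev-pod-viewer
  namespace: payments
subjects:
  - kind: Group
    name: payments-dev          # placeholder group name
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-viewer-no-logs
  apiGroup: rbac.authorization.k8s.io
---
# Default deny: an empty podSelector matches every pod in the namespace,
# and listing both policyTypes with no ingress/egress rules blocks all
# traffic until a more specific policy allows it. Note that egress deny
# also blocks DNS, so an allow-DNS policy normally ships alongside this.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
```

After applying, `kubectl auth can-i get pods/log -n payments --as=someone --as-group=payments-dev` should answer `no` while the same check for `list pods` answers `yes`; NetworkPolicy objects are only enforced on clusters where network policy enforcement is enabled.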
It’s not all up to you
The threat model assessed the security posture of eight
major components, but because of the GKE shared responsibility model, you don’t
have to worry about all of them. GKE is responsible for providing updates that
address vulnerabilities in the eight components listed in the report, while you
as the user are responsible for upgrading nodes and for configuration related to
workloads. You don’t even need to upgrade nodes yourself if you leave node
auto-upgrade enabled.
Kubernetes and GKE security are only going to keep getting better
With more eyes on this shared, open source technology, more
well-hidden bugs are likely to be found and remediated. The Kubernetes
community dedicated significant time and resources to this audit, emphasizing
that security is truly a top priority. With open audits like the one performed
by the CNCF, it’s easier for researchers—or your team—to understand the real
threats, and spend their time further researching or remediating the most
complex issues.
And when issues do arise, as we’ve seen multiple times with
recent vulnerabilities, the upstream Kubernetes Product Security Committee is
on top of it, quickly responding and providing fixes to the community.
Finally, since GKE is an official distribution, we pick up
patches as they become available in Kubernetes and make them available
automatically for the control plane, master, and node. Masters are
automatically upgraded and patched, and if you have node auto-upgrade enabled,
your node patches will be automatically applied too. You can track the progress
to address the vulnerabilities surfaced by this report in the issue dashboard.
[Source] https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-security-audit-what-gke-and-anthos-users-need-to-