Kubernetes Cluster: Security and More

Cluephant
3 min read, Jun 28, 2021

I always say the most important task when using the cloud is security, and it is also the most neglected aspect.

Many organizations are afraid to make a switch to the cloud because of security and privacy concerns.

The cloud can be as secure and robust as on-premises servers if you set up security correctly. Most organizations neglect this, which leads to data breaches, system hijacking, and many other threats.

Let's explore different aspects of securing a Kubernetes cluster in the cloud.

Cloud-Native Security

Cloud-Native Security can be divided into four layers, also known as the 4 C's:

  1. Cloud
  2. Cluster
  3. Container
  4. Code

Each layer is built upon the security of the previous layer, and each provides a different set of security features and capabilities. You can think of them as four building blocks, each one built on top of the other.

Cloud Layer

In this layer, we deal with cloud platforms like AWS, GCP, Azure, IBM, etc.

The cloud is the first step in securing applications that run in it. If the cloud is not secure, then the components built on top of it will be vulnerable, leading to security loopholes.

Cloud security is different for each platform, and each has its own set of best practices and recommendations to enhance security.

Discussing security best practices for each cloud is outside the scope of this article. Here are some of the best practices for the top 3 cloud providers:

  1. Amazon Web Services: https://aws.amazon.com/security/
  2. Microsoft Azure: https://docs.microsoft.com/en-us/azure/security/azure-security
  3. Google Cloud Platform: https://cloud.google.com/security/

Cluster Layer

The second step to securing your application is the cluster layer. For our case, we will be dealing with Kubernetes.

We can divide cluster layer security into 2 parts:

Components Security: This includes protecting core components and services. A few of our recommendations are:

  • Limit/restrict access to the Kubernetes API server
  • Encrypt API traffic using Transport Layer Security (TLS)
  • Enable Kubelet authentication and authorization

Applications Security: This includes protecting your applications and services running in Kubernetes. A few of our recommendations are:

  • Use Secrets for sensitive information
  • Enable RBAC Authorization
  • Use a Container Network Interface (CNI) plugin that enforces network policies to restrict pod traffic
  • Deploy applications using pod security policies and security contexts.

Container Layer

Container layer security focuses on securing and protecting the application that runs inside the container. This includes securing the images you run with Docker, containerd, CRI-O, etc.

We can take precautions like:

  • Don't use default users and groups to run your application
  • Enforce image signing to prevent the use of unauthorized images.
  • Deploy container vulnerability scanning solutions
  • Label container images
  • Frequently check for loopholes in the container libraries
  • Always use the updated images
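The security-context and non-default user/group recommendations above can be checked against a running cluster. This is an added example, not code from the article: it audits pod JSON shaped like `kubectl get pods -A -o json`, using a constructed sample with hypothetical names, and looks only at `securityContext` because PodSecurityPolicy was removed in Kubernetes 1.25.

```python
import json

# Constructed sample shaped like `kubectl get pods -A -o json` output (not from the article).
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"namespace": "shop", "name": "web"},
  "spec": {"securityContext": {"runAsNonRoot": true, "runAsUser": 10001, "runAsGroup": 10001},
           "containers": [{"name": "app", "image": "registry.example/web:1.4.2",
                           "securityContext": {"allowPrivilegeEscalation": false}}]}},
 {"metadata": {"namespace": "shop", "name": "batch"},
  "spec": {"containers": [
     {"name": "job", "image": "registry.example/batch:2.0",
      "securityContext": {"privileged": true}},
     {"name": "sidecar", "image": "registry.example/proxy:0.9",
      "securityContext": {"runAsUser": 0, "runAsGroup": 3000,
                          "allowPrivilegeEscalation": false}}]}}
]}
""")

def effective(pod_sc, ctr_sc, key):
    """A container-level securityContext value overrides the pod-level one."""
    return ctr_sc.get(key, pod_sc.get(key))

def audit(pod_list):
    """Return (pod, container, issue) tuples for risky security contexts."""
    findings = []
    for pod in pod_list.get("items", []):
        ref = f'{pod["metadata"]["namespace"]}/{pod["metadata"]["name"]}'
        spec = pod["spec"]
        pod_sc = spec.get("securityContext") or {}
        for ctr in spec.get("initContainers", []) + spec.get("containers", []):
            sc = ctr.get("securityContext") or {}
            issues = []
            uid = effective(pod_sc, sc, "runAsUser")
            # No explicit UID and no runAsNonRoot: the image's default user (often root) is used.
            if uid == 0 or (uid is None and not effective(pod_sc, sc, "runAsNonRoot")):
                issues.append("may-run-as-root")
            if not effective(pod_sc, sc, "runAsGroup"):  # unset or 0
                issues.append("default-or-root-group")
            if sc.get("privileged"):
                issues.append("privileged")
            if sc.get("allowPrivilegeEscalation") is not False:  # unset means allowed
                issues.append("privilege-escalation-allowed")
            findings.extend((ref, ctr["name"], issue) for issue in issues)
    return findings

if __name__ == "__main__":
    for ref, name, issue in audit(SAMPLE):
        print(f"{ref} [{name}]: {issue}")
```

To audit a live cluster, replace `SAMPLE` with the parsed output of `kubectl get pods -A -o json`.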

Code Layer

This is the innermost layer and the layer that deals with the actual code. Security practices for the code change according to the application.

Here are some of the common practices to protect the code from attacks:

  • Use static code analysis to catch security leaks, such as sensitive information like access keys/secret keys stored in VCS or the codebase
  • Encrypt all the traffic while communicating with other tools, services, and applications
  • Integrate dependency checks for libraries in the CI/CD pipelines to check for known security vulnerabilities
  • Secure all ports and expose only those that are necessary

We know that setting up security right can be daunting. That is why we at Cluephant can help by taking care of all these things for you.

Thinking of moving to the Cloud?

Let us help you on your cloud journey. Reach out to us at Cluephant.

Achieve FASTER, BETTER results with Cluephant (Cloud Natives).
