This course is a 'Deep Dive' into Kubernetes Security. The student is guided through the concepts and best practices of Kubernetes Security, and hands-on examples are provided to apply what is covered.
Interactive Diagram: https://interactive.linuxacademy.com/diagrams/KubernetesSecurity.html
Introduction to the Course Author
This is a brief introduction to the course author.
Introduction to this Course
This is a brief introduction to the course explaining the topics covered.
Setting Up a Kubernetes Playground
Preparing The Playground Servers
This video is used to guide the student through the Cloud Playground Servers setup. Three virtual machines are established for the master and two worker nodes of the Kubernetes cluster. Each of the three servers is a medium-size instance configured with CentOS 7.
Setting up the Master Node
This video guides the student through the setup of the Kubernetes master node. A set of scripts is provided through GitHub, and the student is shown a step-by-step process for enabling the master node with the kubeadm utility. Specific syntax for all of the commands used may be found in a download titled "Kubernetes Playground Setup Instructions" in the downloads tab at the top of this course page.
Setting up the Worker Nodes
This video guides the student through a step-by-step process to enable two worker nodes for the Kubernetes cluster. Ultimately, the kubeadm join command is used to join the nodes to the previously created master node.
Validating the Cluster
This video guides the student through a step-by-step process to validate the master and two-worker-node cluster created in the previous videos. A simple deployment is done with kubectl that tests the scheduling of the deployment, the creation of the ReplicaSet, and ultimately the running of the pod. Several commands are used to interrogate the cluster status and validate that it is functioning properly.
Kubernetes Security Principles and Concepts
This lesson is a review of the Kubernetes architecture. Prior to discussing security, it is important to have a firm understanding of the architecture. Against the backdrop of the interactive study guide, each Kubernetes component is explained. Some insights into enterprise infrastructures and into setting up Kubernetes for high availability are also covered.
Kubernetes Attack Surface
This lesson covers Kubernetes attack vectors against the backdrop of the Kubernetes architecture previously reviewed. The aim is to offer the student an understanding of how to reduce the attack surface of a Kubernetes cluster.
The Principle of Least Privilege
This lesson discusses the "Principle of Least Privilege" and how Kubernetes security may be used to implement this principle. Namespaces, service accounts, and role bindings are discussed as a means to implement security in Kubernetes using Role Based Access Control (RBAC).
This lesson covers security boundaries and how different levels of security apply to distinct aspects of the Kubernetes architecture. It is used to help the student develop an understanding of the scope of Kubernetes security, as opposed to topics outside the scope of this course such as server hardening.
Securing a Cluster
Using TLS (Transport Layer Security) to Secure Nodes and Processes
This video covers TLS and explains the various endpoint communications within Kubernetes that must be secured with certificates.
Using Firewalls and VPN (Virtual Private Networks)
This video covers the importance of using firewalls and virtual private networks to limit Kubernetes node and process access. Specific public, hybrid, and multicloud infrastructures are discussed to explain the need for firewalls in front of load balancers configured within Kubernetes.
Setting Up kube-bench to Harden a Cluster
This lesson guides the student through the installation and running of the kube-bench utility. The utility uses the current CIS (Center for Internet Security) benchmark to evaluate the cluster configuration. Reports from this utility are used in several of the lessons throughout the course.
This video discusses the security of the kubelet process and interrogates some of the kubelet configuration files on cluster nodes. The lesson uses the Aquasec kube-bench utility to point out kubelet hardening options and discusses how installers such as the kubeadm utility are used to configure security-related options for the kubelet.
Securing the etcd Key-Value Datastore
This video discusses the use of the etcd datastore by a Kubernetes cluster and reviews some of the preliminary configuration flags set up by kubeadm's default installation. The CIS Benchmark is also reviewed to see recommendations on further hardening.
Deploying the Kubernetes Dashboard
This lesson covers the deployment of the Kubernetes dashboard. An admin user is created and the RBAC role binding is configured. The Heapster and InfluxDB dashboard add-ons are also installed. Lastly, the kube proxy is used to run the dashboard on the master node's localhost, and the student is shown how to use an SSH tunnel to access the dashboard from their local browser.
Authentication, Authorization and Admission
The 3 A's of Kubernetes Security
This brief video covers the three steps that Kubernetes uses to enforce security access and permissions. The lesson introduces the topics in this section: Authentication, Authorization, and Admission.
This lesson covers the Kubernetes authentication step in detail and explains the use of certificates, tokens, and other authentication methods. The service account resource is discussed in detail. This lesson is preparation for the Authentication exercise that follows.
This hands-on exercise guides the student through the creation of a service account on their playground Kubernetes instance. Once a service account has been created, the student is guided through the creation of a YAML file and the launch of a pod. The running pod is then interrogated to reveal how the mountable token carries the identification payload needed for Kubernetes authentication.
Authorization and RBAC
This lesson covers the use of RBAC for authorization. A review of the commands for the following exercise is part of this video. The example shows how to create a namespace and then create a service account and role binding within that namespace. Lastly, the authorization can-i option is used to test the role binding's permissions on pods and services.
This is a demonstration and step-by-step walkthrough of the commands covered in the Authorization lesson. The student is guided through a look at cluster roles and shown the concept of Kubernetes verbs. Then, the student is shown how to create namespaces, create a service account within that namespace, and eventually, a role and role binding for the service account.
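The namespace, service account, Role and RoleBinding that the Authorization lesson and its walkthrough describe, written out as one manifest. This is an added example, not a file from the course; the names team-alpha, pod-reader and pod-and-service-reader are assumptions, and the can-i checks in the trailing comments use the real kubectl auth can-i command with its --as flag.

```yaml
# Namespace that scopes everything below (hypothetical name)
apiVersion: v1
kind: Namespace
metadata:
  name: team-alpha
---
# The identity that pods will run as (hypothetical name)
apiVersion: v1
kind: ServiceAccount
metadata:
  name: pod-reader
  namespace: team-alpha
---
# Role: a namespaced set of permissions, expressed as Kubernetes verbs on resources
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-and-service-reader
  namespace: team-alpha
rules:
- apiGroups: [""]                     # "" is the core API group; pods and services live there
  resources: ["pods", "services"]
  verbs: ["get", "list", "watch"]     # read-only verbs; no create, delete or patch
---
# RoleBinding: grants the Role to the service account, and only inside team-alpha
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader-binding
  namespace: team-alpha
subjects:
- kind: ServiceAccount
  name: pod-reader
  namespace: team-alpha
roleRef:
  kind: Role
  name: pod-and-service-reader
  apiGroup: rbac.authorization.k8s.io
# After `kubectl apply -f` on this file, impersonate the service account to test the binding:
#   kubectl auth can-i list pods -n team-alpha --as=system:serviceaccount:team-alpha:pod-reader
#     -> yes   (verb and resource are in the Role, namespace matches the RoleBinding)
#   kubectl auth can-i delete pods -n team-alpha --as=system:serviceaccount:team-alpha:pod-reader
#     -> no    (delete is not one of the granted verbs)
#   kubectl auth can-i list pods -n default --as=system:serviceaccount:team-alpha:pod-reader
#     -> no    (a RoleBinding never reaches outside its own namespace)
```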
The third step of Kubernetes security is the Admission process. It is controlled by options known as admission controllers. This lesson discusses a few of the 30 available admission controllers and briefs the student on recommended options.
This lesson describes the capabilities of a pod spec security context and uses an example with the runAsUser field, the file system group field fsGroup, and the container directive allowPrivilegeEscalation set to false to prevent container applications from assuming root privilege. The student is then guided through this configuration step by step as an exercise on their Kubernetes playground instance.
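A pod manifest that applies the three settings the lesson names (runAsUser, fsGroup and allowPrivilegeEscalation: false), as an added example rather than the course's own exercise file. The pod name, the busybox image and the /data volume are assumptions; runAsGroup and runAsNonRoot go slightly beyond the lesson's three fields and are commented accordingly.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo       # hypothetical name
spec:
  # Pod-level security context: inherited by every container unless a container overrides it
  securityContext:
    runAsUser: 1000                 # processes start as UID 1000, never as root (UID 0)
    runAsGroup: 3000                # primary GID (beyond the lesson's fields; pairs with runAsUser)
    runAsNonRoot: true              # kubelet refuses to start a container that would run as UID 0
    fsGroup: 2000                   # volumes that support it are chowned to GID 2000, setgid, group rw,
                                    # so the non-root process can write to /data below
  containers:
  - name: app
    image: busybox:1.36             # assumed image; it defaults to root, which runAsUser overrides
    command: ["sh", "-c", "id && ls -ld /data && touch /data/ok && sleep 3600"]
    volumeMounts:
    - name: data
      mountPath: /data
    # Container-level security context
    securityContext:
      allowPrivilegeEscalation: false   # sets no_new_privs: setuid/setgid binaries such as su or
                                        # sudo cannot raise the process above UID 1000
  volumes:
  - name: data
    emptyDir: {}                    # emptyDir honours fsGroup, so the ownership change is visible
```

After `kubectl apply -f`, `kubectl logs security-context-demo` shows `uid=1000 gid=3000 groups=2000` and a /data directory owned by group 2000, and the touch succeeds even though the process is not root.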
Pod Security Policies
This video introduces the student to Pod Security Policies. Cluster-wide use with ClusterRoles is explained, as well as use within a namespace for specific service accounts. The lesson explains how RBAC role bindings are used to enable pod security policies, and it introduces the hands-on lab that follows, which illustrates these features.
Establishing an Immutable Cluster Architecture
This is a brief lesson that discusses the architecture of a system that uses a "Jump Server" or "Bastion Host" as the platform from which Kubernetes clusters are created and administered on an ongoing basis. This video introduces the kops and kube-aws installers that are then used in the upcoming labs.
Third-Party CI/CD Tools
This lesson briefly covers the Agile and DevOps process to illustrate the way containers are fed into a Kubernetes infrastructure. The main point is to explain the importance of container security and why students must go beyond Kubernetes security to ensure the safe running of a cluster.
This video discusses the fundamental concepts behind network policies and explains how they might be implemented through YAML. This video also explains some of the plugins that are required for network policies to be used.
This lesson covers the Kubernetes Secret object type. It explains how usernames, passwords, and other data may be securely staged and stored in the Kubernetes etcd key-value store, and then made available to container applications within pods. The lesson is a brief introduction to the workflow that is then covered hands-on in the lab.
Conclusion and Next Steps
This video discusses recommended resources for the student to engage in further study.