Some simple steps to improve the security configurations of your Kubernetes environment:
1. Prevent attackers from determining your Kubernetes version via the /version API. That endpoint is served by the kube-apiserver, not the kubelet, and by default the built-in system:public-info-viewer ClusterRole lets unauthenticated callers read it (along with /healthz). Either run the API server with --anonymous-auth=false or remove the binding of that ClusterRole to the system:unauthenticated group (the binding carries the rbac.authorization.kubernetes.io/autoupdate annotation, so set it to "false" or the API server recreates it on restart). Setting enableDebuggingHandlers to false in the kubelet configuration file does not affect /version; what it does do is covered in 2.4 and 5.1.
2. Prevent attackers from learning the cluster's configuration by removing unauthenticated access to the kubelet API. Several ways to fix this:
2.1: Disable the read-only port (10255) entirely with the --read-only-port=0 kubelet flag (readOnlyPort: 0 in the kubelet configuration file); it serves /pods, /stats and /metrics with no authentication at all.
2.2: Ensure the kubelet rejects anonymous requests with the --anonymous-auth=false kubelet flag (authentication.anonymous.enabled: false).
2.3: Allow only legitimate users with the --client-ca-file (x509 client certificates) or --authentication-token-webhook (bearer tokens verified through the API server's TokenReview API) kubelet flags, and set --authorization-mode=Webhook so the kubelet asks the API server (SubjectAccessReview) whether an authenticated caller may perform the request; the default AlwaysAllow mode grants every authenticated caller everything.
2.4: Disable the --enable-debugging-handlers kubelet flag (enableDebuggingHandlers: false) to stop the debug endpoints leaking container logs, running-pod and command-line flag information.
3. Restrict anonymous access to the Kubernetes dashboard by using an authenticating proxy with RBAC permissions that restrict access to only what is required.
4. Restrict anonymous access to the Kubernetes API server port. Several ways to fix this:
4.1: Review the RBAC permissions granted to anonymous callers (user system:anonymous, group system:unauthenticated) and to the default ServiceAccount of each namespace; apart from the built-in system:public-info-viewer role, they should have none.
4.2: Explicitly specify a ServiceAccount for all of your workloads (serviceAccountName in Pod.spec) and manage their permissions according to the principle of least privilege.
4.3: Consider opting out of automatic mounting of the ServiceAccount token with automountServiceAccountToken: false on the ServiceAccount resource or in Pod.spec (the Pod setting overrides the ServiceAccount setting).
4.4: Do not enable the kube-apiserver's --insecure-port flag in production (the flag was removed in Kubernetes 1.24, but older clusters may still carry it) and ensure the API server is exposed only on its HTTPS port. If you also set --anonymous-auth=false on the API server, remember that load-balancer health checks against /healthz then need credentials too.
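An added example for item 4 (not part of the original checklist or of Cybermonk's own tooling): a small audit over the JSON that kubectl prints with -o json, flagging RoleBindings and ClusterRoleBindings whose subjects are anonymous callers or a namespace's default ServiceAccount (4.1), Pods that run as the default ServiceAccount (4.2), and Pods that still get an API token mounted once the Pod and ServiceAccount settings are combined (4.3). The cluster objects (namespace dev, ServiceAccount app, the three Pods) are constructed sample data, and the built-in system:public-info-viewer binding is included deliberately because it is what lets unauthenticated callers read /version and /healthz.

```python
import json

# Constructed sample of `kubectl get clusterrolebindings,rolebindings -A -o json`.
BINDINGS = json.dumps({"items": [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "system:public-info-viewer"},
     "roleRef": {"kind": "ClusterRole", "name": "system:public-info-viewer"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"},
                  {"kind": "Group", "name": "system:unauthenticated"}]},
    {"kind": "RoleBinding", "metadata": {"name": "dev-read", "namespace": "dev"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "dev"}]},
    {"kind": "RoleBinding", "metadata": {"name": "app-read", "namespace": "dev"},
     "roleRef": {"kind": "Role", "name": "configmap-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "app", "namespace": "dev"}]},
]})

# Constructed sample of `kubectl get serviceaccounts -A -o json`.
SERVICE_ACCOUNTS = json.dumps({"items": [
    {"metadata": {"name": "default", "namespace": "dev"}},
    {"metadata": {"name": "app", "namespace": "dev"}, "automountServiceAccountToken": False},
]})

# Constructed sample of `kubectl get pods -A -o json` (admission always fills in
# serviceAccountName, so a Pod that never named one shows "default").
PODS = json.dumps({"items": [
    {"metadata": {"name": "legacy", "namespace": "dev"},
     "spec": {"serviceAccountName": "default"}},
    {"metadata": {"name": "batch", "namespace": "dev"},
     "spec": {"serviceAccountName": "app", "automountServiceAccountToken": True}},
    {"metadata": {"name": "web", "namespace": "dev"},
     "spec": {"serviceAccountName": "app"}},
]})


def risky_binding_subjects(bindings_json):
    """Item 4.1: return (binding name, subject) pairs for bindings that grant rights
    to anonymous callers or to a namespace's default ServiceAccount."""
    out = []
    for binding in json.loads(bindings_json)["items"]:
        for subj in binding.get("subjects") or []:
            anonymous = (subj["kind"] == "User" and subj["name"] == "system:anonymous") or \
                        (subj["kind"] == "Group" and subj["name"] == "system:unauthenticated")
            default_sa = subj["kind"] == "ServiceAccount" and subj["name"] == "default"
            if anonymous or default_sa:
                out.append((binding["metadata"]["name"], f'{subj["kind"]}:{subj["name"]}'))
    return out


def token_is_mounted(pod, sa_by_key):
    """Effective automount decision: the Pod field wins, then the ServiceAccount
    field, and Kubernetes mounts the token when neither says otherwise."""
    spec = pod["spec"]
    if "automountServiceAccountToken" in spec:
        return bool(spec["automountServiceAccountToken"])
    key = (pod["metadata"]["namespace"], spec.get("serviceAccountName", "default"))
    sa = sa_by_key.get(key)
    if sa is not None and "automountServiceAccountToken" in sa:
        return bool(sa["automountServiceAccountToken"])
    return True


def audit_pods(pods_json, service_accounts_json):
    """Items 4.2 and 4.3: return {pod name: [problems]} for Pods that run as the
    default ServiceAccount or still get an API token mounted."""
    sa_by_key = {(sa["metadata"]["namespace"], sa["metadata"]["name"]): sa
                 for sa in json.loads(service_accounts_json)["items"]}
    findings = {}
    for pod in json.loads(pods_json)["items"]:
        problems = []
        if pod["spec"].get("serviceAccountName", "default") == "default":
            problems.append("runs as the namespace default ServiceAccount")
        if token_is_mounted(pod, sa_by_key):
            problems.append("API token is mounted into the container")
        if problems:
            findings[pod["metadata"]["name"]] = problems
    return findings


if __name__ == "__main__":
    for name, subject in risky_binding_subjects(BINDINGS):
        print(f"binding {name} grants rights to {subject}")
    for name, problems in audit_pods(PODS, SERVICE_ACCOUNTS).items():
        print(f"pod {name}: {'; '.join(problems)}")
```

On a real cluster, feed the functions the output of `kubectl get clusterrolebindings,rolebindings -A -o json`, `kubectl get serviceaccounts -A -o json` and `kubectl get pods -A -o json`. The Pod web produces no finding because its ServiceAccount opts out of the token mount and the Pod does not override that; batch does override it, which is exactly the case a manifest review misses if it only looks at the ServiceAccount.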
5. Ensure your kubelets aren't exposing the endpoints served by the kubelet's debug handlers. Several ways to fix this:
5.1: Disable the --enable-debugging-handlers kubelet flag to stop exposing the /run, /exec, /portForward and /attach endpoints (and container logs). This does not remove /pods from the authenticated port, so 5.2 and 5.3 are still needed.
5.2: Ensure the kubelet rejects anonymous requests with the --anonymous-auth=false kubelet flag.
5.3: Allow only legitimate users with the --client-ca-file or --authentication-token-webhook kubelet flags, together with --authorization-mode=Webhook so that their requests are authorized by the API server rather than by the default AlwaysAllow mode.
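An added example covering the kubelet settings from items 2.1-2.4 and 5.1-5.3 (it is not part of the original checklist or of Cybermonk's tooling): a checker over the JSON a kubelet returns from its /configz endpoint, which wraps the effective KubeletConfiguration under a "kubeletconfig" key and is reachable through the API server at /api/v1/nodes/<node>/proxy/configz. The two inputs are constructed samples, one on the insecure flag defaults and one hardened; the CA path /etc/kubernetes/pki/ca.crt is an assumption for the sample only.

```python
import json

# Constructed sample of /configz output for a kubelet left on the old flag
# defaults the checklist warns about.
WEAK_CONFIGZ = json.dumps({"kubeletconfig": {
    "enableDebuggingHandlers": True,
    "readOnlyPort": 10255,
    "authentication": {"x509": {},
                       "webhook": {"enabled": False},
                       "anonymous": {"enabled": True}},
    "authorization": {"mode": "AlwaysAllow"},
}})

# Constructed sample of the same kubelet after items 2.1-2.4 / 5.1-5.3.
HARDENED_CONFIGZ = json.dumps({"kubeletconfig": {
    "enableDebuggingHandlers": False,
    "readOnlyPort": 0,
    "authentication": {"x509": {"clientCAFile": "/etc/kubernetes/pki/ca.crt"},
                       "webhook": {"enabled": True, "cacheTTL": "2m0s"},
                       "anonymous": {"enabled": False}},
    "authorization": {"mode": "Webhook"},
}})


def audit_kubelet_configz(configz_json):
    """Return a list of (setting, problem) pairs; an empty list means every check passed."""
    cfg = json.loads(configz_json).get("kubeletconfig", {})
    authn = cfg.get("authentication", {})
    authz = cfg.get("authorization", {})
    findings = []

    # 2.1: the read-only port serves /pods, /stats and /metrics with no
    # authentication at all. The config-file default is 0 (off); the old
    # --read-only-port flag defaulted to 10255, which configz then reports.
    if cfg.get("readOnlyPort", 0) != 0:
        findings.append(("readOnlyPort",
                         "unauthenticated read-only port is open; set readOnlyPort: 0"))

    # 2.2 / 5.2: anonymous requests are accepted unless explicitly disabled.
    if authn.get("anonymous", {}).get("enabled", True):
        findings.append(("authentication.anonymous.enabled",
                         "anonymous requests are accepted; set it to false"))

    # 2.3 / 5.3: with anonymous auth off, at least one real authenticator must be
    # configured, otherwise nobody (the API server included) can reach the kubelet.
    has_x509 = bool(authn.get("x509", {}).get("clientCAFile"))
    has_webhook = bool(authn.get("webhook", {}).get("enabled"))
    if not (has_x509 or has_webhook):
        findings.append(("authentication",
                         "neither a client CA nor the token webhook is configured"))

    # Authenticating callers is pointless if every authenticated caller is allowed
    # everything, which is what the default AlwaysAllow mode does.
    if authz.get("mode", "AlwaysAllow") != "Webhook":
        findings.append(("authorization.mode",
                         "not Webhook; authenticated callers are never authorized against the API server"))

    # 2.4 / 5.1: the debug handlers expose /run, /exec, /attach, /portForward and
    # container logs on the authenticated port.
    if cfg.get("enableDebuggingHandlers", True):
        findings.append(("enableDebuggingHandlers",
                         "debug handlers are on; set enableDebuggingHandlers: false"))
    return findings


if __name__ == "__main__":
    for label, sample in (("weak", WEAK_CONFIGZ), ("hardened", HARDENED_CONFIGZ)):
        problems = audit_kubelet_configz(sample)
        print(f"{label}: {len(problems)} finding(s)")
        for setting, problem in problems:
            print(f"  {setting}: {problem}")
```

To run it against a live node, pipe in `kubectl get --raw /api/v1/nodes/<node>/proxy/configz` for each node; the authorization check is the one most often missed, because a kubelet with anonymous auth off but authorization still on AlwaysAllow hands /exec to anyone holding any valid cluster credential.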
2022 Cybermonk solutions | All Rights Reserved.