Infrastructure Security
Infrastructure security focuses on how organizations build their clusters and
secure their Kubernetes environments. Here are a few best practices to follow
in this area:
• TLS encryption — This applies to every communication path: master to
slave, two applications talking to each other, and master to worker
nodes. All of this traffic needs to be encrypted. Istio is an open source
service mesh that can manage microservice deployments and encrypt the
traffic between services.
• Bastion host — This is a special-purpose computer on a network,
specifically designed and configured to withstand attacks. Access to
masters should only be done through bastion hosts, which can be hardened
and can monitor users who have privileged access to Kubernetes.
• Private networking — Both Kubernetes master and worker nodes need
to be deployed on private subnets to ensure secure connectivity with
corporate networks, prevent direct reachability from the Internet and
reduce the overall attack surface.
• Network policies — Kubernetes supports network policies that control
which workloads are allowed to communicate with each other. You should
start with a default policy that denies everything that is not explicitly
needed. In a network policy, you can manage on a fine-grained basis the
IP addresses, ports and protocols allowed in (ingress) and out (egress).
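The default-deny-then-allow approach described above, as an added example that is not part of the original article: a namespace-wide deny policy followed by one explicit allow policy. The namespace, labels, ports and CIDR are assumed values; enforcement requires a CNI plugin that implements NetworkPolicy, and the kube-system namespace selector relies on the kubernetes.io/metadata.name label that Kubernetes sets automatically from 1.22 onward.

```yaml
# Default deny: an empty podSelector matches every pod in the namespace,
# and listing both policy types with no rules allows no ingress or egress.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments          # assumed namespace
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# Explicit allow for the "api" pods only: ingress from "frontend" pods on
# TCP/8080, egress to cluster DNS and to the database subnet on TCP/5432.
# Everything not listed here stays blocked by the default-deny policy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow-frontend
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: api                 # assumed pod label
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend    # assumed pod label
      ports:
        - protocol: TCP
          port: 8080
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
    - to:
        - ipBlock:
            cidr: 10.20.0.0/24 # assumed database subnet
      ports:
        - protocol: TCP
          port: 5432
```

Apply both documents with kubectl apply -f, then verify the deny policy with a connection attempt from an unrelated pod in the namespace; if it still succeeds, the CNI plugin is not enforcing NetworkPolicy.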
• Cluster node images — When building a Kubernetes cluster, you will be
using a Linux image. It needs to be hardened against the CIS benchmark to
make sure all the Linux security controls are in place. Skipping the
operating system hardening process can expose the infrastructure to
software vulnerabilities. When you scale the master and worker nodes, make
sure every new node carries the same Linux security controls.
• Logging and monitoring — You need this to detect anomalies at both the
application and infrastructure levels. If there are attacks or anomalies –
unusually high usage or potential compromises – logging and monitoring will
detect them. Application performance monitoring will detect other
breaches such as DDoS attacks.
40 | THE DOPPLER | FALL 2018