Foundations of container-level security with Red Hat Advanced Cluster Security for Kubernetes

Red Hat® Advanced Cluster Security for Kubernetes is a Kubernetes-native security platform that enables you to build, deploy, and run cloud-native applications with more security. This learning path guides you through the reasons, methods, and tools used to protect workloads on Kubernetes. It includes reading materials, videos, and a live hands-on demo. 

This learning path is for system administrators, security practitioners, and DevSecOps teams. Developers may want to check out “Develop containers using Kubernetes” on developers.redhat.com.


What is Kubernetes security?

10 mins

Securing the platform that orchestrates containers is just as important as securing the containers themselves. Kubernetes (K8s or Kube) is an open source orchestration platform that automates the deployment, management, and scaling of containerized applications.

Using Kubernetes as your orchestration platform gives you several built-in security options, including:

  • Security checks performed at runtime, with the underlying issues fixed at the build stage
  • Segmentation of pods or groups of pods by network policies
  • Role-based access control (RBAC)
  • Kubernetes secrets for sensitive data

This path covers how to implement security best practices as they pertain to Kubernetes.

What will you learn?

  • How to maintain security within Kubernetes containers

What you need before starting:

  • Nothing, use this as a resource

The pillars of Kubernetes security

Kubernetes supports, and integrates with, a number of security measures.

Code security

Kubernetes supports declarative configuration with Git as the source of truth. The same code base that is used for builds can then be used for deployment across your organization. It also makes it easier to apply security best practices in one place and ensure they carry through to every use of that code.

Image security

Images are scanned early and often throughout the development lifecycle, catching errors before they become bigger issues down the line.

Identity and access management 

By default, Kubernetes comes with RBAC, which allows users to be granted specific access privileges as needed, subject to appropriate authentication. This bolsters overall security best practices and reduces any unnecessary exposure of your code.
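As an added illustration of least-privilege RBAC (example manifests, not from this learning path), the weak pattern of binding a workload's ServiceAccount to cluster-admin is shown beside a namespaced Role that grants only the verbs the workload needs; the ServiceAccount "report-job" and namespace "shop" are assumed.

```yaml
# Added example, not from the Red Hat learning path. ServiceAccount
# "report-job" in namespace "shop" is assumed.
---
# Weak: binding a workload's ServiceAccount to cluster-admin grants every
# verb on every resource cluster-wide; a compromised pod owns the cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: report-job-admin   # shown only as the anti-pattern, do not ship
subjects:
- kind: ServiceAccount
  name: report-job
  namespace: shop
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
---
# Corrected: a namespaced Role listing only the resources and verbs the
# job needs (read ConfigMaps, read pods and their logs), bound in "shop".
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: report-job-reader
  namespace: shop
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list"]
---
# RoleBinding (not ClusterRoleBinding) keeps the grant inside the namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: report-job-reader
  namespace: shop
subjects:
- kind: ServiceAccount
  name: report-job
  namespace: shop
roleRef:
  kind: Role
  name: report-job-reader
  apiGroup: rbac.authorization.k8s.io
```

After applying the corrected manifests, `kubectl auth can-i create pods -n shop --as=system:serviceaccount:shop:report-job` should answer "no", which is the check that confirms the scope really was narrowed.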

Data security

Another feature that comes packaged with Kubernetes is etcd data storage, which can be encrypted to protect system data.

Configuration management

Kubernetes comes with tools such as KubeLinter, which can be used to analyze YAML and Helm charts. By checking these files, your organization can make sure the configuration being deployed is uniform and secure.

Secrets management and API security 

Secrets management within Kubernetes keeps sensitive data separate, stored as secrets rather than embedded in application manifests. Kubernetes also allows TLS encryption to be applied to your relevant APIs.

Network security

Kubernetes also includes network policies, so that traffic between pods can be tightly controlled, with ingress and egress rules defined as needed.
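To show the pod segmentation described above and in the built-in options list, here is an added example (not from this learning path) of two NetworkPolicy objects: one isolating an api tier to a single upstream and a single downstream, and one protecting the database tier; the namespace "shop", the labels app=frontend, app=api and app=db, and the kube-dns labels of an upstream Kubernetes cluster are assumptions.

```yaml
# Added example, not code from the Red Hat learning path. The namespace
# "shop" and the labels app=frontend, app=api, app=db are assumed.
---
# api pods: a pod is isolated as soon as any NetworkPolicy selects it, so
# this allows only frontend in on TCP 8080 and only db plus kube-dns out.
# Egress isolation also blocks DNS, so port 53 must be re-allowed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-policy
  namespace: shop
spec:
  podSelector:
    matchLabels: {app: api}
  policyTypes: [Ingress, Egress]
  ingress:
  - from:
    - podSelector:
        matchLabels: {app: frontend}
    ports: [{protocol: TCP, port: 8080}]
  egress:
  - to:
    - podSelector:
        matchLabels: {app: db}
    ports: [{protocol: TCP, port: 5432}]
  - to:
    - namespaceSelector:
        matchLabels: {kubernetes.io/metadata.name: kube-system}
      podSelector:
        matchLabels: {k8s-app: kube-dns}
    ports: [{protocol: UDP, port: 53}, {protocol: TCP, port: 53}]
---
# db pods: the receiving side must allow the connection too; only api
# pods may reach the database port, nothing else in the namespace can.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db-policy
  namespace: shop
spec:
  podSelector:
    matchLabels: {app: db}
  policyTypes: [Ingress]
  ingress:
  - from:
    - podSelector:
        matchLabels: {app: api}
    ports: [{protocol: TCP, port: 5432}]
```

Pods that no policy selects (the frontend here) remain unrestricted, which is why production namespaces usually add a default-deny policy with an empty podSelector first and then allow traffic back one pair at a time. Enforcement also requires a CNI plugin that implements NetworkPolicy; without one the objects are accepted by the API server but have no effect.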

Runtime observability, monitoring, and detection

Some of the many tools Kubernetes can integrate with include Grafana and Prometheus, which can provide security monitoring and runtime anomaly detection. 

K8s security in motion

With the many security capabilities of Kubernetes, how do they get applied throughout the container lifecycle?

From the earliest stage of the container lifecycle, the build stage, Kubernetes’s approach to security is a shared one. This includes measures such as automating container pipelines, using Kubernetes deployment analysis, private registries to manage images, and automating application deployment.

Once in the deploy stage, Kubernetes is safeguarded by reducing any potential attack surface. This can be accomplished by using an operating system optimized for containers, automating configuration management and policy enforcement across clusters, implementing least-privilege access with more refined role-based access controls, and running compliance checks against internet best practices.

Finally, in the run stage, users can further protect their containers using isolation and resource management. This is accomplished through application monitoring and logging with service mesh visualization, as well as threat detectors to kill pods quickly based on anomalous behavior.

These measures go well with Red Hat® OpenShift® clusters and Red Hat Advanced Cluster Security for Kubernetes, which can support these best practices. We can find out how in the next resource. 

© 2026 Red Hat