About Kubernetes
Kubernetes is an open-source container orchestration system for automating software deployment, scaling, and management. It was originally designed by Google and is now maintained by the Cloud Native Computing Foundation.
As a highly complex system composed of an array of different components, Kubernetes is not something easily secured by enabling a security module or installing a security tool.
Instead, Kubernetes security requires teams to address each type of security risk that may impact the various layers and services within a Kubernetes cluster.
- For example, teams must understand how to secure Kubernetes nodes, networks, pods, data, and so on.
- Kubernetes defines a set of building blocks ("primitives") that collectively provide mechanisms that deploy, maintain, and scale applications based on CPU, memory or custom metrics.
- Kubernetes is loosely coupled and extensible to meet different workloads. The internal components as well as extensions and containers that run on Kubernetes rely on the Kubernetes API.
The platform exerts its control over compute and storage resources by defining resources as Objects, which can then be managed as such. Kubernetes follows the primary/replica architecture.
The components of Kubernetes can be divided into those that manage an individual node and those that are part of the control plane.
Kubernetes Concepts
As defined by Wikipedia, the Free Encyclopedia:
- Control plane
- Nodes
- Namespaces
- Pods
- DaemonSets
- ReplicaSets
- Services
- Volumes
- ConfigMaps and secrets
- StatefulSets
- Replication controllers and deployments
- Labels and selectors
- Add-ons
- Storage
Pod vs Container Settings
Kubernetes securityContext settings exist at two scopes: the pod-level PodSecurityContext (pod.spec.securityContext) and the container-level SecurityContext (pod.spec.containers[].securityContext). Pod-level settings apply to every container in the pod; if a setting is available and configured in both scopes, the container setting takes precedence. Not every field exists at both scopes: fields such as fsGroup, supplementalGroups and sysctls are pod-only (nothing to override), while privileged, allowPrivilegeEscalation, capabilities and readOnlyRootFilesystem are container-only (so there is no pod-level default to inherit, and each container must set them itself).
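The precedence rule is easy to state but easy to misread in a real manifest, so here is a small resolver that computes each container's effective securityContext and audits the result. This is an added example, not code from the original post or from the Kubernetes project; the field lists mirror the core/v1 PodSecurityContext and SecurityContext types, and the sample manifest is constructed for illustration.

```python
"""Resolve and audit the effective securityContext of each container in a Pod.

Added example (not from the original post). Rule implemented: pod-level
fields that also exist at container level are inherited by every container,
and a field set on the container overrides the pod-level value. Pod-only
fields (fsGroup, sysctls, ...) are never copied into a container context.
"""
from copy import deepcopy

# Fields present in both PodSecurityContext and the container SecurityContext.
SHARED_FIELDS = {
    "runAsUser", "runAsGroup", "runAsNonRoot",
    "seLinuxOptions", "seccompProfile", "windowsOptions", "appArmorProfile",
}
# Container-only fields: no pod-level default exists for these.
CONTAINER_ONLY = {
    "privileged", "allowPrivilegeEscalation", "capabilities",
    "readOnlyRootFilesystem", "procMount",
}
# Pod-only fields: they govern volumes and kernel parameters, not a single container.
POD_ONLY = {"fsGroup", "fsGroupChangePolicy", "supplementalGroups", "sysctls"}


def effective_security_context(pod_ctx, container_ctx):
    """Pod-level shared fields, overridden by whatever the container sets itself."""
    pod_ctx = pod_ctx or {}
    container_ctx = container_ctx or {}
    effective = {k: deepcopy(v) for k, v in pod_ctx.items() if k in SHARED_FIELDS}
    effective.update(deepcopy(container_ctx))  # container scope wins on overlap
    return effective


def resolve_pod(pod):
    """Map container name -> effective securityContext (init containers included)."""
    spec = pod["spec"]
    pod_ctx = spec.get("securityContext", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    return {c["name"]: effective_security_context(pod_ctx, c.get("securityContext"))
            for c in containers}


def audit(pod):
    """Map container name -> list of findings from a few basic hardening checks."""
    findings = {}
    for name, ctx in resolve_pod(pod).items():
        issues = []
        if ctx.get("privileged"):
            issues.append("privileged")
        if ctx.get("allowPrivilegeEscalation", True):  # API default is true
            issues.append("allowPrivilegeEscalation not disabled")
        if ctx.get("runAsUser") == 0:
            issues.append("runs as uid 0")
        if not ctx.get("runAsNonRoot") and "runAsUser" not in ctx:
            issues.append("uid unspecified and runAsNonRoot unset (image default may be root)")
        if ctx.get("runAsNonRoot") and ctx.get("runAsUser") == 0:
            issues.append("runAsNonRoot=true conflicts with runAsUser=0 (kubelet will refuse to start it)")
        findings[name] = issues
    return findings


# Constructed sample manifest: the pod sets a non-root uid for everyone,
# one container tightens further, the other tries to override back to root.
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "demo"},
    "spec": {
        "securityContext": {"runAsUser": 1000, "runAsNonRoot": True, "fsGroup": 2000},
        "containers": [
            {"name": "app", "image": "example/app:1.0",
             "securityContext": {"allowPrivilegeEscalation": False}},
            {"name": "sidecar", "image": "example/sidecar:1.0",
             "securityContext": {"runAsUser": 0}},
        ],
    },
}

if __name__ == "__main__":
    for name, ctx in resolve_pod(SAMPLE_POD).items():
        print(name, ctx, audit(SAMPLE_POD)[name])
```

Running it shows the two sides of the rule: `app` inherits `runAsUser: 1000` and `runAsNonRoot: true` from the pod and adds its own `allowPrivilegeEscalation: false`, so it is clean; `sidecar` overrides `runAsUser` to 0 but still inherits `runAsNonRoot: true`, a combination the kubelet rejects at container start, and it never picks up `fsGroup`, because that field has no container scope.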
Stay tuned, as I will propose more guides about hardening Kubernetes if people ask in the comments.