API server:
Ensure the --authorization-mode argument includes RBAC
Turn on Role Based Access Control.
Role Based Access Control (RBAC) allows fine-grained control over the operations that different entities can perform on different objects in the cluster. It is recommended to use the RBAC authorization mode.
Fix - Buildtime
Kubernetes
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
component: kube-apiserver
tier: control-plane
name: kube-apiserver
namespace: kube-system
spec:
containers:
- command:
+ - kube-apiserver
+ - --authorization-mode=RBAC,Node
image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
livenessProbe:
failureThreshold: 8
httpGet:
host: 127.0.0.1
path: /healthz
port: 6443
scheme: HTTPS
initialDelaySeconds: 15
timeoutSeconds: 15
name: kube-apiserver-should-pass
resources:
requests:
cpu: 250m
volumeMounts:
- mountPath: /etc/kubernetes/
name: k8s
readOnly: true
- mountPath: /etc/ssl/certs
name: certs
- mountPath: /etc/pki
name: pki
hostNetwork: true
volumes:
- hostPath:
path: /etc/kubernetes
name: k8s
- hostPath:
path: /etc/ssl/certs
name: certs
- hostPath:
path: /etc/pki
name: pki
Ensure the --authorization-mode argument includes Node
Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --authorization-mode parameter to a value that includes Node.
--authorization-mode=Node,RBAC
Audit:
/bin/ps -ef | grep kube-apiserver | grep -v grep
Expected result:
'Node,RBAC' has 'Node'
Ensure that the --profiling argument is set to false
Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the below parameter.
--profiling=false
Audit:
/bin/ps -ef | grep kube-apiserver | grep -v grep
Expected result:
'false' is equal to 'false'
Fix all of the following violations that were found against the Kubelet:- Ensure the --anonymous-auth argument is set to false.
Remediation: If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to false. If using executable arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--anonymous-auth=false
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
Audit:
/bin/ps -fC kubelet
Audit Config:
/bin/cat /var/lib/kubelet/config.yaml
Expected result:
'false' is equal to 'false'
2) Ensure that the --authorization-mode argument is set to Webhook.
Audit
docker inspect kubelet | jq -e '.[0].Args[] | match("--authorization-mode=Webhook").string' Returned Value: --authorization-mode=Webhook Fix all of the following violations that were found against the ETCD:- a. Ensure that the --auto-tls argument is not set to true Do not use self-signed certificates for TLS. etcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should not be available to unauthenticated clients. You should enable the client authentication via valid certificates to secure the access to the etcd service.
Fix - Buildtime
Kubernetes
apiVersion: v1
kind: Pod
metadata:
annotations:
scheduler.alpha.kubernetes.io/critical-pod: ""
creationTimestamp: null
labels:
component: etcd
tier: control-plane
name: etcd
namespace: kube-system
spec:
containers:
- command:
+ - etcd
+ - --auto-tls=true
image: k8s.gcr.io/etcd-amd64:3.2.18
imagePullPolicy: IfNotPresent
livenessProbe:
exec:
command:
- /bin/sh
- -ec
- ETCDCTL_API=3 etcdctl --endpoints=https://[192.168.22.9]:2379 --cacert=/etc/kubernetes/pki/etcd/ca.crt
--cert=/etc/kubernetes/pki/etcd/healthcheck-client.crt --key=/etc/kubernetes/pki/etcd/healthcheck-client.key get foo failureThreshold: 8 initialDelaySeconds: 15 timeoutSeconds: 15 name: etcd-should-fail resources: {} volumeMounts:
- mountPath: /var/lib/etcd
name: etcd-data
- mountPath: /etc/kubernetes/pki/etcd
name: etcd-certs
hostNetwork: true
priorityClassName: system-cluster-critical
volumes:
- hostPath:
path: /var/lib/etcd
type: DirectoryOrCreate
name: etcd-data
- hostPath:
path: /etc/kubernetes/pki/etcd
type: DirectoryOrCreate
name: etcd-certs
status: {}

Solution (Step by Step) :
1. Create a Pod Security Policy (PSP):
- A PSP is a policy that enforces security restrictions on pods. You can define the allowed registries for image pulls within the PSP
- create a PSP YAML file:

2. Define Allowed Registries: - Within the 'spec' of your PSP, create a field 'seLinux' and then define the allowed registries within the 'seLinux' field. - Example:

3. Apply the PSP: - Apply the PSP to your cluster using 'kubectl apply -f restricted-registry-psp.yaml' 4. Create a Service Account: - Create a service account that will be allowed to run pods with this PSP:

5. Bind the PSP to the Service Account: - Add the 'securityContext' field to your deployment and specify the PSP you just created:

- Apply the deployment: bash kubectl apply -f deploymentyaml - Now, the deployment will only be able to pull images from the specified registry.

Solution (Step by Step) :
1. configure RBAC:
- Define fine-grained Role-Based Access Control (RBAC) rules to restrict access to specific resources and actions based on user roles and permissions.
- Create roles and role bindings for different user groups, such as developers, operators, and security auditors.
- Example:


2. Enable TLS and Mutual TLS: - Configure the Kubernetes API server to use TLS for secure communication between the server and clients. - Implement Mutual TLS (mTLS) to enforce authentication for all API requests. - Example:


3. Configure API Server Authentication - Implement custom authentication mechanisms using plugins or external services to authenticate API requests. - Example:

4. Limit Access to Kubernetes API: - Configure network policies to restrict access to the Kubernetes API server from unauthorized sources. - Example:

5. Monitor and Audit API Activity: - Use audit logs to track API requests and identify potential security threats. - Example:

6. Use Security Best Practices: - Implement CIS Kubernetes Benchmark guidelines for configuring the Kubernetes cluster securely. - Example: - Enable strong password policies for all user accounts. - Restrict access to sensitive configuration files. - Regularly update the Kubernetes cluster and its components. 7. Implement a Secure Container Image Policy: - Implement a strict container image policy to ensure that only trusted images are deployed in the cluster. - Example: - Scan container images for vulnerabilities. - Require images to be signed by trusted parties. - Configure image signature verificatiom 8. Secure Kubernetes Secrets and Configuration: - Store sensitive data, such as passwords and API keys, in secrets. - Use secret management tools to securely access and rotate secrets. - Example: - Use Kubernetes Secrets to store credentials. - Implement a secret rotation policy. 9. Use Security Monitoring and Threat Detection Tools: - Deploy security monitoring and threat detection tools to identifry and respond to security incidents. - Example: - Integrate with a SIEM solution. - Use security tools like Falco to monitor for malicious activities. - Implement a security automation and response framework. 10. Regularly Review and Update Security Configuration: - Conduct periodic security audits and reviews to assess the effectiveness of security controls. - Keep security policies and procedures updated to address evolving threats. By implementing these security best practices, you can create a secure and resilient Kubernetes cluster for your critical web application.

Solution (Step by Step):
1. Create a Service Account:
- Create a dedicated Service Account for the application:

2. Configure the Deployment to use the Service Account - Update the Deployment YAML to specify the Service Account:

3. Use RBAC (Role-Based Access Control): - Create a Role and RoleBinding for the Service Account:

4. Apply the Changes: - Apply the YAML configurations using 'kubectl apply -f critical-app.yaml' 5. Restrict Access to the Kubernetes API: - Use kubeconfig files to limit access to the API for specific users or groups. - Use tools like 'kubectl auth can-i' to verify access permissions. 6. Limit Access to Specific Namespaces: - By default, Service Accounts have access to resources in their respective namespaces. - To further restrict access, create a Namespace and limit the Service Account's permissions within that namespace. By implementing these measures, you create a secure environment where only authorized users (through the Service Account) can manage the critical application's Deployment