Comparing the Leading Tools That Scan Against the CIS Kubernetes Benchmark Framework
CIS Benchmarks are a focused set of guidelines for the secure configuration, vulnerability detection, and...
Mar 20, 2024
Kubernetes 1.30 marks a significant milestone in the evolution of the widely used orchestration platform, particularly regarding security enhancements and developer experience.
This post will explore updates encompassing secrets management, node and cluster management, data security and additional security measures. Each of these improvements strengthens the Kubernetes framework, making it a more secure and reliable platform for enterprises and developers.
The Kubernetes 1.30 release brings several enhancements that focus on enhancing the security of sensitive data and bolstering the overall security posture of Kubernetes clusters.
The new Kubernetes release addresses many Kubernetes Enhancement Proposals (KEPs) that strengthen the security and management of sensitive data in Kubernetes.
KEP #2535 aims to enhance the security of sensitive data by enforcing stricter access controls on images after they have been pulled to a node.
The primary goal is to ensure secure image access with the IfNotPresent image pull policy. The proposal includes changes in the kubelet’s image pull and access mechanisms to enforce proper access to images, particularly those pulled with secret credentials.
The following example defines a pod with an imagePullPolicy of IfNotPresent and an imagePullSecret. With the enhancement, the kubelet ensures that pods attempting to access the image are authenticated if they do not have the same imagePullSecret:
apiVersion: v1 kind: Pod metadata: name: secret-image-pod spec: containers: - name: container image: my-private-image imagePullPolicy: IfNotPresent imagePullSecrets: - name: my-registry-key
This enhancement significantly strengthens Kubernetes’ defense against unauthorized access and potential security breaches by implementing stricter controls on already-pulled images.
KEP #2799 seeks to reduce the surface area of secret-based service account tokens, which are less secure than bound tokens. This involves changes in the service account control loop in the token controller to stop auto-creating secrets for service accounts. It also includes purging unused auto-generated secret-based service account tokens.
When you create a new service account, the token and its secret will not be generated automatically:
$ kubectl create sa token-test serviceaccount/token-test created $ kubectl get sa test-sa -o yaml apiVersion: v1 kind: ServiceAccount metadata: name: token-test namespace: default $ kubectl get secrets No resources found in default namespace.
By reducing the reliance on secret-based service account tokens, Kubernetes is moving towards more secure and simple handling of access credentials. This is particularly important for large-scale and security-sensitive deployments, where managing service account tokens can be challenging.
KEP #4193 in Kubernetes 1.30 focuses on enhancing bound service account tokens, providing more robust and secure service account management. The improvement aims to improve the security and usability of bound service account tokens, which are tied to specific pods and are more secure than traditional, non-bound tokens. The KEP proposes several changes, including adding a JWT ID (JTI) and node reference in issued service account tokens to make the tokens more traceable and secure.
By binding tokens to specific pods and adding additional identifiers like JWT IDs, Kubernetes makes it harder for malicious actors to exploit these tokens. This is a key update for organizations that rely on Kubernetes for critical applications, as it provides an additional layer of security for service account management.
This section reviews major updates on node and cluster management, emphasizing new features that streamline administration and bolster security measures.
KEP #2258 introduces the node log query feature in Kubernetes 1.30, adding a kubelet API for viewing system service logs on nodes. This simplifies cluster administration and enhances security by allowing data access without additional system access.
The general usage of the new feature can be illustrated as follows:
kubectl get --raw "/api/v1/nodes/worker/proxy/logs/?query=kubelet&pattern=error"
In this example, the command retrieves logs from the kubelet service running on the worker node with an error in their log line. This simplifies log retrieval, which previously required SSH access to the node.
KEP #3488 implements the Common Expression Language (CEL) for admission control, allowing for more dynamic and expressive policies in Kubernetes admission controllers. This involves integrating CEL as a language for writing admission control policies, enabling more complex and nuanced rules than possible with the existing admission controllers.
In the following example, a validating admission policy is defined with a CEL expression to validate admission requests:
apiVersion: admissionregistration.k8s.io/v1alpha1 kind: ValidatingAdmissionPolicy metadata: name: "replica-limit-policy.armosec.io" spec: matchConstraints: resourceRules: - apiGroups: ["apps"] apiVersions: ["v1"] operations: ["CREATE", "UPDATE"] resources: ["deployments"] validations: - expression: "object.spec.replicas <= 10"
The introduction of CEL for admission control enables administrators to define more complex and tailored policies, improving the overall security posture of Kubernetes clusters. This is significant for organizations with complex security requirements, as it allows them to create finely tuned policies that precisely match the security needs of different applications and environments.
The Kubescape community has already created a library of admission policies in CEL. Feel free to use them for an easy trial of this beta functionality.
KEP #3716 aims to introduce CEL expression filters as a stable feature to webhooks, allowing webhooks to be scoped more narrowly and precisely.
For example, with CEL match conditions, you can define complex match rules to exclude lease resources under the coordination.k8s.io group:
apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration ... rules: - operations: - CREATE - UPDATE apiGroups: '*' apiVersions: '*' resources: '*' matchConditions: - name: 'exclude-leases' expression: '!(request.resource.group == "coordination.k8s.io" && resource.resource == "leases")'
KEP #3716 lets administrators define more fine grained and tailored policies. As with the previous update, this is particularly important for companies that need customized policies for unique security requirements.
This section covers Kubernetes 1.30 updates that safeguard data integrity and enhance compliance within Kubernetes volumes.
This enhancement aims to prevent unauthorized volume mode conversion during the restoration of a volume from a snapshot. This involves changes in the Container Storage Interface (CSI) and Kubernetes storage components to ensure that volume mode conversion is explicitly authorized and controlled.
In the following example, a PersistentVolumeClaim (PVC) is defined from a VolumeSnapshot. It includes an annotation that requires explicit authorization to perform volume mode conversion:
apiVersion: v1 kind: PersistentVolumeClaim metadata: name: my-pvc spec: dataSource: name: my-volume-snapshot kind: VolumeSnapshot apiGroup: snapshot.storage.k8s.io snapshot.storage.kubernetes.io/allow-volume-mode-change: "true"
The introduction of this feature boosts the security of data in Kubernetes volumes by requiring authorization for this sensitive activity. This is crucial for environments where data security and integrity are critical, providing additional protection against unauthorized data manipulation.
This Kubernetes 1.30 update focuses on speeding up the container startup time by optimizing the SELinux label change process. The improvement seeks to mount volumes using the appropriate SELinux label, rather than recursively modifying the SELinux label of each file within the volumes.
For the following pod definition, the mounted volume, volume-1
, will be labeled with the specific SELinux label at mount time, resulting in a faster container startup process:
apiVersion: v1 kind: Pod ... volumeMounts: - name: volume-1 mountPath: /data securityContext: seLinuxOptions: level: "s0:c123,c456" volumes: - name: volume-1 persistentVolumeClaim: claimName: pvc-1
The optimization of the SELinux label change process significantly enhances the startup time of containers in Kubernetes, especially in environments with a large number of files in volumes.
KEP #127 introduces support for user namespaces in pods. It enhances pod isolation to mitigate high/critical CVEs, and supports custom UID/GID ranges. This involves changes to provide a way to remap UIDs and GIDs in a pod to different values in the host system.
The following example defines a pod that does not use host users, which is explicitly mentioned in the spec:
apiVersion: v1 kind: Pod metadata: name: ns-test spec: hostUsers: false containers: - name: sleep command: ["sleep", "infinity"] image: debian
Introducing user namespaces in pods greatly improves the security and isolation of workloads in Kubernetes, by bringing this valuable functionality to the pod level. This is important for environments that require strict security and isolation between pods, as it provides a more robust mechanism to prevent privilege escalation and other security threats.
Kubernetes 1.30 brings a slew of additional new features and updates that further enhance the platform’s security landscape, from container isolation to authorization controls.
KEP #4191 separates between the writable and read-only layers of the container’s filesystem.This provides more robust isolation, reducing the risk of unauthorized modifications to the filesystem. Which is particularly important for environments where container security is a top priority, as it provides additional protection against potential security threats.
KEP #24 adds support for AppArmor profiles, which offer a powerful mechanism for defining and enforcing security policies at the container level. This involves integrating AppArmor support into Kubernetes, enabling the use of AppArmor profiles and adding a layer of protection against various types of security threats.
Profiles can be specified in pod annotations as follows:
apiVersion: v1 kind: Pod metadata: name: apparmor annotations: container.apparmor.security.beta.kubernetes.io/hello: localhost/k8s-apparmor-deny-write ...
This enhancement is significant for environments that require stringent security measures, as it allows administrators to define custom security policies tailored to the specific needs of their applications.
This update introduces structured authorization configuration, allowing for more granular and customizable authorization controls in Kubernetes, including the use of multiple authorization webhooks.
The following example shows how to protect resources in kube-system namespaces with AuthorizationConfig:
apiVersion: apiserver.config.k8s.io/v1alpha1 kind: AuthorizationConfiguration authorizers: - type: Webhook name: system-crd-protector matchConditions: ... - expression: request.resourceAttributes.namespace == 'kube-system' - expression: request.resourceAttributes.verb in ['update', 'delete','deletecollection'] ...
The introduction of structured authorization configuration lets administrators define more fine-grained and tailored policies. This improves the overall security posture of Kubernetes clusters and is particularly important for organizations with complex security requirements.
In Kubernetes 1.30, the SecurityContextDeny admission plugin, which has been deprecated since version 1.27, is officially removed. This plugin previously denied pod creation requests that defined specific security context settings. Its removal marks a noteworthy shift towards more modern and flexible security practices in Kubernetes. As a recommended replacement, Kubernetes now advocates using the PodSecurity admission plugin, which offers a more comprehensive and nuanced approach to managing security contexts in pods.
In this section, we shift the spotlight to developer-focused improvements in Kubernetes 1.30, which streamline development processes and reinforce the overall security framework.
KEP #4402 introduces the use of Go multi-module workspaces for Kubernetes. Thus, simplifying the management of multiple Go modules and enhancing the developer experience. You can learn more about using workspaces in Go via its official tutorial and start using the go.work file, which is part of the main Kubernetes repository.
Shout out to Tim Hockin for pushing this through over 18 months.
Kubernetes now has sleep action for the preStop hook, enhancing the control over pod termination processes. In the following deployment spec, when a pod delete event is sent, the preStop hook will delay the shutdown by 5 seconds:
apiVersion: apps/v1 kind: Deployment ... spec: containers: - name: nginx image: nginx:1.16.1 lifecycle: preStop: sleep: seconds: 5 ...
This feature allows for a more graceful shutdown of pods, and is particularly important in scenarios where immediate termination could lead to data corruption or incomplete transactions.
KEP #1610 introduces container resource-based pod autoscaling, which allows for more dynamic and efficient application scaling. This involves extending the HorizontalPodAutoscaler (HPA) to support scaling according to the consumption of containers within a pod rather than just the pod-level metrics.
In the following example, an HPA is defined to scale a deployment based on the CPU utilization of individual containers. The HPA will adjust the number of replicas to maintain an average CPU utilization of 50% across all containers:
apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: my-hpa spec: ... metrics: - type: ContainerResource containerResource: name: cpu target: type: Utilization averageUtilization: 50
This functionality is particularly beneficial for complex applications with varying resource demands across their containers. It allows for tailored scaling strategies that can improve resource utilization and application performance.
This update aims to improve dynamic resource allocation (DRA) using structured parameters. This enables the kube-scheduler and Cluster Autoscaler to manage and simulate the allocation of claims independently, without the need for a third-party driver. The #4381 enhancement provides a more robust mechanism for managing resources in Kubernetes. Which is particularly beneficial for complex applications and environments that require fine-grained control over resource allocation. This change is abstracted away from the end-user with no modification required in the pod spec and it results in more efficient scheduling.
Kubernetes 1.30 brings enhancements that collectively improve the security, scalability, and developer experience within Kubernetes environments. Here’s a summary of the key takeaways:
Overall, Kubernetes 1.30 reflects the community’s commitment to advancing the platform’s capabilities regarding security and developer experience. To access further details and updates, visit the Kubernetes changelog on GitHub or follow Kubernetes’ own blog.
The only runtime-driven, open-source first, cloud security platform:
Continuously minimizes cloud attack surface
Secures your registries, clusters and images
Protects your on-prem and cloud workloads
CIS Benchmarks are a focused set of guidelines for the secure configuration, vulnerability detection, and...
Originally appeared on The New Stack. More and more organizations rely on Kubernetes to deploy and manage...
The dynamic world of Kubernetes and cloud security is constantly evolving. As we explore this...