Security

This document is designed to list potential attack vectors and solutions to them.

Container Threat Vectors

Kernel exploits
Denial-of-service attacks
Container Breakouts
Poisoned Images
Compromising Secrets

Principles to follow

Minimize the attack surface
Apply the principle of least privilege
Segregation
Don’t forget security in DevOps
Always trust your sources

Practices

Cluster Security

Kube-Bench - Uses CIS Benchmark to evaluate your cluster
Stay up-to-date
OS + Framework Patching

Software Supply Chain

Content Trust : Ensure the integrity of images throughout the life cycle / images haven't been tampered with
Container Image Scanning : Scan all files in container image for vulnerabilities
- AquaSec
- Twistlock
Image Availability : Do you care if images are publicly available?
Open Policy Agent : Only allow pulling from specific container registries

Runtime Security

Enforce least privileges in runtime
- AppArmor + seccomp
- Avoid running container as Root or with Privileges
Whitelist files and executables allowed to access or run

VM/Agent Security

AKS + Kured: Add security patches to Host VM

Monitoring

Log all container administrative user access for auditing
Monitor container activity and user access
Monitor container resource activity

Network Security

Network Policy Enforcement: Enforce network segmentation on running containers
Azure Firewall: Limit egress traffic from cluster

AuthN and AuthZ

Manage access to the cluster
- Kubernernetes RBAC
Manage access within the cluster
- Enable Azure AD for RBAC
- Harden the Dashboard

Secrets and Configs

Azure KeyVault for Secret Management
- BETA: Azure KeyVault Plugin for K8S

Application

Web Application Firewall : L7 Protection from cross-site scripting (XSS) attacks, SQL injection attacks, session hijacking and buffer overflows

References and Credits