# How to Keep a Kubernetes Pod Secure ![](https://lh5.googleusercontent.com/I07dT9EVXvDOQByDy9rzvcLhwZcG-wToraU_9gWfcXT92kHHyVsaoXTKr4QacMX_5M-IF1PLJ7RPaIQPv5D9K-LJ-w6_GKfppbn8yEP-WOhqrDWLCd5yCr6h8q-bbVeigO6qk2IT) [Photo](https://unsplash.com/photos/f77Bh3inUpE) by [Arnold Francisca](https://unsplash.com/@clark_fransa) on Unsplash Kubernetes security has come a long way since the start of the project. Started by Google in 2014, it has since become a widely popular open source container orchestration system. While this tool has evolved a lot in these 8 years, there are still certain problems that we need to work through on our own.  In this article, we will learn how to protect our Kubernetes pods and clusters and discuss some of the [Kubernetes security best practices](https://www.armosec.io/blog/kubernetes-security-best-practices/). ![](https://lh3.googleusercontent.com/RM0qzf2O8VFUdxS-UOcAMov8ZPDyjeMKSgI5GkIEm6isJdLqlB-GqRmm7DpBxty37eWBpJeYke3TLjAcMJPFjfmqS_W2urG9UJoZMqz0ztd__gZdrj4th4sljq_Ckc649PtN9CH7) ## 1. Enable RBAC Role-based access control ([RBAC](https://csrc.nist.gov/projects/role-based-access-control)) is one of the best security practices in Kubernetes, allowing administrators to grant and limit access to certain users and groups, and specify who can and cannot do what on the Kubernetes cluster. To enable RBAC permissions for Kubernetes resources, we must give a role for a namespaced resource and a ClusterRole for a non-namespaced resource to Kubernetes. RBAC adds an extra layer of security by allowing administrators to create administrative rules, give or take permissions, provide access to users, cluster role binding, and allow role binding. ## 2. Use Security Context to Protect Your Pods and Containers Another best practice is to incorporate security settings in the security context for your pods, containers, and volumes when building your containers and pods. A [security context](https://www.sciencedirect.com/topics/engineering/security-context) is a YAML attribute created upon deployment. It controls the security parameters that are applied to the pod, container, or volume. To incorporate security settings, provide a security context field in the container description. When there is an overlap, security parameters are given for a container that apply only to that container and override pod-level settings. The container parameters have no influence on the volumes of the pod. Create a security policy and a pod by defining the sample PodSecurityPolicy object in a file. This policy prohibits the formation of privileged pods. A PodSecurityPolicy object's name must be a valid string. ## 3. Define Resource Quota and Limit the Range We can also use quota and limit ranges to regulate whether users can request node ports or load-balanced services and whether their applications are visible outside of the cluster on other clusters. A resource quota restricts the quantity or capacity of resources made available to a namespace. This is most commonly used to restrict the amount of CPU, RAM, or persistent storage that a namespace may allocate. However, it can also be used to limit the number of pods, services, or volumes that exist in each namespace. Limit ranges restrict the maximum or minimum size of some of the above-mentioned resources, preventing users from asking unreasonably high or low values for widely reserved resources such as RAM or setting default limits when none are specified. You should create resource limitations to prevent and reduce these hazards. All resources in a Kubernetes cluster are generated with unbounded CPU and memory requests/limits by default. ## 4. Restricting Network Access A namespace's network policies allow developers to control which pods in other namespaces can access pods and ports inside their namespace. Many of the Kubernetes networking providers that are supported now follow network policies. ## 5. Regularly Apply Security Updates to Your Environment  When vulnerabilities in running containers are discovered, you should always update the source image and redeploy the containers. Direct updates (e.g., 'apt-update') to running containers should be avoided because they can break the image-container relationship. With the Kubernetes rolling updates feature, it is extremely simple to upgrade containers. This feature allows for the gradual updating of a running application by upgrading its images to the latest version. ## 6. Only Use Authorized Images It is risky to download and run pictures from unknown sources because they might include vulnerable or malicious containers. It's the same as installing software from an unknown provider on a production server. Use private registries to keep your licensed photographs and only upload approved images or images that you are sure are safe to use to these registries. ## 7. Limit Direct Access to Kubernetes Nodes ![](https://lh3.googleusercontent.com/KjE9WyZIm5fxQLgS-fJAMkFuhuN92fSag3claPgETqRjoyLJKM1_6hN1-o4c_veOSX3oGDpsFLDgkxVo3d8aJXXj5uwiPozUjnbCRBCOzabRzkzEeZNOqzt5trS1-QER47aF9gJ7) [Source](https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/the-basics-of-keeping-your-kubernetes-cluster-secure-part-1) To reduce the risk of unauthorized host resource access, you should restrict SSH access to Kubernetes nodes. Instead, tell users to use "[kubectl exec](https://www.containiq.com/post/using-kubectl-exec-shell-commands-examples)", which gives them direct access to the container environment without requiring access or having them log in to the host. Kubernetes plugins may be used to further restrict user access to resources. This enables the creation of fine-grained access control rules for individual namespaces, containers, and actions. ## 8. Prevent Pods from Accessing Host Ports Another common security risk is containers acquiring access to host resources such as host ports or network interfaces. Pod security policies enable cluster managers to establish detailed security controls to limit such access. A simple example is preventing a container from accessing any host ports. ## 9. Prevent Pods from Accessing Certain Volume Types You may want to limit the storage options for containers to reduce expenses or prohibit information access. This may be performed by defining the available volume types in a pod security policy's volumes key. ## 10. Keep Kubernetes Version Up to Date You should always use the most recent version of Kubernetes. Constantly upgrade your Kubernetes version to the most recent version available. Upgrading Kubernetes may be a complicated procedure, but it is important. If you use a hosted Kubernetes provider, see if they manage automated upgrades. ## Conclusion  I hope this article has given you a lot of new ideas on how to keep your pods secure. I have just mentioned the best security practices for Kubernetes, but there are many other practices that you can use to make your Kubernetes application more secure.
Last changed by  
Steven Melanson
391

Read more

Introduction to Front End Testing Automation

<span>Photo by <a href="https://unsplash.com/@cgower?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText">Christopher Gower</a> on <a href="https://unsplash.com/s/photos/testing?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText">Unsplash</a></span> Introduction Many people in the IT industry do not usually think from an end-users' perspective when they come up with something new. Obviously, with the domain knowledge that they have got, sometimes it gets challenging to train users, make them understand metaphors, and, more importantly, change their point-of-view. All of this is occurring due to an increasingly day-by-day difference in opinions between developers and users. For that reason, testing bridges the gap between them and provides successful implementation and deployment of a product. This article will specifically focus on User-Interface Testing and how it impacts the overall delivery of an application. Front-End Testing

7/28/2023
Adopting Zero Trust for Kubernetes

A lot of things have changed as a result of the COVID 19 Pandemic. Due to it, the IT business has had to move at a very quick rate, and now it is common for people to work from home. Now, more than ever before, businesses are working to put into place a variety of security policies and procedures that will ensure the complete safety of their organization's assets. A strategy approach in cybersecurity known as "Zero Trust" protects a business by removing all forms of implicit confidence and continuously validating each stage of a digital connection. This method is designed to keep hackers out. To put it another way, the idea behind this is that you should never believe anything without first checking it out: "Never Trust Always Verify." Utilizing robust authentication and authorization procedures at each level enables the organization to safeguard modern and evolving environments while also facilitating digital transformation. This is one of zero trust's primary purposes. It protects the network in multiple ways, including by segmenting the network, blocking lateral movement, offering Layer 7 threat prevention, and simplifying granular "least access" regulations. Traditional security models that are used today are based on the antiquated assumption that everything contained within an organization's network ought to be implicitly trusted. Because of this implicit trust, once users are connected to the network, they have complete freedom to move laterally and access or exfiltrate critical data. There are no granular security measures to prevent them from doing so. The flaws discovered in this system led to the development of the Zero Trust model. Is the Zero Trust Architecture Really Necessary?

10/26/2022
Dependency Management and Automation with Renovate

Photo by Adam Kool on Unsplash During the project planning phase, one usually lists all the functional and non-functional requirements along with other parameters. If your application is going to handle a range of different tasks, it is often preferred to use dependencies that serve the purpose and fine-tune them as per your requirements. For instance, consider you're building a coding platform. So what are the components that make up a code editor? (Note that we are talking about the layout and the frontend functioning only, and not considering the complete infrastructure.) The minimum requirements to build a coding platform are as follows: Code editor Preview/output window File structure

7/17/2022
Optimizing Developer Productivity Within Your Team

Photo by Carl Heyerdahl on Unsplash Building and shipping a scalable application includes the sweat & tears of multiple teams. However, the core engineering work boils down to a bunch of developers. The product needs to be built well before it is marketed. So, the foremost factor in building a great product is by bringing the best out of the developers. While user experience (UX) has been the buzz of the tech world for quite some time now, developer experience is the new talk of the town. The productivity of developers is always directly related to building a performant and efficient piece of software. Improving Developer Productivity with Developer Experience Putting it in an abstract manner, everything that removes the verbosity in the development cycle directly or indirectly contributes to the betterment of productivity.

5/23/2022
Read more from Steven Melanson
Published on HackMD