Concepts for keeping your cloud-native workload secure.
This section of the Kubernetes documentation aims to help you learn to runworkloads more securely, and about the essential aspects of keeping aKubernetes cluster secure.
Kubernetes is based on a cloud-native architecture, and draws on advice from theCNCF about good practice forcloud native information security.
Read Cloud Native Security and Kubernetesfor the broader context about how to secure your cluster and the applications thatyou're running on it.
Kubernetes security mechanisms
Kubernetes includes several APIs and security controls, as well as ways todefine policies that can form part of how you manage information security.
Control plane protection
A key security mechanism for any Kubernetes cluster is tocontrol access to the Kubernetes API.
Kubernetes expects you to configure and use TLS to providedata encryption in transitwithin the control plane, and between the control plane and its clients.You can also enable encryption at restfor the data stored within Kubernetes control plane; this is separate from usingencryption at rest for your own workloads' data, which might also be a good idea.
Secrets
The Secret API provides basic protection forconfiguration values that require confidentiality.
Workload protection
Enforce Pod security standards toensure that Pods and their containers are isolated appropriately. You can also useRuntimeClasses to define custom isolationif you need it.
Network policies let you controlnetwork traffic between Pods, or between Pods and the network outside your cluster.
You can deploy security controls from the wider ecosystem to implement preventativeor detective controls around Pods, their containers, and the images that run in them.
Auditing
Kubernetes audit logging provides asecurity-relevant, chronological set of records documenting the sequence of actionsin a cluster. The cluster audits the activities generated by users, by applicationsthat use the Kubernetes API, and by the control plane itself.
Cloud provider security
Note: Items on this page refer to vendors external to Kubernetes. The Kubernetes project authors aren't responsible for those third-party products or projects. To add a vendor, product or project to this list, read the content guide before submitting a change. More information.
If you are running a Kubernetes cluster on your own hardware or a different cloud provider,consult your documentation for security best practices.Here are links to some of the popular cloud providers' security documentation:
| IaaS Provider | Link |
|---|---|
| Alibaba Cloud | https://www.alibabacloud.com/trust-center |
| Amazon Web Services | https://aws.amazon.com/security |
| Google Cloud Platform | https://cloud.google.com/security |
| Huawei Cloud | https://www.huaweicloud.com/intl/en-us/securecenter/overallsafety |
| IBM Cloud | https://www.ibm.com/cloud/security |
| Microsoft Azure | https://docs.microsoft.com/en-us/azure/security/azure-security |
| Oracle Cloud Infrastructure | https://www.oracle.com/security |
| VMware vSphere | https://www.vmware.com/security/hardening-guides |
Policies
You can define security policies using Kubernetes-native mechanisms,such as NetworkPolicy(declarative control over network packet filtering) orValidatingAdmissionPolicy (declarative restrictions on what changessomeone can make using the Kubernetes API).
However, you can also rely on policy implementations from the widerecosystem around Kubernetes. Kubernetes provides extension mechanismsto let those ecosystem projects implement their own policy controlson source code review, container image approval, API access controls,networking, and more.
For more information about policy mechanisms and Kubernetes,read Policies.
What's next
Learn about related Kubernetes security topics:
- Securing your cluster
- Known vulnerabilitiesin Kubernetes (and links to further information)
- Data encryption in transit for the control plane
- Data encryption at rest
- Controlling Access to the Kubernetes API
- Network policies for Pods
- Secrets in Kubernetes
- Pod security standards
- RuntimeClasses
Learn the context:
Get certified:
- Certified Kubernetes Security Specialistcertification and official training course.
Read more in this section:
- Pod Security Standards
- Pod Security Admission
- Service Accounts
- Pod Security Policies
- Security For Windows Nodes
- Controlling Access to the Kubernetes API
- Role Based Access Control Good Practices
- Good practices for Kubernetes Secrets
- Multi-tenancy
- Hardening Guide - Authentication Mechanisms
- Kubernetes API Server Bypass Risks
- Linux kernel security constraints for Pods and containers
- Security Checklist
Items on this page refer to third party products or projects that provide functionality required by Kubernetes. The Kubernetes project authors aren't responsible for those third-party products or projects. See the CNCF website guidelines for more details.
You should read the content guide before proposing a change that adds an extra third-party link.
Last modified May 02, 2024 at 3:11 PM PST: Fix typo (ccefac9707)
