Kubernetes offers many options for securing the clusters or cluster operation. Most of the security settings are not focused on maximum security but are designed for fast deployment and use.
However, Cloud Native gives approaches for a secure cluster that extend the approaches of "Defense in Depth".
In this Kubernetes Security Library, we extend these approaches in the following security layers:
The rule of thumb here is: An insecure container can be intercepted by a secure cluster. However, the vice versa does not apply!
This Kubernetes Security Library is measure-oriented and each measure is assigned to a layer.
Accordingly, a clear order can be established based on the significance of the measures. Furthermore, a distinction is made between Azure AKS and on-premise.
For the sake of clarity, it is always mentioned when it is only possible in Azure AKS or when it is not.
The Kubernetes Security Library is based on the protection goal definition of the "Parkerian Hexad".
This deals with 6 basic protection goals:
Confidentiality
Refers to the property that information is not made available to or passed on to unauthorized individuals.
Usability
Suppose a hacker encrypts one's data using, for example, ransomware. The affected data does not lose its confidentiality, integrity, or availability, but it is no longer usable.
Authenticity
Refers to the accuracy of the originating claim or authorship of the information. For example, one method of verifying the authorship of a handwritten document is to compare the handwriting characteristics of the document with a sample of others that have already been verified. For electronic information, a digital signature could be used to verify the authorship of a digital document using public key cryptography.
Ownership or control
A hacker steals encrypted data, even if the hacker cannot decrypt the data, the person who has been robbed is still concerned that the hacker could do so at any time now. This situation represents a loss of control or possession of information but does not involve a breach of confidentiality.
Availability
Means being able to access information in a timely manner. For example, both a hard disk crash and denial-of-service attacks result in an availability violation. Any delay that exceeds the expected service levels for a system can be called an availability violation.
Integrity
Refers to the accuracy or consistency with the intended state of information. Any unauthorized modification of data, whether intentional or accidental, is a violation of data integrity. For example, data stored on disk is expected to be stable - it should not be accidentally altered by problems with a disk controller. Similarly, application programs should record information correctly and not introduce deviations from intended values.
KubeOps GmbH
Hinter Stöck 17
72406 Bisingen
Germany
