How to Secure Kubernetes Cluster: Best Practices and Examples
To secure a Kubernetes cluster, enable Role-Based Access Control (RBAC) to limit user permissions, use Network Policies to control pod communication, and manage sensitive data with Secrets. Also keep your cluster components updated and enable audit logging for monitoring.
Syntax
This section shows key Kubernetes security features and their basic syntax:
- RBAC: Defines roles and binds them to users or service accounts.
- Network Policies: Control traffic flow between pods.
- Secrets: Store sensitive data securely.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
---
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
  namespace: default
type: Opaque
data:
  password: cGFzc3dvcmQ=  # base64 encoded 'password'
```
Example
This example creates an RBAC Role that can only read pods in the default namespace, a NetworkPolicy that denies all ingress and egress traffic for every pod in that namespace, and a Secret storing a password. It demonstrates how to restrict access and protect sensitive data. Note that the Secret's data is only base64-encoded, not encrypted, so access to Secrets must still be limited through RBAC.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
---
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
  namespace: default
type: Opaque
data:
  password: cGFzc3dvcmQ=
```
Output
role.rbac.authorization.k8s.io/pod-reader created
networkpolicy.networking.k8s.io/deny-all created
secret/my-secret created
Common Pitfalls
Common mistakes when securing Kubernetes clusters include:
- Not enabling RBAC, leaving cluster-wide access open.
- Using overly permissive roles like cluster-admin for all users.
- Not applying network policies, allowing unrestricted pod communication.
- Storing secrets in plain text or in config maps instead of Secrets.
- Ignoring audit logs and not monitoring cluster activity.
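The following audit script is an added example, not part of the original page or of any Kubernetes project: it reads a JSON resource dump of the shape `kubectl get ... -o json` produces (the sample dump embedded below is constructed test data mirroring the manifests above) and flags three of the pitfalls just listed: ClusterRoleBindings to cluster-admin, namespaces without a default-deny NetworkPolicy, and ConfigMap keys that look like secrets. The `namespaces` argument is assumed to come from `kubectl get ns`.

```python
import json

# Constructed sample shaped like the output of `kubectl get clusterrolebindings,rolebindings,
# networkpolicies,configmaps -A -o json` (a v1 List). Test data, not a dump from a real cluster.
SAMPLE_DUMP = json.dumps({"apiVersion": "v1", "kind": "List", "items": [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "admin-binding"},
     "subjects": [{"kind": "User", "name": "jane"}],
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}},
    {"kind": "RoleBinding", "metadata": {"name": "pod-reader-binding", "namespace": "default"},
     "subjects": [{"kind": "User", "name": "jane"}],
     "roleRef": {"kind": "Role", "name": "pod-reader"}},
    {"kind": "NetworkPolicy", "metadata": {"name": "deny-all", "namespace": "default"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
    {"kind": "ConfigMap", "metadata": {"name": "app-config", "namespace": "payments"},
     "data": {"DB_PASSWORD": "hunter2", "LOG_LEVEL": "info"}},
]})

# Key names that suggest a value belongs in a Secret rather than a ConfigMap.
SECRET_KEY_HINTS = ("password", "passwd", "token", "secret", "apikey", "api_key")

def is_default_deny(spec):
    """True for a policy that selects every pod and lists no allow rules for either direction."""
    return (spec.get("podSelector") == {}
            and {"Ingress", "Egress"} <= set(spec.get("policyTypes", []))
            and not spec.get("ingress") and not spec.get("egress"))

def audit(dump_json, namespaces):
    """Return (severity, message) findings for cluster-admin bindings, missing
    default-deny NetworkPolicies and secret-looking ConfigMap keys."""
    findings, default_deny = [], set()
    for obj in json.loads(dump_json)["items"]:
        kind, meta = obj.get("kind"), obj.get("metadata", {})
        name, ns = meta.get("name"), meta.get("namespace", "")
        if kind == "ClusterRoleBinding" and obj.get("roleRef", {}).get("name") == "cluster-admin":
            for subj in obj.get("subjects", []):
                findings.append(("HIGH", f"ClusterRoleBinding {name} grants cluster-admin to {subj['kind']} {subj['name']}"))
        elif kind == "NetworkPolicy" and is_default_deny(obj.get("spec", {})):
            default_deny.add(ns)
        elif kind == "ConfigMap":
            for key in obj.get("data", {}):
                if any(hint in key.lower() for hint in SECRET_KEY_HINTS):
                    findings.append(("MEDIUM", f"ConfigMap {ns}/{name} key {key} looks like a secret; move it to a Secret"))
    for ns in namespaces:
        if ns not in default_deny:
            findings.append(("MEDIUM", f"namespace {ns} has no default-deny NetworkPolicy"))
    return findings

if __name__ == "__main__":
    for severity, message in audit(SAMPLE_DUMP, ["default", "payments"]):
        print(f"[{severity}] {message}")
```

The namespace-scoped RoleBinding to pod-reader is left alone, which is the pattern the "Right" manifest below shows.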
```yaml
# Wrong: cluster-admin granted cluster-wide to a user
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-binding
subjects:
- kind: User
  name: jane
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
---
# Right: limited Role bound in a single namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader-binding
  namespace: default
subjects:
- kind: User
  name: jane
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```
Quick Reference
Summary tips to secure your Kubernetes cluster:
- Enable RBAC and assign least privilege roles.
- Use Network Policies to restrict pod communication.
- Store sensitive data in Secrets, not config maps.
- Keep Kubernetes and its components updated.
- Enable audit logging and monitor cluster activity.
Key Takeaways
Always enable RBAC and assign the minimum permissions needed.
Use Network Policies to control traffic between pods and namespaces.
Store sensitive information securely using Kubernetes Secrets.
Keep your cluster components updated to patch security vulnerabilities.
Enable audit logs to track and monitor cluster access and changes.