Kubernetes and Cloud native security checklist

calendar Apr 6, 2022 ·  · security cncf checklist  ·
: linkedin copy

Cloud native workflow security checklist

Development security

  • Integrate Code Scanning at the CI/CD Process

    • SAST (Static Application Security Testing) tools
      • sonarqube, gosec
      • various language lint itegration the IDE plugins
    • Enabled the gitlab ci security or github action scan

  • Reduce external vulnerabilities via dependency scanning

    • various language dependency check(npm, maven, go.mod, reqirements.txt)
      • dependency-check plugin

  • Use image scanning to analyze container images

    • Avoid unnecessary privileges

      • Rootless containers
        • Make sure the user specified in the USER instruction exists inside the container.
        • use gosu or su-exec to drop to a standard user

    • Don’t bind to a specific UID

    • Make executables owned by root and not writable

      1    WORKDIR $APP_HOME
2    COPY --chown=app:app app-files/ /app
3    USER app
4    ENTRYPOINT /app/my-app-entrypoint.sh

    • Reduce attack surface
      It is a Dockerfile best practice to keep the images minimal.

    • Multistage builds

    • Use trusted base images

    • Update your images frequently

    • Exposed ports Every opened port in your container is an open door to your system. Expose only the ports that your application needs and avoid exposing ports like SSH (22)

    • Prevent confidential data leaks

      • Credentials and confidentiality
        Never put any secret or credentials in the Dockerfile instructions (environment variables, args, or hard coded into any command).
      • Use configuration files and bind mount the configuration files in docker, or mount them from a Kubernetes secret.

    • Build context and dockerignore

    • Linting

    • Locally scan images during development

    • Keep Host and Docker Up to Date

    • Do Not Expose the Docker Daemon Socket

    • Avoid Privileged Containers

    • Limit Container Resources

    • Segregate Container Networks

    • Set Filesystem and Volumes to Read-only

    • Complete Lifecycle Management

      • Implement vulnerability scanning to ensure clean code at all stages of the development lifecycle.
      • Use a sandbox environment where you can QA your code before it goes into production, to ensure there is nothing malicious that will deploy at runtime.
      • Implement drift prevention to ensure container immutability.
      • Create an incident response process to ensure rapid response in the case of an attack Apply automated patching.
      • Ensure you have robust auditing and forensics for quick troubleshooting and compliance reporting

Container security

  • Restrict System Calls from Within Containers
  • Scan and Verify Container Images
  • Use Minimal Base Images
  • Don’t Leak Sensitive Info to Docker Images
  • Secure Container Registries
  • Use Fixed Tags for Immutability
    • Preferring a more specific tag—if an image has several tags, a build process should select the tag containing the most information (e.g. both version and operating system).
    • Keeping a local copy of images—for example, in a private repository, and confirming that tags are the same as those in the local copy.
    • Signing images—Docker offers a Content Trust mechanism that allows you to cryptographically sign images using a private key. This guarantees the image, and its tags, have not been modified.
  • Monitor Container Activity Put tools and practices in place that can help you achieve observability of the following components:
    • Docker hosts
    • Container engines
    • Master nodes (if running an orchestrator like Kubernetes)
    • Containerized middleware and networking
    • Workloads running in containers
  • Secure Containers at Runtime
  • Save Troubleshooting Data Separately from Containers
  • CIS Docker Benchmark.
  • Prevent unsafe containers from running
  • Use rootless
1FROM alpine:3.12
2# Create user and set ownership and permissions as required
3RUN adduser -D myuser && chown -R myuser /myapp-data
4# ... copy application files
5USER myuser
6ENTRYPOINT ["/myapp"]
  • Use multi stage build
1#This is the "builder" stage
2FROM golang:1.15 as builder
3WORKDIR /my-go-app
4COPY app-src .
5RUN GOOS=linux GOARCH=amd64 go build ./cmd/app-service
6#This is the final stage, and we copy artifacts from "builder"
7FROM gcr.io/distroless/static-debian10
8COPY --from=builder /my-go-app/app-service /bin/app-service
9ENTRYPOINT ["/bin/app-service"]

Environments security

  • Incorporate IaC scanning
    • checkov
    • tfsec(Security scanner for your Terraform code)
    • cfn_nag(Linting tool for CloudFormation templates)
  • Secure your host with host scanning
    • aws ssm agent patch and upgrade
    • Falco scanning and detect
  • Check for misconfigurations that renders your infrastructure vulnerable
  • Prevent unsafe containers from running
    • gatekeeper (Gatekeeper - Policy Controller for Kubernetes)
    • connaisseur(An admission controller that integrates Container Image Signature Verification into a Kubernetes cluster)
  • limit the number of users that have access to your hosts, cloud accounts, and resources, and block unnecessary network traffic
    • VPCs, Security groups, network rules, firewall rules, etc. in cloud providers to restrict communication between VMs, VPCs, and the Internet.
    • Firewalls at hosts levels to expose only the minimal set of required services.
    • Kubernetes Network Policies for clusters, and additional tools, like Service Mesh or API Gateways, can add an additional security layer for filtering network requests.
  • Set up real-time event and log auditing
    • Host and Kubernetes logs
    • Cloud logs (CloudTrail in AWS, Activity Audit in GCP, etc.)
    • System calls in containers
  • Fix misconfigurations
  • Patch vulnerabilities