SentinelOne eBook

Mastering
Kubernetes Security
Top Strategies
Recommended
by OWASP

SENTINELONE EBOOK
 Table of Contents

Introduction 3

What is Kubernetes? 4

Understanding Kubernetes Security 4

Top 10 OWASP Kubernetes Security Risks & Recommendations 5

1. Insecure Workload Configurations 5

2. Supply Chain Vulnerabilities 6

3. Overly-Permissive RBAC 6

4. Policy Enforcement 7

5. Inadequate Logging 8

6. Broken Authentication 9

7. Network Segmentation 10

8. Secrets Management 10

9. Misconfigured Cluster Components 11

10. Vulnerable Components 12

Conclusion 12

Tomorrow’s Threats Require a New Enterprise Security Paradigm 13

SENTINELONE EBOOK MASTERING KUBERNETES SECURITY | TOP STRATEGIES RECOMMENDED BY OWASP 2

01 Introduction

Kubernetes, a popular open-source container orchestration system,

has gained popularity among enterprises for its ability to manage
and automate large-scale containerized workloads. However, as
with any technology, inherent security risks must be considered
and addressed.

In this eBook, we explore the top ten Kubernetes security risks and provide recommenda-
tions for mitigating these risks.

SENTINELONE EBOOK MASTERING KUBERNETES SECURITY | TOP STRATEGIES RECOMMENDED BY OWASP 3

02 What is Kubernetes?
Kubernetes, commonly referred to as “K8s”, is a container orchestration system that
automates the deployment, scaling, and management of containerized workloads. It was
originally developed by Google and is now maintained by the Cloud Native Computing
Foundation (CNCF).

Kubernetes is a powerful tool that offers self-healing, auto-scaling, and service discovery
features. In addition, it allows developers to deploy their applications as workloads that
can run on any platform that supports Docker containers.

03 Understanding Kubernetes
Security
Teams securing Kubernetes are responsible for addressing all its various layers and
services. Kubernetes security comprises three main components: securing the cluster,
securing nodes, and securing applications.

Securing K8s Clusters

The Kubernetes control plane manages the cluster, including scheduling, scaling, and
monitoring. Securing the cluster includes securing the control plane components, such
as the API server, etcd, and Kubernetes controller manager by enabling authentication,
authorization, and encryption.

Securing K8s Nodes

Nodes are the worker machines in a Kubernetes cluster that run the containers. Nodes can be
secured through the host operating system, by configuring network security, and by securing
the Kubernetes runtime environment. Removing unnecessary user accounts and ensuring
that nothing runs as root are all best practices to consider when securing K8s nodes.

Securing K8s Applications

In Kubernetes, a pod is a container used to run an application. Securing these applications
means securing the pod. Kubernetes provides several security features to help secure
applications. These features can be used to limit resource access, enforce network policies,
and enable secure communication between containers.

SENTINELONE EBOOK MASTERING KUBERNETES SECURITY | TOP STRATEGIES RECOMMENDED BY OWASP 4

04 Top 10 OWASP Kubernetes
Security Risks & Recommendations
The OWASP Foundation was created to improve software security through community-led,
open-source software projects. Here are the top ten strategies recommended by OWASP
for securing Kubernetes ecosystems.

1. Insecure Workload Configurations

Kubernetes manifests contain a plethora of configurations that can affect the reliability,
security, and scalability of a given workload. These configurations should be audited and
remediated continuously to prevent misconfigurations. However, some high-impact manifest
configurations are more likely to be misconfigured than others. Some examples are:

• Running application processes as root inside a container is a common misconfigura-

tion in many clusters. Though root may be required for some workloads, it should be
avoided when possible. If the container were to be compromised, the attacker would
have root-level privileges, allowing actions such as starting a malicious process that
otherwise wouldn’t be permitted with other users on the system.

• To limit the impact of a compromised container on a Kubernetes node, it is recommended

to utilize read-only filesystems when possible. This prevents a malicious process or
application from writing back to the host system. Read-only filesystems are a key
component to preventing container breakout.

• Privileged containers should be disallowed as they can access additional resources

and kernel capabilities of the host. Workloads running as root combined with privileged
containers can be devastating as the user can access the host completely. This is,
however, limited when running as a non-root user. Privileged containers are dangerous
as they remove many of the built-in container isolation mechanisms entirely.

While many security configurations are often set in the securityContext of the manifest
itself, other misconfigurations can be detected elsewhere. They must first be detected in
both runtime and code to prevent misconfigurations. It is imperative to enforce that appli-
cations run as non-root users, run in non-privileged mode, and set ‘AllowPrivilegeEscala-
tion’ to ‘False’ to disallow child processes from gaining more privileges than their parents.

Security teams can use tools such as Open Policy Agent as a policy engine to detect com-
mon misconfigurations like the ones listed above. Using the CIS Benchmark for Kubernetes
is a good starting point for discovering misconfigurations. However, it is important to contin-
uously monitor and remediate any potential misconfigurations to ensure the security and
reliability of a Kubernetes workload.

SENTINELONE EBOOK MASTERING KUBERNETES SECURITY | TOP STRATEGIES RECOMMENDED BY OWASP 5

 2. Supply Chain Vulnerabilities
At various phases of the development lifecycle supply chain, containers take on many forms
and each will present its own unique security challenge. This is because a single container
may rely on hundreds of external, third-party components, diluting the level of trust at each
phase. The most common supply chain vulnerabilities are below:

• Image integrity – Container images are made up of layers, each bringing possible
security risks. Since container images use third-party packages extensively, they can
be dangerous to run within a trusted environment. To mitigate this, it’s important to
ensure image integrity by validating software at each phase using in-toto attestations.
Doing so increases the SLSA level of the build pipeline, which means it is more resilient
against attacks. Additionally, using image signing and verification through cryptographic
key-pairs can detect tampering with the artifacts throughout the DevOps workflow,
which is an essential step in building a secure supply chain.

• Image composition – Container images contain layers, each presenting different

security implications. A properly constructed container image reduces the attack
surface and increases deployment efficiency. Thus, it’s important to create container
images using minimal OS packages and dependencies to reduce the attack surface,
considering using alternative base images such as Distroless or Scratch to improve
security posture and reduce image size. Furthermore, tools like Docker Slim are
available to optimize image footprint for performance and security reasons.

• Known software vulnerabilities – Security flaws are widespread due to the extensive
use of third-party packages in container images. Image vulnerability scanning is crucial
for enumerating known security issues in container images, which should be used
as a first line of defense. Open-source tools such as Clair and trivy statically analyze
container images for known vulnerabilities such as CVEs, and should be used as early in
the development cycle as reasonably possible.

Enforcing policies to prevent unapproved images from being used is also essential. Kuberne-
tes admission controls and policy engines such as Open Policy Agent and Kyverno can reject
workload images that haven’t been scanned for vulnerabilities, use a base image that’s not
explicitly allowed, don’t include an approved SBOM, or originate from untrusted registries.

3. Overly-Permissive RBAC
Role-based access control (RBAC) allows the definition of who has access to what resources
in a cluster and what they can do with those resources. When configured correctly, RBAC
helps prevent unauthorized access and protect sensitive data.

However, if RBAC is not configured correctly, it can lead to overly-permissive settings that
allow users to access resources that they should not have access to or perform actions that
they should not be able to perform. This can create serious security risks, including data
breaches, data loss, and compromise.

SENTINELONE EBOOK MASTERING KUBERNETES SECURITY | TOP STRATEGIES RECOMMENDED BY OWASP 6

 Examples of overly-permissive RBAC include the unnecessary use of cluster-admin in
Kubernetes. Granting access to this “superuser” role gives unfettered control over every
resource in the cluster, which is especially dangerous when used in a ClusterRoleBinding,
which grants the all-powerful cluster-admin privilege to every single Pod in the default
namespace, making the entire cluster vulnerable to attack.

To prevent such an attack, it is crucial to continuously analyze RBAC configurations and

enforce the principle of least privilege (PoLP). This can be achieved by reducing direct
cluster access by end users, avoiding using Service Account Tokens outside of the cluster,
and auditing RBAC included with installed third-party components. Moreover, deploying
centralized policies to detect and block risky RBAC permissions, utilizing RoleBindings to
limit the scope of permissions to particular namespaces, and following the official RBAC
Good Practices is highly recommended.

4. Policy Enforcement
Policy enforcement involves the implementation of rules and regulations to ensure compli-
ance with organizational policies. In the context of Kubernetes, policy enforcement ensures
that the Kubernetes cluster adheres to the security policies set by the organization. These
policies could be related to access control, resource allocation, network security, or any
other aspect of the Kubernetes cluster.

Policy enforcement is essential for ensuring the security and compliance of the Kuberne-
tes cluster. Failure to enforce policies can lead to security breaches, data loss, and other
potential risks. Additionally, policy enforcement helps maintain the integrity and stability
of the Kubernetes cluster, ensuring that resources are allocated effectively and efficiently.

Best Practices for Policy Enforcement in Kubernetes

It is essential to follow best practices to ensure effective policy enforcement in Kubernetes.

Some of these include:

• Defining policies that align with organizational goals and regulatory requirements.

• Implementing policies using Kubernetes-native resources or policy controllers.

• Regularly reviewing and updating policies to ensure they remain relevant and effective.

• Monitoring policy violations and remediating them promptly.

• Educating users on Kubernetes policies and their importance.

SENTINELONE EBOOK MASTERING KUBERNETES SECURITY | TOP STRATEGIES RECOMMENDED BY OWASP 7

 5. Inadequate Logging
Logging is an essential component of any system that runs applications. It involves collecting
and storing data about the system’s behavior and its applications. Logging in Kubernetes is
no different. Kubernetes logs are records of events that occur within a Kubernetes cluster.

These logs can help identify system issues and provide valuable insight into system
performance, security breaches, and data loss. Various sources, including application code,
Kubernetes components, and system-level processes, can generate Kubernetes logs.

Best Practices for Kubernetes Logging

• Use a Centralized Logging System – A centralized logging system collects and stores
logs from all Kubernetes components and applications in a single location. This makes
it easier to identify and respond to issues with the system. There are many different
centralized logging systems available for Kubernetes. Use SentinelOne Security Data
Lake to centralize event logs from all components of Kubernetes cluster.

• Use Standardized Logging Formats – Standardized logging formats make searching

and analyzing logs from multiple sources easier. This is especially important when
using a centralized logging system. Several standardized logging formats are available
for Kubernetes, including JSON and syslog. Security teams will need to choose a format
supported by their logging system and configure their Kubernetes components and
applications to use that format.

• Maintain Complete Logs – When it comes to Kubernetes logging, it’s important to

log everything: application logs, Kubernetes component logs, and system-level logs.
Logging everything ensures a complete picture of system behavior. However, logging
everything can also generate a large amount of data. To manage this data, consider
setting up log rotation and retention policies. Log rotation policies ensure that logs are
rotated and compressed regularly to conserve disk space. Retention policies determine
how long logs are kept before being deleted.

• Use Labels and Annotations – Labels and annotations are a powerful feature of Kuber-
netes that can provide additional context to logs. Labels are key-value pairs that can be
attached to Kubernetes objects, such as pods and services. Annotations are similar to
labels but can contain larger amounts of information. Labels and annotations can filter
and search logs based on specific criteria. For example, security teams can add a label
to all pods that are part of a particular application and then search for logs from those
pods based on the label.

• Monitor Kubernetes Logs – Monitoring logs regularly allows security teams to identify
issues with the system and respond to them quickly. There are many different tools
available for monitoring Kubernetes logs. Use SentinelOne Security Data Lake to detect
anomalies from event logs from the entire Kubernetes cluster.

SENTINELONE EBOOK MASTERING KUBERNETES SECURITY | TOP STRATEGIES RECOMMENDED BY OWASP 8

 • Set Up Auditing – Setting up auditing in Kubernetes enables teams to track changes to
the Kubernetes API server and other Kubernetes components, help identify unautho-
rized system changes, and ensure compliance with security policies. To set up auditing
in Kubernetes, configure the Kubernetes API server to log audit events. These events
can then be sent to a centralized logging system for analysis.

6. Broken Authentication
Broken authentication is a vulnerability that allows attackers to bypass authentication and
gain unauthorized access to an application or system. Authentication is verifying a user’s or
system’s identity, usually by requiring a username and password. If an attacker can bypass
the authentication process, they can gain access to sensitive data, systems, or applications.
In Kubernetes, broken authentication can occur due to several factors, including:

• Weak or compromised authentication credentials – If an attacker can obtain a

user’s credentials, they can bypass authentication and gain unauthorized access to the
Kubernetes cluster.

• Misconfigured authentication settings – Kubernetes supports several authentication

mechanisms, including X.509 certificates, static tokens, and OAuth tokens. Misconfig-
ured authentication settings can leave the Kubernetes cluster vulnerable to attack.

• Insecure communication channels – Kubernetes uses various communication

channels, including the Kubernetes API server, kubelet, and, etcd. An attacker can
intercept and manipulate traffic to bypass authentication if these communication
channels are insecure.

How to Prevent Broken Authentication in Kubernetes

Preventing broken authentication in Kubernetes requires implementing several security

measures, including:

• Strong authentication credentials – Users must use strong and unique passwords or
authentication tokens that are not easily guessable.

• Secure communication channels – Communication channels between Kubernetes

components must be encrypted using SSL/TLS.

• Proper authentication configuration – The authentication mechanisms used in

Kubernetes must be correctly configured to prevent unauthorized access.

• Implementing RBAC – Role-Based Access Control (RBAC) should be used to restrict

access to Kubernetes resources based on a user’s role.

SENTINELONE EBOOK MASTERING KUBERNETES SECURITY | TOP STRATEGIES RECOMMENDED BY OWASP 9

 7. Network Segmentation
Network segmentation divides a network into smaller subnetworks, each isolated. This is
done to improve security by limiting the scope of potential attacks. By isolating different
parts of the network from each other, network segmentation makes it harder for attackers
to move laterally within the network and gain access to sensitive resources.

By default, any workload can communicate with another workload when no additional
controls are put in place in a Kubernetes network. An attacker can leverage this default
behavior by exploiting a running workload to probe the internal network, move to other
running containers, or even invoke private APIs.

How to Implement Network Segmentation in Kubernetes Clusters

Isolating traffic within the context of a Kubernetes minimizes damage and loss should a
container become compromised. Several techniques can be used to implement network
segmentation in Kubernetes clusters to stop lateral movement and still allow valid traffic to
route as normal. Two important techniques are:

• Using Network Policies – Kubernetes supports network policies, which define how
traffic flows between pods and namespaces. Using network policies controls which
pods can communicate with each other and which ones are isolated from the rest of
the cluster.

• Using Network Segmentation Tools – Many third-party tools can implement network
segmentation in Kubernetes clusters. The most popular ones include Calico, Weave
Net, and Cilium. These tools provide advanced network segmentation capabilities,
such as encryption, firewalling, and intrusion detection.

8. Secrets Management
A “secret” is an object in Kubernetes that contains sensitive data such as passwords,
certificates, and API keys. Secrets store confidential data that should be inaccessible to
other users and processes within the cluster. Kubernetes secrets are stored in etcd, a
distributed key-value store used by Kubernetes to store all cluster data.

Kubernetes Secrets Management Best Practices

Though secrets are a very useful function in the Kubernetes ecosystem, they need to be han-
dled with caution. Managing Kubernetes secrets can be broken down into the following steps:

1. Deploy encryption at rest – A potential attacker can gain considerable visibility into
the state of a cluster by accessing the etcd database, which contains any information
accessible via the Kubernetes API. Kubernetes offers encryption at rest; a feature in-
troduced in version 1.7 and v1 beta since 1.13. Encryption at rest safeguards secret re-
sources in etcd, ensuring that the content of those secrets remains hidden from parties

SENTINELONE EBOOK MASTERING KUBERNETES SECURITY | TOP STRATEGIES RECOMMENDED BY OWASP 10

 that access etcd backups. This feature is still in the beta stage, but it provides an extra
layer of security in situations where backups are not encrypted, an attacker has read
access to etcd.

2. Address security misconfigurations such as vulnerabilities, image security, and

policy enforcement – RBAC configuration should also be locked down, and all Service
Account and end-user access should be restricted to the least privilege, especially
when accessing secrets. Auditing the RBAC configuration of third-party plugins and
software installed in the cluster is also necessary to ensure that access to Kubernetes
secrets is not granted unnecessarily.

3. Ensure that logging and auditing are in place – This helps detect malicious or abnor-
mal behavior, including access to secrets. Kubernetes clusters produce useful metrics
around activities that can be leveraged to detect such behaviors. Therefore, enabling
and configuring Kubernetes audit records and centralizing their storage is advisable.

A few more additional tips and tricks include rotating secrets regularly to reduce the risk of
secrets being compromised, auditing secret access to detect any unauthorized access to
secrets, and using third-party secret management tools such as HashiCorp Vault or Cyber-
Ark Conjur to manage Kubernetes secrets.

9. Misconfigured Cluster Components

Kubernetes clusters are composed of various different components from key-value storage
within etcd, the kubelet, the kube-apiserver, and more. All of the components are each
highly configurable, meaning teams must implement the right security defaults to ensure
their security.

Cluster compromise can happen when there are misconfigurations in core Kubernetes
components. The most commonly misconfigured components on the Kubernetes control
plan and nodes include the below:

• Kubelet – Check that the configuration is set up to deny anonymous authentication.

Also, when communicating with Kubelets, authorization checks should always be
performed. Set the Authorization mode to anything other than ‘AlwaysAllow’ in order to
block unauthorized requests.

• Kube-apiserver – Inspect the internet accessibility of the API server in use and keep
the Kubernetes API off of any public networks.

Performing CIS Benchmark scans and audits can help security teams focus on eradicating
component misconfigurations. Using hosted services such as EKS, GKE, or AKS can help
implement secure defaults and limit some of the options for component configuration.

SENTINELONE EBOOK MASTERING KUBERNETES SECURITY | TOP STRATEGIES RECOMMENDED BY OWASP 11

 10. Vulnerable Components
As Kubernetes clusters run vast amounts of third-party software, security teams will need
to build a multi-tiered strategy to combat vulnerable components. Some best practices on
how to do so are as follows:

• Track CVE databases – A key element in managing known and new vulnerabilities in
Kubernetes is to stay up-to-date on CVE databases, security disclosures, and commu-
nity updates. Security teams can use this intel to build actionable plans to implement
regular patch management processes.

• Implement continuous scanning – Using a tool such as OPA Gatekeeper can be help-
ful in writing custom rules that work to uncover any vulnerable components within a
Kubernetes cluster. Security teams can then track and document these findings to im-
prove their security processes and policies.

• Minimize third-party dependencies – Third-party software must be thoroughly audited

for overly permissive RBAC, low-level kernel access, and vulnerability disclosure
records before deployment occurs.

05 Conclusion
Though Kubernetes is powerful, its adoption comes with the inevitable introduction of
new risks into an environment’s existing infrastructure and applications. Having a compre-
hensive approach to securing Kubernetes ensures security teams can address all types of
vulnerabilities and risks that can affect the individual layers of a Kubernetes cluster.

Following the recommendations provided in this post can set businesses on the right path
to hardening their Kubernetes environments and reduce its attack surface. Through best
practices implementation, security teams managing Kubernetes can gain visibility into their
environments and better control each layer of their Kubernetes deployment.

SENTINELONE EBOOK MASTERING KUBERNETES SECURITY | TOP STRATEGIES RECOMMENDED BY OWASP 12

 If you would like to learn more about how SentinelOne can help protect
your cloud workloads – wherever they run, AWS, Azure, Google Cloud, or
private data center – we invite you to visit our website. There you will find
customer case studies, demo videos, and more about what makes our
Singularity Cloud product portfolio unique. And when you are ready, our
team of cloud security specialists is ready to connect with your cloud
security experts.

LEARN MORE

Innovative. Trusted. Recognized.

A Leader in the 2022 Magic Record Breaking ATT&CK Evaluation 96% of Gartner Peer InsightsTM
Quadrant for Endpoint • 100% Protection. 100% Detection EDR Reviewers Recommend
Protection Platforms • Top Analytic Coverage, 3 Years Running SentinelOne Singularity
• 100% Real-time with Zero Delays

SENTINELONE EBOOK MASTERING KUBERNETES SECURITY | TOP STRATEGIES RECOMMENDED BY OWASP 13

 Contact us
sales@sentinelone.com
+1-855-868-3733

About SentinelOne
More Capability. Less Complexity. SentinelOne is pioneering the
future of cybersecurity with autonomous, distributed endpoint
intelligence aimed at simplifying the security stack without
forgoing enterprise capabilities. Our technology is designed to
scale people with automation and frictionless threat resolution.
Are you ready?

sentinelone.com

Mastering_Kubernetes_Security_|_Top_Strategies_Recommended_by_OWASP_05222023

© SentinelOne 2023
SENTINELONE EBOOK