rss-bridge 2025-07-23T19:26:00+00:00

SE Radio 678: Chris Love on Kubernetes Security

Chris Love, co-author of the book Core Kubernetes, joins host Robert Blumen for a conversation about Kubernetes security. Chris identifies the node layer, secrets management, the network layer, containers, and pods as the most critical areas to be addressed.

The conversation explores a range of topics, including when to accept defaults and when to override; differences between self-managed clusters and cloud-service-provider-managed clusters; and what can go wrong at each layer, and how to address these issues. They further discuss managing the node layer; network security best practices; Kubernetes secrets and integration with cloud-service-provider secrets; container security; and pod security, and Chris offers his views on policy-as-code frameworks and scanners.

Brought to you by IEEE Computer Society and IEEE Software magazine.


Show Notes

References

  • FairWinds white paper: “5 Kubernetes Security Tools You Should Use”

Related Episodes

  • SE Radio 416: Adam Shostack on Threat Modeling
  • SE Radio 619: James Strong on Kubernetes Networking
  • SE Radio 591: Yechezkel Rabinovich on Kubernetes Observability
  • SE Radio 600: William Morgan on Kubernetes Sidecars and Service Mesh
  • SE Radio 634: Jim Bugwadia on Kubernetes Policy as Code

Transcript

Transcript brought to you by IEEE Software magazine.

This transcript was automatically generated. To suggest improvements in the text, please contact [email protected] and include the episode number and URL.

Robert Blumen 00:00:19 For Software Engineering Radio, this is Robert Blumen. I have with me Chris Love. Chris works at Modernize as a distinguished engineer. Chris and Jay Vyas are co-authors of the book Core Kubernetes, and Chris is a Google Cloud certified fellow. Chris, welcome to Software Engineering Radio.

Chris Love 00:00:40 Thank you Robert. Really appreciate you having me come and speak with you folks today.

Robert Blumen 00:00:45 Happy to have you. We’re going to take advantage of your being here to talk about Kubernetes security. Now, Kubernetes is a distributed system; it accepts external traffic. It uses compute resources. Is there such a thing as Kubernetes security, or is it just about following best practices that are well known for these types of systems?

Chris Love 00:01:09 I think it’s both. I think of course it’s best practices like update your software dependencies, update your dependencies from your operating system. It’s that, but now you’re running a containerized system, so you have to remember to update the dependencies in the container as well as update your host version of Bash. So of course there’s intricacies to it. We’re running a nice distributed system that allows us to do complicated stuff like scaling and we have failover, but because of that, we’ve got a little bit more complicated networking that can cause some challenges from a security standpoint. But we have other distributed systems that we’ve been using for a while. Most of them are based around containers, but there’s definitely some wrinkles. But like you said, at the end of the day, it’s an API layer. You’ve got a bunch of compute nodes, which are either your servers or your EC2 instances or your GKE instances and you’ve got a bunch of containers running around. So I would say it’s non-trivial, but it’s not rocket science. It’s not as challenging as catching a rocket with a couple chopsticks.

Robert Blumen 00:02:15 The overall umbrella of Kubernetes security, it has many subtopics more than we can cover in an hour. If you were to pick a few that are most important to focus on, what’s your short list?

Chris Love 00:02:28 I would try to group them into, I kind of go from a large world internal, so we could talk about what to expect when setting up a Kubernetes cluster. So overall security, then you can go down to node-level security from there, network security, from there pod security, and from there container security. Container security is well documented, but I think some folks either don’t have the time and money to put those in place. Operating system security, I’m not going to talk to you about. There’s lots of other references that folks can go to. I always look at myself as a Lego engineer, right? We’ve got building blocks. Some are unique to Kubernetes, and like you said, some operating system security is operating system security, but typically on an operating system you aren’t running two different network layers, and that’s what you get within Kubernetes.

Robert Blumen 00:03:20 So it’d be a good time for me to let the listeners know we did an entire episode on Kubernetes Networking number 619. We will return to that a little bit later. Let’s go down your list, Chris, and hit these things in order. Starting with setting up Kubernetes overall security, what are some of the main points that should be addressed?

Chris Love 00:03:41 Right. You want to think about from a network layer, from a node setup layer, and from an overall like account permissions layer. Again, if you’re running in a data center, this is a little bit different, right? But I would say majority of people that are running in Kubernetes are running within AWS or GKE or Azure or pick your Cloud provider. So there’s always some gotchas around those Cloud environments. For instance, you want to make sure that the role that you’re setting up your cluster with and the role that the cluster’s running with are the correct roles. You don’t want to set your cluster up with a role that is an account level admin. You want to give your Kubernetes cluster and your Kubernetes nodes the right level of permissions. So that means setting up a user before you set up Kubernetes. From there also, look at a private network.

Chris Love 00:04:33 Don’t expose your nodes to the public. In other words, port 22 on node A should not be accessible via an external network. You’re going to need to VPN into your nodes, and realistically, developers and admins shouldn’t necessarily have to at a node level. Also, your API layer or web API should also be behind a firewall that should be networked in. It should be on a private network where folks aren’t able to access it. And people, we’ve had bugs in Kubernetes where authentication for a very short amount of time was broken at the API layer. And fortunately, the folks that maintain Kubernetes fixed it pretty fast. But it was overnight where if you had a publicly exposed API and you had X, Y, Z version of Kubernetes, people could just do a kubectl command right to it. So doing some basic setup before, thinking through your security model and your security setup before you set up a cluster, is really important. IP spacing, for instance, that gets folks in

[...]

