Reset a lost account password using docker

Story time
A funny thing happened today. A remote Raspberry Pi deployed a few years back for $client was having issues connecting with another system. When setting up the Pi, I thought of sharing my ssh key from my laptop so I could SSH into it passwordless-style. But it didn’t occur to younger (and stupider apparently) me to save the password for that account somewhere. And on that system (and generally on Debian I believe), standard accounts are in the sudo group, but not with passwordless access, meaning you can run sudo but you have to enter your session’s password. ...

August 9, 2023 · 3 min · 498 words

Add a new external user (or bot) in k8s

what & why
If you need to give access to your cluster to either another human or to a given service, you should create a dedicated account for it. This is how to do it. To authenticate, humans can use both the ServiceAccount resource (through a token) and Users (through a key and crt). Bots or non-human things should only use ServiceAccounts.
A word on RBAC
Role Based Access Control (RBAC) is a way of separating users from privileges by introducing roles. Instead of linking users to privileges directly (Jake has read access on the pods), we link users to roles, which have a given set of privileges (Jake is a developer, and the developer role has read access on pods). We can now attach multiple users to a role, and although it somewhat increases the number of resources, ...

October 3, 2022 · 5 min · 948 words

A basic, security-minded k8s app setup

what & why
The CKS (Certified Kubernetes Security Specialist) is a great resource for knowing how to secure a Kubernetes cluster. It covers a lot of topics, from the cluster side (admission controllers, webhooks, audit), the app side (Pod Security Policies) and the supply chain (image scanning). Another great resource for this is the Kubernetes Hardening Guidance by NSA & CISA. But some of the concepts defined in both these resources are very case-specific, and require a lot of time, tools & effort to set up. In some environments, it might be infeasible to deploy each and every one of those concepts. But that doesn’t mean we should skip some basic security-minded steps when deploying to k8s. I won’t cover things on the cluster side (audit, tools like falco, or admission controllers), but how you can improve the security of your front-facing app by adding a few lines here and there. ...

March 9, 2022 · 7 min · 1280 words