Stronger Cloud Security in Five: 3 Quick Ways to Improve Kubernetes Security in GCP
In this fifth installment of Tenable’s “Stronger Cloud Security in Five” blog series, we offer three best practices for quickly hardening your Kubernetes environment’s security in GCP: remove wide inbound access to cluster APIs; remove root permissions from containers; and remove privileged permissions from publicly accessible groups.
Securing your Kubernetes environment is critical in order to protect your cloud application development lifecycle and your container orchestration. However, properly configuring and managing Kubernetes is complicated, and this often leads to lax security controls that put organizations at an elevated risk for a breach.
As the “Tenable Cloud Risk Report 2024” found, security weaknesses in Kubernetes environments aren’t the exception – they’re the norm:
- 78% of organizations have publicly accessible Kubernetes API servers, and 41% of those are set to allow inbound internet access.
- 44% run privileged containers, which have access to the host’s resources and kernel capabilities, making them a major risk if attackers gain access to them.
- 58% have cluster-admin role bindings, which give some users complete control over all of their organizations’ Kubernetes environments.
Here we outline three best practices that take no more than five minutes to implement and that’ll quickly boost the security of your Google Cloud Platform’s (GCP) Kubernetes environment. Read on!
Remove wide inbound access to clusters’ APIs
The Google Kubernetes Engine (GKE) API lets you query and manipulate the state of API objects in Kubernetes. Thus, you should configure its authorized networks setting so it restricts inbound internet access to specific IP addresses. Otherwise, if the authorized network setting is disabled, any public IP address can access the Kubernetes API without any restrictions, creating a significant risk for malicious users to tamper with the API.
If you don't use a mechanism to restrict access to your cluster's control plane, it may be exposed to network access publicly.
One way this can be mitigated is to limit the authorized networks that can access the control plane in this way:
- In the GCP Portal, open the resource page of GKE cluster.
- Under the “Networking - Control plane authorized networks” setting, click the pencil button.
- Check “Enable control plane authorized networks.”
- Edit the “Authorized Networks” to allow access only to specific IP addresses that require access to the Kubernetes API.
- Click “Save Changes” to confirm
By taking these steps, you shrink your Kubernetes clusters’ attack surface and reduce the risk that hackers will breach the control plane via brute-force attacks, API vulnerability exploitation and other attack methods.
Remove privileged permissions from containers
If attackers exploit a vulnerability in a privileged container’s application, they could control the container’s host and wreak havoc in your Kubernetes environment. For example, attackers could tamper with host devices and kernel parameters, and make malicious OS system calls, such as retrieving files and disabling security controls.
That’s why we don’t recommend running privileged containers. You should evaluate Kubernetes workloads and flag every container spec that has the securityContext.privileged flag set to “true,” as shown in the screenshot below.
(Source: Tenable)
Here’s how you remediate this:
- For each deployment where a container is provisioned with a privileged security context, set the flag for "privileged" to “false.”
- Add a Pod Security Standard policy to the namespace default.
Remove privileged permissions from publicly accessible groups
You should be aware that the groups like system:anonymous user and system:unauthenticated can be used by anyone with access to the cluster. In GKE, the system:authenticated group, though it may sound more secure, actually allows access to anyone who can identify with any Google identity (e.g., a Gmail account), making it public.
(Source: Google’s “Best practices for GKE RBAC” documentation)
Unfortunately, it’s quite common for organizations to inadvertently grant these groups privileged access, which opens the door for potentially anyone on the internet to access critical resources in your Kubernetes environment.
In addition, combining this with the first issue we discussed — unrestricted network access to the cluster's control plane — grants permissions that can be leveraged by anyone with network access to the control plane, which in turn has network access from anywhere.
This dangerous scenario puts your organization at an elevated risk for a breach if attackers exploit a security flaw in your Kubernetes environment, such as a container pod with a critical vulnerability.
To remedy this simply remove any unnecessary role bindings from the publicly accessible groups.
Conclusion
We hope you’ve found these three Kubernetes security “quick win” tips helpful and valuable. They’re just a small sample of the comprehensive Kubernetes security best practices our cloud security experts can help you adopt and automate with our Tenable Cloud Security cloud native application protection platform (CNAPP).
With Tenable Cloud Security, you can streamline and simplify core Kubernetes security elements across multi-cloud environments, including:
- Obtaining comprehensive, continuously updated visibility into all your resources
- Controlling access to clusters and enforcing least-privilege access
- Enforcing policy and configuration control at scale
- Detecting container vulnerabilities and malware
- Automating remediation and mitigation of security issues, including misconfigurations, policy violations and overprivileged identities
Find out how you can take action to boost your Kubernetes and your overall multi-cloud security in just five minutes.
Learn more:
- "Stronger Cloud Security in Five: The Importance of Cloud Configuration Security"
- "Stronger Cloud Security in Five: How To Protect Your Cloud Workloads"
- "Stronger Cloud Security in Five: Securing Your Cloud Identities"
- “Stronger Cloud Security in Five: How DSPM Helps You Discover, Classify and Secure All Your Data Assets”
Justin Buchanan
Senior Director of Cloud Security Marketing
As Senior Director of Cloud Security Marketing, Justin leads the go-to-market strategy for Tenable's Cloud Native Application Protection Platform. Driven by his background in IT and his passion for deeply understanding customers’ desired outcomes, Justin drives opportunities for Tenable to partner with customers and redefine the future of cybersecurity.
Related articles
Abusing Client-Side Extensions (CSE): A Backdoor into Your AD Environment
Crucial for applying Active Directory Group Policy Objects, client-side extensions (CSEs) are powerful but also present a significant, often overlooked, attack vector for persistent backdoors. Rather than cover well-documented common abuses of built-in CSEs, this article demonstrates how to create c...
Cybersecurity Snapshot: New Standard for AI System Security Published, While Study Finds Cyber Teams Boost Value of Business Projects
Check out ETSI’s new global standard for securing AI systems and models. Plus, learn how CISOs and their teams add significant value to orgs’ major initiatives. In addition, discover what webinar attendees told Tenable about their cloud security challenges. And get the latest on properly decommissio...
Getting Ahead of AI Risk: What Comes Next for Tenable
The acquisition of Apex Security adds a powerful new layer of visibility, context and control to the Tenable One Exposure Management Platform to govern usage, enforce policy and control exposure across both the AI that organizations use and the AI they build....
- Cloud
- Container Security
- Cloud
- Container security