From the Node Up: The Complete Guide to Kubernetes Security With Prisma Cloud
Table of Contents
3 Introduction
4 Chapter 1: Kubernetes Security Basics
4 Kubernetes Is a Many-Layered Beast
5 Kubernetes Native Security Protections
6 Chapter 2: Securing Kubernetes Infrastructure
7 IDEs
7 Continuous Integration
7 Configuration Management
8 Chapter 3: Securing Container Images to Run on Kubernetes
8 Developer Desktop
8 Continuous Integration
9 Container Registries
10 Chapter 4: Kubernetes Runtime Security
10 Visibility
10 Runtime Protection
10 Network Protection
12 Node OS Monitoring
12 Kubernetes Security Audits and Compliance
13 Conclusion

Prisma by Palo Alto Networks | From the Node Up: The Complete Guide to Kubernetes Security 2
Introduction
Most discussions of Kubernetes® security focus on how challenging it is to secure a cluster. Kubernetes offers only a handful of native security features, we’re told, which makes it exceedingly difficult to secure every layer of a Kubernetes environment.

It’s true that Kubernetes provides few built-in security tools and that securing Kubernetes requires addressing multiple types of potential vulnerabilities across multiple layers of infrastructure. That doesn’t mean, however, that you need to think of Kubernetes security as being hopelessly challenging.

On the contrary, the fact that Kubernetes is such a sprawling platform with so many integrations presents an opportunity: it makes it easy to build an automated, systematic set of processes that bakes security into the core of the Kubernetes build and deployment process. The result is a tightly integrated security strategy that mitigates threats at all layers and levels of your stack.

This e-book explains how to design a security strategy that reinforces, rather than hinders, the rest of your Kubernetes-based processes. It identifies Kubernetes security challenges from the node up and pinpoints specific solutions for addressing each of them, with a focus on automated, scalable approaches that will keep Kubernetes-based workloads secure, no matter how large your cluster is or which type of infrastructure you use to host it—on-premises, public cloud, or managed service.

Chapter 1: Kubernetes Security Basics
Before delving into specific types of security challenges in Kubernetes or strategies for addressing them, let’s briefly walk through the essential high-level considerations about Kubernetes security.

Kubernetes Is a Many-Layered Beast
First and foremost, it’s important to understand that Kubernetes is a complex platform that consists of more than half a dozen different components. It has an API server for enabling communications between different parts of a cluster, a scheduler that manages how workloads are distributed, and controllers that manage the state of Kubernetes itself. It also includes an agent that runs on each node, or server, within a cluster; and a key-value store, where cluster configuration data is housed.

Figure 1: Managed Kubernetes services architecture

Those are only the main components of Kubernetes itself. A functional cluster also relies on many other moving parts, including a container runtime for executing containers, some type of persistent storage solution, a logging tool, operating systems to power each node, and more.

Each of these various pieces of a Kubernetes cluster brings its own set of potential vulnerabilities. Container runtimes may be subject to coding flaws that enable privilege escalation within a container. The Kubernetes API server could be improperly configured, giving attackers the opportunity to access resources that are supposed to be locked down. Vulnerabilities could exist within a containerized application, or within the operating systems running on Kubernetes nodes, that enable privilege escalation attacks or access to sensitive data. These are just a few examples.

In short, securing Kubernetes requires securing a broad set of different components, each subject to its own security needs. There is no single set of tools or processes that can easily secure all aspects of a Kubernetes cluster against all types of vulnerabilities. You need a multi-pronged defense.

Kubernetes Native Security Protections
Complicating Kubernetes security further is the fact that, although Kubernetes provides certain built-in security features, it is hardly capable of securing itself without help from external tools. Kubernetes allows administrators to define role-based access control (RBAC) policies to help guard against unauthorized access to cluster resources. They can also configure pod security policies and network policies to prevent certain types of abuse on pods and the network that connects them. They can impose resource quotas to mitigate the disruption caused by an attacker who compromises one part of the cluster. With resource quotas in place, the attacker won’t be able to execute a denial-of-service attack by depriving the rest of the cluster of sufficient resources to run (assuming, of course, that the breach isn’t escalated beyond the part of the cluster where it originates).

Native Kubernetes security features like these plug certain security gaps within a Kubernetes cluster. However, they are of little or no use in addressing many other types of security risks, such as exploits that impact node operating systems or container runtimes.

To build a holistic security strategy for Kubernetes, then, you need to look beyond the handful of built-in Kubernetes security features. The latter can and should be used where appropriate to mitigate security risks, but on their own, they don’t even come close to providing all the functionality you need to secure a cluster.

In the following chapters, we’ll look at what it takes to build a comprehensive security strategy for Kubernetes that goes above and beyond the platform’s limited built-in security functionality.

Chapter 2: Securing Kubernetes Infrastructure
The first overarching layer to secure in a Kubernetes-based environment is the build layer: the set of tools that developers use to build code that will run in a Kubernetes environment. These tools are not part of Kubernetes itself. However, because a Kubernetes cluster is only as secure as the code that runs on it, taking steps to secure code before it is even deployed to a cluster is a prerequisite for securing all aspects of Kubernetes.

This chapter explains how to secure Kubernetes builds, with a focus on the three main junctions where you integrate security into your automated build pipeline: integrated development environments (IDEs), configuration management, and continuous integration.

Figure 2: Security in the build pipeline. Developer and CI/CD pipeline stages: (1) IaC template configuration scan in the developer environment; (2) vulnerability scan of OS packages in Docker images in CI/CD before pushing to the registry; (3) IaC template configuration scan before deploying to runtime; (4) configuration scan of the Kubernetes app manifest YAML file before deploying to the Kubernetes cluster.

IDEs
IDEs are the tools developers typically use to write source code for applications. As the tool that starts the application deployment pipeline, an IDE is the place where vulnerability scanning should begin. Most IDEs can integrate with a variety of third-party source code vulnerability scanners to detect potential security flaws in application code.

Continuous Integration
Continuous integration (CI) tools host source code and turn it into binaries that can be deployed into Kubernetes. They represent another stage at which code should be scanned for vulnerabilities. Like IDEs, CI servers are compatible with a variety of vulnerability scanners.

Configuration Management
Today, most Kubernetes application build and deployment pipelines rely on automated, policy-based configuration management in the form of infrastructure as code (IaC) and YAML files. These approaches let Kubernetes administrators write code to define how a cluster (and the infrastructure that hosts it) should be configured, and then apply that code automatically.

In addition to streamlining the process of provisioning a Kubernetes environment, configuration management tools offer an opportunity to scan configuration files for security problems before they are applied. Tools like Prisma™ Cloud can do this automatically by comparing your IaC and YAML files to those known to be secure. Prisma Cloud integrates directly with your source code management system, such as GitHub® or GitLab®, making it easy to build a fully automated process for securing Kubernetes configuration files that works with existing build pipelines.

Figure 3: Kubernetes policies in Prisma Cloud
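The kind of pre-deploy manifest check that stage 4 of Figure 2 describes, covering the pod-security and resource-quota points raised in Chapter 1, as an added example that is not code from this e-book or from Prisma Cloud. The manifest, the registry name and the weak settings are constructed for the example; the manifest is embedded as JSON (which kubectl accepts like YAML) so the check runs with the standard library alone.

```python
"""Pre-deploy configuration check for a Kubernetes workload manifest (added
example, not code from the e-book or Prisma Cloud). The manifest is a
constructed sample embedded as JSON, which kubectl accepts like YAML, so only
the standard library is needed."""
import json

# Constructed sample: one weak container and one hardened container.
SAMPLE_MANIFEST = json.dumps({
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "billing-api"},
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "containers": [
            {"name": "api",
             "image": "registry.example.internal/billing-api:latest",
             "securityContext": {"privileged": True}},
            {"name": "log-shipper",
             "image": "registry.example.internal/log-shipper@sha256:" + "ab" * 32,
             "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": False,
                                 "readOnlyRootFilesystem": True},
             "resources": {"limits": {"cpu": "100m", "memory": "64Mi"}}},
        ],
    }}},
})

def pod_spec(manifest):
    """Pod spec of a bare Pod, or of the template inside a Deployment/Job/etc."""
    spec = manifest.get("spec", {})
    return spec if manifest.get("kind") == "Pod" else spec.get("template", {}).get("spec", {})

def check_manifest(text):
    """Return 'scope: finding' strings; an empty list means the manifest passed."""
    spec = pod_spec(json.loads(text))
    findings = []
    # Host namespaces expose the node to the pod; pod security policies normally forbid them.
    for host_flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(host_flag):
            findings.append(f"pod: {host_flag} is enabled")
    for c in spec.get("containers", []):
        name, sc, image = c.get("name", "<unnamed>"), c.get("securityContext", {}), c.get("image", "")
        if sc.get("privileged"):
            findings.append(f"{name}: runs privileged")
        if not sc.get("runAsNonRoot"):
            findings.append(f"{name}: runAsNonRoot not set")
        if sc.get("allowPrivilegeEscalation", True):  # Kubernetes defaults this to true
            findings.append(f"{name}: allowPrivilegeEscalation not disabled")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: root filesystem is writable")
        if not c.get("resources", {}).get("limits"):  # unbounded container can starve the namespace
            findings.append(f"{name}: no resource limits set")
        # A mutable tag can be repointed after the image was scanned; a digest cannot.
        ref = image.rsplit("/", 1)[-1]
        if "@sha256:" not in image and (":" not in ref or ref.endswith(":latest")):
            findings.append(f"{name}: image not pinned by digest ({image})")
    return findings

if __name__ == "__main__":
    for finding in check_manifest(SAMPLE_MANIFEST):
        print(finding)
```

Run against the sample, the hardened log-shipper container produces no findings while the api container and the pod-level hostNetwork setting produce seven; a CI job would fail the build on a non-empty list.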

Chapter 3: Securing Container Images to Run on Kubernetes
In most cases, applications are deployed on Kubernetes as container images. (It’s possible to manage other types of deployment objects on Kubernetes, including virtual machines, but this is less common.) Container images are checked for vulnerabilities that can exist within the container code itself as well as in any upstream dependencies on which the image is based.

Developer Desktop
There are two ways to go about scanning container images for security issues. The first is to scan individual images manually, using a tool such as twistcli. This is useful if you need to perform a one-off security check of an image.

Continuous Integration
When container images are built using automated workflows on platforms like Jenkins®, CircleCI®, or Azure® DevOps, developers and DevOps teams will likely need to integrate vulnerability and compliance scanning into these workflows. Security platforms like Prisma Cloud can scan these container images to identify issues against frameworks like the Docker CIS Benchmark and enforce standards based on organization or application requirements.

Container Registries
For automated, scalable vetting of container images, however, you should regularly scan all images inside a container registry. Registries are repositories that store container images. By integrating a vulnerability scanner into your registry, you gain full visibility into any threats that may exist within the container images stored in that registry.

One challenge in scanning container registries is that there are a variety of different container registries available. Some Kubernetes distributions, such as Red Hat® OpenShift® and managed Kubernetes services hosted in public clouds, come with their own built-in registries. Others allow administrators to choose from a variety of third-party registries.

This diversity of registry options and configurations makes it important to choose a container image scanning tool that can integrate with any type of registry. Prisma Cloud provides this flexibility, allowing administrators a one-stop image scanning solution no matter how their Kubernetes cluster is configured.

Figure 4: Container image registry scan results in Prisma Cloud

Chapter 4: Kubernetes Runtime Security
Securing an application once it has been deployed into a cluster is the most complex aspect of Kubernetes security. This is because there are so many types of vulnerabilities that can impact an application when it is running, and those vulnerabilities have the potential to be exploited via the application itself as well as through Kubernetes. There are several steps you can take (beyond securing applications before deployment, using the guidance offered in preceding chapters) to mitigate the security risks of an application after it has been deployed.

Visibility
Above all, it’s critical to maintain continuous visibility into your Kubernetes services and resources. Breaches can happen in a variety of ways. The more data you collect about the application environment, the greater your chances of detecting an anomaly that will alert you to a breach.

Security teams may not know where all their clusters are running, and they may therefore lack cohesive information on overall security posture. With Prisma Cloud, security teams gain continuous visibility into cluster locations using API data from the public cloud service providers (CSPs) in addition to configuration and compliance status.

Runtime Protection
Collecting environment data from Kubernetes is relatively straightforward. A key challenge in using that data to monitor for security issues, however, is that Kubernetes clusters tend to change constantly as nodes come offline or shut down, applications are scaled up and down in response to shifts in demand, and so on. As a result, it’s impossible to establish a baseline of “normal” activity and measure anomalies against it.

Instead, look for a Kubernetes runtime protection solution like Prisma Cloud, which automatically learns how applications deployed in Kubernetes behave under different conditions. With this insight, users can effectively distinguish normal shifts in application behavior from those that reflect a security problem.

Network Protection
Network-based security threats can impact Kubernetes in two distinct ways: via public-facing networks that connect applications to the internet, and via internal networks that Kubernetes containers use to exchange data with each other.

Detecting signs of malicious activity on both types of networks is therefore crucial for securing Kubernetes network resources. Because network activity, like the rest of a Kubernetes environment, fluctuates constantly—as do the IP addresses of containers—you need a container-aware network scanner that understands the nuances of network traffic in a Kubernetes cluster. You also need a firewall tool that allows you to define rules to protect against network-based threats, and then either alerts you or blocks threats automatically when rules are violated. Prisma Cloud’s container-aware network scanning and Layer 4 firewall functionality does all of this.
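How a learned behavioral baseline can survive the pod churn the Runtime Protection and Network Protection sections describe, as an added example that is not code from this e-book or from Prisma Cloud. Events are keyed by container image rather than pod IP, and each connection is reduced to its scope (inside or outside an assumed pod CIDR of 10.0.0.0/8) and destination port; the log format, image names and events are constructed for the example.

```python
"""Behavioral baseline for containers (added example, not code from the e-book
or Prisma Cloud). Events are keyed by container image, not pod IP, and
connection destinations are reduced to scope and port, so pod churn and
rescheduling do not create noise. Log format and events are constructed."""
import ipaddress
from collections import defaultdict

CLUSTER_CIDR = ipaddress.ip_network("10.0.0.0/8")  # assumed pod network range

# Constructed events: "<ts> <pod-ip> <image> proc <name>" or "... conn <ip>:<port>"
LEARN_EVENTS = """\
1 10.0.1.5 shop/web:1.4 proc nginx
2 10.0.1.5 shop/web:1.4 conn 10.0.2.9:5432
3 10.0.1.7 shop/web:1.4 proc nginx
4 10.0.1.7 shop/web:1.4 conn 10.0.2.9:5432
5 10.0.2.9 shop/db:12 proc postgres
""".splitlines()

# Same workloads after a rescale: new pod IPs, plus two things never seen while learning.
RUNTIME_EVENTS = """\
20 10.0.1.12 shop/web:1.4 proc nginx
21 10.0.1.12 shop/web:1.4 conn 10.0.2.14:5432
22 10.0.1.12 shop/web:1.4 proc sh
23 10.0.1.12 shop/web:1.4 conn 198.51.100.7:8443
24 10.0.2.14 shop/db:12 proc postgres
""".splitlines()

def parse(line):
    ts, pod_ip, image, kind, detail = line.split()
    return int(ts), pod_ip, image, kind, detail

def feature(kind, detail):
    """Normalize one event into a string that survives pod-IP churn."""
    if kind == "proc":
        return f"proc:{detail}"
    host, port = detail.rsplit(":", 1)
    scope = "internal" if ipaddress.ip_address(host) in CLUSTER_CIDR else "external"
    return f"conn:{scope}:{port}"

def learn_baseline(lines):
    """Map image -> set of normalized features observed during the learning window."""
    baseline = defaultdict(set)
    for line in lines:
        _, _, image, kind, detail = parse(line)
        baseline[image].add(feature(kind, detail))
    return dict(baseline)

def detect(baseline, lines):
    """Return (ts, pod_ip, image, feature) for every event outside the image's baseline."""
    alerts = []
    for line in lines:
        ts, pod_ip, image, kind, detail = parse(line)
        f = feature(kind, detail)
        if f not in baseline.get(image, set()):
            alerts.append((ts, pod_ip, image, f))
    return alerts

if __name__ == "__main__":
    for alert in detect(learn_baseline(LEARN_EVENTS), RUNTIME_EVENTS):
        print("anomaly:", alert)
```

The database pod's new IP at timestamp 21 is not reported because only scope and port are compared, while the unexpected shell process and the connection to an address outside the cluster are.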

Figure 5: Network topology and container security visualization within Prisma Cloud

Node OS Monitoring
An attacker who takes control of the operating system running on a node within your Kubernetes cluster can wreak havoc of all kinds. Thus, it’s critical to monitor not just the internal components of Kubernetes, but also the operating systems that power each of your nodes. Ideally, you’ll be able to do this using the same monitoring solution that tracks your Kubernetes applications so that you won’t need to rely on multiple tools and monitor multiple dashboards to detect threats that originate from internal and external sources. Prisma Cloud, which can monitor any type of operating system or cloud infrastructure as well as Kubernetes, offers holistic monitoring functionality.

Figure 6: Kubernetes cluster investigation detail in Prisma Cloud

Kubernetes Security Audits and Compliance
Finally, implement a regular auditing process that scans all layers of your Kubernetes cluster and configurations to ensure they align with industry standards and best practices. Audits won’t necessarily detect threats in real time, but they will help you stay ahead of security problems or misconfigurations you may be overlooking that could give attackers an entry point into your cluster or applications.

Prisma Cloud enables top-to-bottom Kubernetes security audits that check all components of the cluster for deviation from established benchmarks and best practices, such as the Kubernetes CIS Benchmark. It includes more than 100 built-in customizable checks for configurations, communications, and more, set for each application or environment. You can then map those checks to pre-built compliance templates for common frameworks like PCI DSS, HIPAA, GDPR, and NIST SP 800-190. You can also write your own compliance checks, with support for cloud native technologies like Open Policy Agent or Kubernetes AuditSink. This can be useful if you need to meet industry-specific compliance rules or if you are deploying a custom line-of-business application with security needs that generic audit policies do not address.

Conclusion
Kubernetes security can seem daunting, not least because there are so many different moving parts to secure. It’s possible, however, to leverage a central tool set to address the various aspects of Kubernetes security. Kubernetes native security features will get you partway there, but it’s also essential to leverage external tools that can address vulnerabilities such as malicious code within container images, audit Kubernetes configurations for security risks, and provide ongoing monitoring to detect threats in real time.

Prisma Cloud provides the comprehensive set of security features that teams need to address all facets of Kubernetes security. It also integrates natively with Kubernetes and a variety of associated tools, making it easy to bake security into the Kubernetes build, deployment, and management processes your team already has in place.

To learn more about using Prisma Cloud for Kubernetes security, visit our website.

Prisma Cloud by Palo Alto Networks
Prisma™ Cloud is the industry’s most comprehensive cloud native security platform (CNSP)
with the industry’s broadest security and compliance coverage—for applications, data, and the
entire cloud native technology stack—throughout the development lifecycle and across hybrid
and multi-cloud environments.
The platform offers an integrated approach that enables security operations and DevOps teams
to collaborate effectively and accelerate secure cloud native application development.
Prisma Cloud protects and integrates with cloud native architectures and toolkits to ensure complete security coverage while breaking the security operational silos across the entire application lifecycle, allowing DevSecOps adoption and enhanced responsiveness to the changing security needs of cloud native architectures.
For more information, check out paloaltonetworks.com/prisma/cloud.

3000 Tannery Way, Santa Clara, CA 95054
Main: +1.408.753.4000
Sales: +1.866.320.4788
Support: +1.866.898.9087
www.paloaltonetworks.com

© 2020 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.
prisma-cloud-complete-guide-kubernetes-ebook-093020
