Hardening Kubernetes Security
Kubernetes needs to be hardened as follows:
- Enhance kube-apiserver.
  - Change the value of --profiling to false to prevent users from dynamically changing the kube-apiserver log level.
  - Modify or add the startup parameter --tls-cipher-suites and set its value as follows to avoid risks caused by insecure TLS cipher suites:
    --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  - Modify or add the startup parameter --audit-policy-file and configure the Kubernetes audit policy. For details, see the official Kubernetes documentation.
- Enhance kubelet.
  - To prevent a single pod from occupying too many processes, enable SupportPodPidsLimit and set --pod-max-pids. Add --feature-gates=SupportPodPidsLimit=true --pod-max-pids=<max pid number> to the KUBELET_KUBEADM_ARGS item in the kubelet configuration file. Restart the system for the modification to take effect. For details, see the official Kubernetes documentation.
  - Modify or add the startup parameter --tls-cipher-suites and set its value as follows to avoid risks caused by insecure TLS cipher suites:
    --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    Kubernetes v1.19 and later support TLS v1.3 cipher suites. It is recommended that TLS v1.3 cipher suites be added to this list when a later Kubernetes version is used.
- If the OS kernel version used by the Kubernetes cluster is 4.6 or later, manually enable AppArmor or SELinux after Kubernetes is installed.
- For details about other security hardening items, see Security at the Kubernetes official website or other vendors' security hardening solutions.
- Configure proper permissions for the upper-layer service platform in Kubernetes, for example, restrict the API groups that accounts can access, so that upper-layer services cannot operate on Kubernetes resources they do not need. For details, see the official Kubernetes documentation.
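The following script is an added example, not part of the original page or of Kubernetes itself: it checks a kube-apiserver static-pod manifest for the three kube-apiserver items above (--profiling=false, the recommended --tls-cipher-suites list, and --audit-policy-file) and reports each weak or missing setting. It assumes the kubeadm layout where each flag appears as a `- --flag=value` entry in the container command list; the two sample manifests it audits are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original page: audit a kube-apiserver static-pod
# manifest for the hardening items above. Needs only POSIX sh, sed and tr.
# The cipher suites recommended above; any other suite is reported.
ALLOWED_SUITES="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 \
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 \
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"

# flag_value <manifest> <flag>: value of a "- --flag=value" command entry, empty if absent.
flag_value() {
  sed -n "s/^[[:space:]]*-[[:space:]]*--$2=\(.*\)\$/\1/p" "$1" | head -n 1
}

# audit_apiserver_manifest <manifest>: print one FINDING line per weak or missing item;
# the return status is the number of findings, so 0 means all three items pass.
audit_apiserver_manifest() {
  findings=0
  if [ "$(flag_value "$1" profiling)" != "false" ]; then
    echo "FINDING: --profiling is not set to false"; findings=$((findings + 1))
  fi
  suites=$(flag_value "$1" tls-cipher-suites)
  if [ -z "$suites" ]; then
    echo "FINDING: --tls-cipher-suites not set, Go defaults apply"; findings=$((findings + 1))
  else
    for s in $(printf '%s' "$suites" | tr ',' ' '); do
      case " $ALLOWED_SUITES " in
        *" $s "*) ;;
        *) echo "FINDING: cipher suite $s is outside the recommended list"
           findings=$((findings + 1)) ;;
      esac
    done
  fi
  if [ -z "$(flag_value "$1" audit-policy-file)" ]; then
    echo "FINDING: --audit-policy-file not set, no audit policy configured"; findings=$((findings + 1))
  fi
  return "$findings"
}

# Constructed sample manifests (not taken from any real cluster) to exercise the check.
WEAK=$(mktemp); HARDENED=$(mktemp); trap 'rm -f "$WEAK" "$HARDENED"' EXIT
printf '%s\n' 'spec:' '  containers:' '  - command:' '    - kube-apiserver' \
  '    - --profiling=true' '    - --tls-cipher-suites=TLS_RSA_WITH_AES_128_CBC_SHA' > "$WEAK"
printf '%s\n' 'spec:' '  containers:' '  - command:' '    - kube-apiserver' \
  '    - --profiling=false' '    - --audit-policy-file=/etc/kubernetes/audit-policy.yaml' \
  "    - --tls-cipher-suites=$(printf '%s' "$ALLOWED_SUITES" | tr ' ' ',')" > "$HARDENED"
audit_apiserver_manifest "$WEAK" || echo "weak manifest: $? finding(s)"
audit_apiserver_manifest "$HARDENED" && echo "hardened manifest: no findings"
```

On a kubeadm node the same function can be pointed at /etc/kubernetes/manifests/kube-apiserver.yaml; the kubelet items use the same flag syntax but live in the KUBELET_KUBEADM_ARGS environment file, so parse that file with a matching pattern rather than this manifest-oriented one.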