Hardening Kubernetes Security

To keep the environment running securely, restrict login permission to the cluster master node according to service needs, and restrict access to the Kubernetes private key files and to the authentication credentials stored in etcd. You are advised not to operate a Kubernetes cluster directly in the background.

Kubernetes needs to be hardened as follows:

  • kube-proxy enhancement:
    • Add --nodeport-addresses to the kube-proxy startup parameter.
    • For an installed Kubernetes system, modify the ConfigMap of kube-proxy:
      kubectl edit cm kube-proxy -n kube-system
    • Manually change the value of nodePortAddresses in the ConfigMap to the node IP address in CIDR format.
    • Manually change the value of healthzBindAddress in the ConfigMap to the node IP address in CIDR format.
    • The configuration takes effect after kube-proxy is restarted.
  • kube-apiserver enhancement:
    • Add the startup parameter --kubelet-certificate-authority to configure the path of the kubelet CA certificate, which is used to verify the validity of the kubelet server certificate.
    • Change the value of --profiling to false to prevent users from dynamically changing the kube-apiserver log level.
    • Modify or add the startup parameter --tls-cipher-suites and set its value as follows to avoid risks caused by insecure TLS cipher suites:
      --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    • Modify or add the startup parameter --tls-min-version. For example, setting --tls-min-version to VersionTLS13 makes kube-apiserver use TLS 1.3 to encrypt its communication.
    • Modify or add the startup parameter --audit-policy-file and configure the Kubernetes audit policy. For details, see the official Kubernetes documentation.
  • kube-controller enhancement:
    • Add -serviceaccount-token to the startup parameter --controllers to disable the default service account of the namespace. This prevents unnecessary service accounts from being generated in the mef-user and mef-center namespaces during MindEdge Framework installation and running.
  • kubelet enhancement:
    • To prevent a single pod from occupying too many processes, enable SupportPodPidsLimit and set --pod-max-pids. Add --feature-gates=SupportPodPidsLimit=true --pod-max-pids=<max pid number> to the KUBELET_KUBEADM_ARGS item in the kubelet configuration file. After the modification, restart the system for the change to take effect. For details, see the official Kubernetes documentation.
    • Set the startup parameter --address or change the value of the address field in the startup configuration file to the host IP address.
    • Configure the startup parameter --tls-min-version or modify the tlsMinVersion field in the startup configuration file. For example, tlsMinVersion: VersionTLS13 makes kubelet use TLS 1.3 to encrypt its communication.
    • Modify or add the startup parameter --tls-cipher-suites and set its value as follows to avoid risks caused by insecure TLS cipher suites:
      --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

      Kubernetes v1.19 and later versions support TLS 1.3 cipher suites. It is recommended that TLS 1.3 cipher suites be added to this list when a later Kubernetes version is used.

  • If the OS kernel version used by the Kubernetes cluster is 4.6 or later, manually enable AppArmor or SELinux after Kubernetes is installed.
  • To make the bandwidth limit of the inference service pod take effect, install the bandwidth plugin in the CNI bin directory (/opt/cni/bin by default), modify the CNI configuration file (/etc/cni/net.d by default), and add bandwidth to plugins.
    ...
        {
          "type": "bandwidth",
          "capabilities": {"bandwidth": true}
        }
    ...
  • For details about other security hardening items, see Security at the Kubernetes official website or other vendors' security hardening solutions.
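The kube-apiserver and kubelet items above can be verified rather than trusted. The following audit script is an added example, not part of the MindEdge Framework documentation: it reads the "- --flag=value" argument list of a kubeadm-style kube-apiserver static pod manifest and reports every deviation from the flags and cipher-suite list given above. The manifest layout, the function names and the two sample manifests are assumptions constructed for the example.

```shell
#!/bin/sh
# Added audit helper (not from the MindEdge documentation): reads the "- --flag=value"
# argument list of a kubeadm-style kube-apiserver manifest and reports deviations from
# the hardening items above. Sample manifests below are constructed.
# Cipher suites the hardening guidance allows.
ALLOWED_SUITES="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 \
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 \
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"

# flag_value FILE FLAG: print the value of the first "- FLAG=value" line, or nothing.
flag_value() {
  sed -n "s/^[[:space:]]*- $2=\(.*\)$/\1/p" "$1" | head -n 1
}

# audit_apiserver FILE: print one FAIL line per deviation from the hardening list.
audit_apiserver() {
  for flag in --kubelet-certificate-authority --audit-policy-file --tls-min-version; do
    [ -n "$(flag_value "$1" "$flag")" ] || echo "FAIL: $flag is not set"
  done
  [ "$(flag_value "$1" --profiling)" = "false" ] || echo "FAIL: --profiling is not false"
  suites=$(flag_value "$1" --tls-cipher-suites)
  [ -n "$suites" ] || echo "FAIL: --tls-cipher-suites is not set"
  for s in $(printf '%s' "$suites" | tr ',' ' '); do   # every suite must be allow-listed
    case " $ALLOWED_SUITES " in
      *" $s "*) ;;
      *) echo "FAIL: cipher suite $s is not in the hardening list" ;;
    esac
  done
}

# count_findings FILE: number of FAIL lines (0 means the manifest passes).
count_findings() { audit_apiserver "$1" | wc -l | tr -d ' '; }

# Constructed sample manifests: one weak, one matching the guidance.
WEAK_MANIFEST=$(mktemp); HARDENED_MANIFEST=$(mktemp)
trap 'rm -f "$WEAK_MANIFEST" "$HARDENED_MANIFEST"' EXIT
cat > "$WEAK_MANIFEST" <<'EOF'
    - --profiling=true
    - --tls-min-version=VersionTLS12
    - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA
EOF
cat > "$HARDENED_MANIFEST" <<'EOF'
    - --kubelet-certificate-authority=/etc/kubernetes/pki/ca.crt
    - --profiling=false
    - --audit-policy-file=/etc/kubernetes/audit-policy.yaml
    - --tls-min-version=VersionTLS13
    - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
EOF
audit_apiserver "$WEAK_MANIFEST"
```

Point the script at /etc/kubernetes/manifests/kube-apiserver.yaml (the kubeadm default location) to audit a real control plane; the same flag_value check applies to the kubelet's --tls-cipher-suites and --tls-min-version settings.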