CyberArk Glossary >

Kubernetes

What is Kubernetes?

Kubernetes, also known as K8s, is a popular open-source container orchestration platform designed for cloud portability across hybrid and multi-cloud infrastructure.  Kubernetes automates many of the manual processes involved in deploying, managing and scaling containerized applications. Kubernetes is the defacto platform for multi-cloud and hybrid cloud deployments, as it allows development teams to build cloud portable apps with minimal refactoring between cloud providers or even on-prem. K8s contains basic secrets management functionality in Kubernetes secrets, with the ability to define secret objects, that are often not encrypted or rotated. A Kubernetes secret can be injected into a pod container either as an environment variable or a mounted file.  Kubernetes secrets are digital credentials used to provide identity authentication and authorize access to privileged accounts, applications and services. Examples include:

  • User or auto-generated passwords
  • API, GitHub tokens and other application keys/credentials
  • Hard-coded credentials in containerized applications
  • Secure shell (SSH) keys
  • Private certificates for secure communication, data transmitting and receiving, such as transport layer security (TLS) and secure sockets layer (SSL)
  • Private encryption keys for systems like pretty good privacy (PGP)
  • System-to-system passwords
  • One-time passwords for devices

There are two types of Kubernetes secrets including built-in and customized. Built-in Kubernetes secrets are automatically created by Kubernetes service accounts and attached to containers along with API credentials and customized Kubernetes secrets to enable you to define your sensitive data and create a custom Kubernetes secret to store it.

What are the benefits of Kubernetes?

Kubernetes enables developers to easily build containerized applications and services, as well as orchestrate, scale, schedule and monitor those containers and evolved as the preferred platform for building multiple-cloud, hybrid and platform independent/agnostic infrastructure for cloud portable apps to run on, providing enterprise flexibility and efficiency. Kubernetes facilitates running immutable infrastructure where containers can be destroyed, replaced and self-healed automatically. It helps reduce deployment friction as you declaratively describe the resources your containers and pods need and Kubernetes manages to deploy these resources. It also offers multiple options for using Kubernetes secrets such as the contents of files, environment variables or configuration files themselves, either in plain text or encoded.

  • Rollouts:  Enables you to initiate, pause, resume, or roll back rollouts.
  • Service discovery: Automatically expose a container to the internet or to other containers using a DNS name or IP address.
  • Storage provisioning:  In Kubernetes, volumes are the storage provisioning to mount persistent local or cloud storage for your containers as needed.
  • Load balancing: Load balancing distributes the workload across the network to maintain performance and stability.
  • Autoscaling: Autoscaling increases the new clusters as needed to handle the additional workload.
  • Self-healing for high availability: Kubernetes self-healing enables restarting or replacing the failed container automatically to prevent downtime. A web application and API protection (WAAP) solution enables this self-healing mechanism to ensure web applications or API services are always running during unexpected issues too.

Kubernetes vs Docker

Kubernetes and Docker are both important tools in the containerization ecosystem. Let’s look into the major differences between both:

Kubernetes Docker
Container orchestration tool Tool to deploy containers
Maintain and deploy multiple containers across multiple servers Automate the deployment of applications in lightweight containers
Open-source platform Standardize application operations which comes with an enterprise edition
Supports auto-scaling Does not support auto-scaling

 

Why Kubernetes Security is important?

Kubernetes security is known as the processes and principles to apply security practices in securing containers, configuring workloads, network security and securing your infrastructure. Kubernetes enables the configuration of many types of secret keys such as HTTP access keys, SSH access keys, cryptography keys and many more. When these keys are stored in Kubernetes, they are vulnerable to attackers who breach the network. The attackers gain a foothold in critical systems in resources and Kubernetes secrets can be leaked via logs, debug records and application code accessible to other developers or even through source code management tools like GitHub and GitLab. So, Kubernetes security is important during the container lifecycle due to the dynamic nature of a Kubernetes cluster. The development team can implement various steps to strengthen the security of their Kubernetes environment, such as:

  • Authenticate and authorize Kubernetes secrets to control an ideal location in the Kubernetes cluster.
  • The most secure way Kubernetes secrets can be configured, stored and managed for deployed pods.

What are the best practices for Kubernetes Secrets Management?

Kubernetes Secrets Management is important in securing non-human and machine access to containers within Kubernetes for cloud workloads. So, it is vital to secure containers within the Kubernetes environment. Securing containers using a centralized secrets management solution makes audit, access control and Kubernetes secrets management more manageable by giving organizations a centralized view of their overall Kubernetes security landscape. Implement Role-Based Access Control (RBAC) and Multi-factor Authentication, such as certificates. RBAC authorizes secret access based on a security policy detailing a role-based, time-based and task-based repository of access management. These best practices are useful to the DevOps team to maintain application security, including providing RBAC, granting required permissions only and rotating credentials, among many other precautions.

  • Set the experimental-encryption-provider-config flag on the Kubernetes API server.
  • Map out exactly which containers need access to each of your secrets.
  • Implement role-based access control (RBAC).
  • Delete Kubernetes secrets that are no longer needed and revoke access to the resources they provided.
  • Regularly audit critical systems access and rotate and change Kubernetes secrets regularly.
  • Log usage, including when a secret is injected, rotated or removed from a container.
  • Centralize secrets management to prevent creating “security islands” across multiple tools.

Learn more about Kubernetes

  1. Kubernetes Risks and What to Do About Them
  2. KubeCon 2023: Identity+ Security= A Whole New World
  3. Kubernetes Security: Best Practices for Kubernetes Secrets Management
  4. Securing Containers in a Kubernetes Environment