❓Let start with the fundamental question why securing a container is challenging?
- The container’s lifespan is short. It may be difficult to do forensics, particularly if the compromised container is already replaced.
- Unlike a virtual machine where you are running the full operating system and virtualizing the x86 instruction sets, containers are processes running on a shared kernel.
- Isolation is implemented through Linux namespaces and cgroups. While these provide isolation between containers, they aren’t considered a strong security boundary. Hackers can escape these namespaces and can gain access to the underlying host. It’s important to implement safeguards to prevent it from happening.
- Many traditional and legacy security software(e.g., IDS/IPS, firewall)are not container aware.
⓵ Operating System: Deploy an operating system that is optimized for running containers. Some of the amazon offerings are Bottlerocket(read-only root filesystem, use of SELinux) and EKS Optimized Amazon Linux2.
② CIS Benchmarks: Use kube-bench to continuously align with security best practices and compliance requirements. It’s an open-source tool that evaluates your cluster against the CIS benchmark for Kubernetes. AWS creates its own CIS benchmark with specific considerations for EKS clusters. https://aws.amazon.com/blogs/containers/introducing-cis-amazon-eks-benchmark/
⓷ Minimize access to worker nodes: Using tools like System Manager, you should minimize access to worker nodes. Using SSM, you can control access via IAM and have an audit trail via Cloudtrail.
④ Deploy workers nodes on private subnets: Deploy your worker nodes in private subnets(there may be exceptions for that). This will reduce the attack vector, especially originates. If your cluster endpoint is public, you can restrict access to specific CIDR blocks.
⑤ Scan container Image for vulnerabilities: Elastic Container Registry(ECR) uses the open-source tool Clair to do that. You can scan images on push or on-demand in ECR. Other open-source alternatives are Trivy, Anchore, etc. Always start with a slim image like an alpine, so there is no extraneous binary in the image.
⑥ Lint your Dockerfile: Linting can be done to make sure your Dockerfile can adhere to predefined guidelines. This can be done as part of your CI/CD process, and you can use a tool like dockerfile_lint https://github.com/projectatomic/dockerfile_lint
⓻ Enable Control plane log: Enable control plane logging. This will send logs(API server, Audit, Authenticator, Controller manager, Scheduler)to the Cloudwatch logs.
⑧ Use IRSA to assign AWS Identities: When assigning identities to pods, you can use the IAM roles for Service Account(IRSA). This allows you to assign IAM roles to specific pods using annotation in the manifests or when the pod is configured with a Service Account that references an IAM Role.
⓽ Encrypt service-to-service traffic using mesh: You can use AWS App Mesh to encrypt service-to-service traffic. Mesh also provides other capabilities like better observability, circuit breaking, retries, etc. Alternatively, you can use CNI plugins like Weavenet or nitro instances(some encrypt network traffic by default using TLS).
⓵⓪ Pod and runtime security: Use OPA/Gatekeeper to implement runtime security measures such as Deny running as root, privilege escalation, dropping Linux capabilities, etc.