Securing Kubernetes: Using Gatekeeper to enforce effective security policies

Containerization has become commonplace in the industry now that many organizations have decided to move away from monolithic architectures, with most people and teams being familiar with microservices architecture and having used it at some point.

Making the move to Kubernetes is often seen as a more significant step due to the differences in the complexity of learning. Unsurprisingly, with a steeper initial learning curve when using Kubernetes, there is less understanding of how to secure it against vulnerabilities and threats effectively. Difficulty is no reason to hold off, and not implementing procedures certainly doesn’t prevent any attacks from occurring. Yet, despite their importance, Kubernetes environments are prone to misconfigurations, exposing companies to security risks that can have far-reaching consequences.

This article aims to provide insights into making your Kubernetes infrastructure more secure by implementing effective security policies. It introduces tools like Gatekeeper and secure code learning platforms like SecureFlag, designed to reinforce your defense mechanisms against cyber threats. With the deprecation and removal of Pod Security Policies (PSP) in Kubernetes v1.25, there is a need for alternative enforcement strategies, and this post explores how to maximize the utility of new policy enforcement tools and techniques within your security framework.

SecureFlag Kubernetes featured image

Understanding Kubernetes Security Needs

Understanding some reasons for security needs in Kubernetes is fundamental for organizations to protect their infrastructure from potential risks. Here are the key points:

  • Resource Limits: Enforcing container limits is vital for maintaining system stability and mitigating the risks of disruptions or privilege escalation. Allowing some pods and containers to use more resources without controls means you could see downtime on some services due to a lack of available resources.

  • Policy Enforcement: With the deprecation of Pod Security Policies, alternatives like Gatekeeper are necessary for enforcing security best practices. Some examples of policies might be that images must be from approved repositories, ingress hostnames must be globally unique, pods must have resource limits, or namespaces must have a label to list a point of contact.

  • Common Security Issues: These can include compromised images and registries, unsecured default configurations, unauthorized access based on each user’s needs, and compliance challenges.

An Overview of Security Policy Enforcement Tools

When securing Kubernetes, there are a variety of security policy enforcement tools at your disposal:

  • Security Context Configuration: Defining a security context for pods and containers to set privileges and access control settings. These settings encompass a range of security measures, including Discretionary Access Control and Security Enhanced Linux, to name a few.

  • RBAC Authorization: Role-Based Access Controls (RBAC) are fundamental in regulating access based on organizational roles. By configuring policies dynamically via the Kubernetes API, RBAC authorization provides a flexible and secure access control mechanism.

  • Admission Controllers: To prevent misconfigurations, Kubernetes leverages Admission Controllers like Pod Security Standards and Open Policy Agent Gatekeeper. These tools operate on the Kubernetes API, ensuring that only compliant configurations are admitted into the cluster.

Introducing Gatekeeper

Gatekeeper operates through validating Admission Webhooks, which play a gatekeeping role by intercepting requests to the Kubernetes API server. These requests are then allowed or denied based on the outcome of policy evaluations, hence the name Gatekeeper.

Installation and Setup: To implement it, you must first install it in a Kubernetes environment. Then, Constraint Templates are created using the Rego policy language, which defines the policies that Gatekeeper will enforce. Below, we’ve listed some steps for doing this.

Policy Enforcement: Based on these templates, constraints are created, specifying the parameters that resources must meet to be considered compliant. This allows for the validation of policies against the defined rules.

Auditing Capabilities: Gatekeeper can also audit existing resources against the set policies, helping organizations assess their compliance and overall security posture.

Gatekeeper is an open-source, comprehensive policy controller for Kubernetes. The admission controller is integrated with the Open Policy Agent (OPA) Constraint Framework, which includes a policy library and native Kubernetes Custom Resource Definitions (CRDs). These tools extend the policy library and support additional functionalities such as mutation and audit (which we’ll not go into detail on in this post).

Enforcing Resource Limits with Gatekeeper

Enforcing resource limits within a Kubernetes cluster is a must for maintaining system stability and preventing individual pods from consuming excessive resources, which can lead to denial of service or other security issues. Gatekeeper, as an admissions controller, allows setting limits on resources and enables enforcing these resource constraints. Here’s how Gatekeeper facilitates the enforcement of resource limits:

  • Creating a ConstraintTemplate: With Gatekeeper, you define a ConstraintTemplate that outlines the rules for resource consumption based on the LimitRange object. This template utilizes Rego policy language, which is OPA’s native query language. Rego is declarative, which means it explicitly states the logic that should be enforced without describing the steps to perform that enforcement.

  • Applying a Constraint: This constraint binds the parameters to the policy, ensuring that any new or updated resources in the Kubernetes cluster adhere to the specified resource limits. It is through these constraints that Gatekeeper evaluates each request against the defined policies and only allows those that meet the established criteria.

This approach not only helps in preventing resource abuse but also aligns with best practices for maintaining a stable and secure container orchestration environment.

Step 1: Installation

First, ensure Gatekeeper is installed and running in your Kubernetes cluster. You can use a prebuilt image with the command:

kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/v3.15.0/deploy/gatekeeper.yaml

Or use the installation instructions in the official Gatekeeper documentation for a development image.

Step 2: Define a ConstraintTemplate

Create a ConstraintTemplate that defines the structure of the constraint and the logic (Rego policy) that enforces the resource limits. Here’s a simplified example:

apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8sresourcelimits
spec:
  crd:
    spec:
      names:        
        kind: K8sResourceLimits
      validation:
        # Define the schema here
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sresourcelimits

        violation[{"msg": msg, "details": {"kind": "Pod", "name": input.review.object.metadata.name}}] {
          container := input.review.object.spec.containers[_]
          not container.resources.requests.cpu
          msg := "Missing CPU request"
        }
        # Add more logic here to enforce limits

This example starts a template that checks for CPU request specifications on Pods. You can expand this to include checks for CPU limits, memory requests, memory limits, etc., tailored to your needs.

Step 3: Apply a Constraint

Once your ConstraintTemplate is ready, define a constraint that specifies the actual limits and targets specific namespaces or the entire cluster. For instance:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sResourceLimits
metadata:
  name: pod-resource-limits
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    cpuLimit: "1"
    memoryLimit: "1Gi"
    # Define your parameters based on the ConstraintTemplate

Leveraging SecureFlag Labs for Policy Enforcement Learning

Incorporate hands-on training into the Software Development Lifecycle to encourage developers to build software with security in mind. SecureFlag offers training specifically tailored for real-world vulnerabilities and solutions. Our platform provides real-life labs working with Kubernetes, enabling developers to practice securing their environments through interactive exercises. Here’s how SecureFlag Labs enhances the security posture when securing Kubernetes:

  • Real-World Vulnerability Practice: Developers can engage with labs that simulate real-world scenarios, like ‘Broken Authentication’ vulnerabilities. Going beyond theory and allowing developers to understand the practical aspects of Kubernetes components and security configurations.
  • Integration into SDLC: SecureFlag can be embedded directly into the SDLC, promoting a culture of security awareness from the earliest stages of software development. This proactive measure helps to prevent vulnerabilities early, reducing the risk of security breaches.

Screenshot of a SecureFlag Kubernetes Lab with Gatekeeper

Using SecureFlag’s comprehensive training modules, organizations can ensure their development teams are prepared with the knowledge and skills to maintain a strong culture of security, contributing to the overarching goal of securing Kubernetes infrastructure.

Conclusion

Throughout this article, we’ve looked at some practices for securing Kubernetes infrastructure, emphasizing the significance of security policies in tackling potential vulnerabilities.

While strengthening Kubernetes security can seem daunting, it is a continuous process that integrates policy enforcement with the latest technological features. Developers and IT professionals looking to expand their knowledge and application of these principles can use SecureFlag Labs for practical, hands-on experiences to reinforce their cybersecurity skills.

Continue reading