
Security of the Host

Even before we talk about the Pods, the images running within those Pods, or observability, let's talk about securing the actual infrastructure.

Whether we talk about a self-managed Kubernetes cluster or a managed one like EKS or GKE, the whole system has to run somewhere. In the self-managed case that is usually your own VMs; in the managed case it is EC2 instances or GCP VMs. Hence we first need to secure the hosts/VMs on which the Pods will run.

  1. Start by hardening the VM/Host/Node itself:
    1. The choice of the OS:
      1. If you are a GKE user, the recommended node operating system is Container-Optimized OS, as it is optimised to enhance node security.

      2. Similarly, if you have the choice of OS, choose an immutable Linux distribution. The goal is to have an OS that runs the latest kernel, is free from the latest known vulnerabilities, and supports up-to-date technologies such as eBPF.

      3. Having an immutable system helps with security: the root filesystem is locked and cannot be changed by the applications or services running on the OS, even if someone escalates to the host. This reduces the impact of a compromise.

      What is an Immutable Linux OS? An OS in which, once installed, the system files and directories cannot be modified. Any updates or changes are made by creating a new instance of the OS. To know more about Immutable Linux OS, give this writeup by Adrian Hornby a read here. Some known Immutable Linux OS examples are:

      1. Flatcar Container Linux
      2. Bottlerocket
      3. Talos
      4. RancherOS
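One quick way to verify the property described above on a node is to check how the root filesystem is actually mounted. The following script is an added example, not part of the original post or of any of the distributions listed: it parses `/proc/mounts`-format lines (the two sample inputs are constructed for the example) and reports whether `/` is mounted read-only, as an immutable OS would have it. On a live node you would pipe the real `/proc/mounts` into the function instead.

```shell
#!/bin/sh
# Added example: report whether the root filesystem is mounted read-only,
# which is what an immutable host OS should show. Not code from the original post.

# root_fs_readonly [FILE]
# Reads /proc/mounts-format lines from FILE (or stdin when no file is given),
# prints "ro" or "rw" for the "/" mount point, and returns 0 only for "ro".
root_fs_readonly() {
    # /proc/mounts fields: device mountpoint fstype options dump pass.
    # If "/" appears more than once (overlay or bind), the last line is the
    # mount currently in effect, so take the last match.
    opts=$(awk '$2 == "/" { print $4 }' "$@" | tail -n 1)
    if [ -z "$opts" ]; then
        echo "no root mount found" >&2
        return 2
    fi
    # Surround with commas so "ro" is matched as a whole option and not as
    # part of something like "errors=remount-ro".
    case ",$opts," in
        *,ro,*) echo ro; return 0 ;;
        *)      echo rw; return 1 ;;
    esac
}

# Constructed sample input resembling an immutable node (not captured from a real host).
IMMUTABLE_SAMPLE='/dev/root / ext4 ro,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/vda2 /var ext4 rw,relatime 0 0'

# Constructed sample input resembling a conventional, mutable node.
MUTABLE_SAMPLE='/dev/vda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0'

echo "immutable sample root fs: $(printf '%s\n' "$IMMUTABLE_SAMPLE" | root_fs_readonly)"
echo "mutable sample root fs:   $(printf '%s\n' "$MUTABLE_SAMPLE" | root_fs_readonly)"
# On a real node: root_fs_readonly /proc/mounts
```

The option match is deliberately exact: a mutable root filesystem commonly carries `errors=remount-ro`, which contains the letters `ro` but is not the `ro` mount flag, so a naive substring check would report a false positive. Note that a read-only root only covers the system files; writable data mounts such as `/var` in the first sample are expected and still need their own controls.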