According to the Cloud Native Computing Foundation (CNCF) Cloud Native annual survey, security remains a top challenge in using and deploying workloads in Kubernetes. Oracle Container Engine for Kubernetes (OKE) provides you with secure and easy-to-use managed Kubernetes clusters. With OKE, you get the peace of mind to run mission-critical applications on Kubernetes, knowing that your clusters and applications are protected from malicious activity.

We have delivered multiple security-related features based on requirements from our existing customers, on our experience operating Oracle applications on Kubernetes, and on industry best practices. In this article, we walk through nine OKE security enhancements delivered over the past year.

1: Network security groups for your Kubernetes clusters

Only authorized individuals and systems should be able to reach your clusters, and controlling network access is the first line of defense against unauthorized actors. Kubernetes clusters managed by OKE have three components that you interact with directly:

  • The Kubernetes API endpoint, the main entry point to deploy applications, check state, or perform other cluster operations

  • The worker nodes that run your containerized applications

  • The load balancers exposing your containerized applications

Each component requires specific network flows, enabled by security rules. Consider a typical Kubernetes cluster. Developers, administrators, and continuous integration and delivery (CI/CD) systems reach the Kubernetes API endpoint over HTTPS. Administrators reach the worker nodes over Secure Shell (SSH) for troubleshooting. Finally, a broader audience, possibly the whole internet, reaches the applications running in the cluster through an application-specific port and protocol.

A common pattern is to create a subnet for each type of cluster component and attach to each subnet a security list containing the rules that component needs. However, carving out multiple subnets and maintaining security rules for every cluster is considerable work for network administrators, who would rather manage fewer subnets and let cluster administrators harden their own clusters.

OKE supports network security groups (NSGs) for all cluster components. An NSG consists of a set of ingress and egress security rules that apply to virtual network interface cards (VNICs) in your virtual cloud network (VCN). You can now separate your VCN’s subnet architecture from your cluster components’ security requirements.

For example, you can have a single private subnet for the Kubernetes API endpoint and the worker nodes, and a public subnet for the load balancers created by Kubernetes services. Access restriction and isolation are implemented by NSGs applied to each cluster component at the VNIC level, regardless of the subnet layout. One caveat: OCI evaluates security list rules and NSG rules together, and a packet is allowed if either set permits it, so a permissive security list left on the shared subnet silently undoes the NSG's restrictions.
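As an added example (not code from the original post), the following script builds the rule document for an NSG that fronts the Kubernetes API endpoint and attaches it with the OCI CLI. It opens only TCP/6443, from an administrator CIDR and from the worker-node NSG. The CIDR and OCIDs are constructed placeholders, and the block shows the ingress side only: the API endpoint NSG also needs the egress rules to the worker nodes and to OCI services, and the worker and load balancer NSGs need their own rules, all of which are listed in the OKE networking documentation.

```shell
#!/bin/sh
# Added example (not from the original post): build the rules for an NSG that
# fronts the OKE Kubernetes API endpoint and attach them with the OCI CLI.
# The CIDR and OCIDs are constructed placeholders.

ADMIN_CIDR="${ADMIN_CIDR:-192.0.2.0/24}"   # on-prem / CI range allowed to run kubectl (constructed)
WORKER_NSG_OCID="${WORKER_NSG_OCID:-ocid1.networksecuritygroup.oc1..workers}"   # placeholder

# Emit the JSON document that `oci network nsg rules add --security-rules`
# accepts. Only TCP/6443 ingress from the admin range and from the worker-node
# NSG is opened; an NSG denies everything it has no rule for.
api_endpoint_rules() {
  cat <<EOF
[
  {
    "description": "kubectl and CI clients",
    "direction": "INGRESS",
    "protocol": "6",
    "source": "$1",
    "sourceType": "CIDR_BLOCK",
    "tcpOptions": { "destinationPortRange": { "min": 6443, "max": 6443 } }
  },
  {
    "description": "worker nodes to API server",
    "direction": "INGRESS",
    "protocol": "6",
    "source": "$2",
    "sourceType": "NETWORK_SECURITY_GROUP",
    "tcpOptions": { "destinationPortRange": { "min": 6443, "max": 6443 } }
  }
]
EOF
}

# How many rules in a rule document name a given source; a cheap review step
# before the document is sent to the API.
count_rules_for_source() {
  printf '%s\n' "$1" | grep -c "\"source\": \"$2\""
}

# Create the NSG and attach the rules. Needs the OCI CLI and credentials, so it
# is defined here but not invoked. $1 = compartment OCID, $2 = VCN OCID.
create_api_endpoint_nsg() {
  nsg_id=$(oci network nsg create --compartment-id "$1" --vcn-id "$2" \
             --display-name oke-api-endpoint --query 'data.id' --raw-output)
  api_endpoint_rules "$ADMIN_CIDR" "$WORKER_NSG_OCID" > /tmp/api-endpoint-rules.json
  oci network nsg rules add --nsg-id "$nsg_id" \
      --security-rules file:///tmp/api-endpoint-rules.json
  printf '%s\n' "$nsg_id"
}
```

The NSG OCID returned by create_api_endpoint_nsg is what you assign to the cluster's API endpoint when you create the cluster. Because the worker-node rule uses sourceType NETWORK_SECURITY_GROUP, nodes can move between subnets without the rule changing.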

2: Secure access to Kubernetes private clusters

Since early last year, OKE has offered fully private clusters, whose Kubernetes API endpoint is reachable only from your on-premises network or through a bastion host, which improves your security posture. We found that configuring and managing your own bastion host can be a burdensome, error-prone process and a potential attack vector in its own right. To reach fully private clusters more easily, you can now use Oracle Cloud Infrastructure (OCI) Bastion, a fully managed service that provides secure, ephemeral SSH access to private resources in OCI. Like the bastion fortress of medieval times, the service adds a layer of defense against external threats. With OCI Bastion, you get restricted, time-limited access to your cluster's Kubernetes API endpoint and worker nodes without exposing any public endpoints.

3: Kubernetes RBAC configuration simplification using OCI IAM groups

Once network access to your cluster is allowed, users still need to be authenticated and authorized before they can use its Kubernetes API endpoint. OKE integrates clusters natively with the OCI Identity and Access Management (IAM) service: OCI IAM authenticates the users who access your clusters, and IAM policies authorize use of the OKE API, which lets you separate cluster administrators from cluster users.

Following the principle of least privilege, your users can only access the Kubernetes resources that they’re authorized to. Kubernetes role-based access control (RBAC) is aware of OCI user identities and can bind Kubernetes roles to OCI users. To streamline the configuration of Kubernetes RBAC, OKE added support for binding Kubernetes roles to OCI IAM groups. As a result, the Kubernetes RBAC configuration is greatly simplified. Moreover, you can apply the Kubernetes role definition and the binding to OCI groups across multiple clusters.

Consider a product inventory application running in the Kubernetes namespace “inventory.” An OCI group “inventory-app-admin” contains the OCI users responsible for the lifecycle of that application. A Kubernetes Role grants full access to the “inventory” namespace, and a RoleBinding binds that Role to the OCI group “inventory-app-admin.” As a result, every user in the group can create and delete resources in the “inventory” namespace but not in any other namespace. Administrators simply add members to, or remove them from, the group using the Oracle Cloud Console or the API, with no change to the cluster.
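The inventory example above, written out as Kubernetes objects, as an added example that is not part of the original post. OKE presents an OCI IAM group to Kubernetes RBAC by the group's OCID, so the OCID goes in the RoleBinding subject of kind Group; the OCID, namespace name and API groups below are placeholders or assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the original post): Kubernetes RBAC for the
# "inventory" namespace bound to the OCI IAM group "inventory-app-admin".
# OKE identifies an IAM group to RBAC by its OCID (placeholder below).

INVENTORY_ADMIN_GROUP_OCID="${INVENTORY_ADMIN_GROUP_OCID:-ocid1.group.oc1..aaaaexample}"

# Render the Namespace, Role and RoleBinding. The Role is namespaced, so group
# members get full control of "inventory" and nothing anywhere else.
render_inventory_rbac() {
  group_ocid="$1"
  cat <<EOF
apiVersion: v1
kind: Namespace
metadata:
  name: inventory
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: inventory-admin
  namespace: inventory
rules:
- apiGroups: ["", "apps", "batch", "networking.k8s.io"]
  resources: ["*"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: inventory-app-admin
  namespace: inventory
subjects:
- kind: Group
  name: ${group_ocid}
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: inventory-admin
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Returns 0 if the manifest binds the expected group and references no
# cluster-scoped role, the two properties that keep the grant inside the
# namespace. $1 = manifest text, $2 = expected group OCID.
check_inventory_rbac() {
  printf '%s\n' "$1" | grep -q "^  name: $2\$" || return 1
  printf '%s\n' "$1" | grep -q "kind: ClusterRole" && return 1
  return 0
}

# Apply with kubectl (needs a kubeconfig from `oci ce cluster create-kubeconfig`)
# and confirm the boundary by impersonating a member of the group: the first
# check should answer "yes", the second "no".
apply_inventory_rbac() {
  render_inventory_rbac "$INVENTORY_ADMIN_GROUP_OCID" | kubectl apply -f -
  kubectl auth can-i create deployments -n inventory --as=member --as-group="$INVENTORY_ADMIN_GROUP_OCID"
  kubectl auth can-i create deployments -n default   --as=member --as-group="$INVENTORY_ADMIN_GROUP_OCID"
}
```

The same Role and RoleBinding can be applied unchanged to every cluster in which the group should administer the inventory application, which is the cross-cluster reuse the section describes.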

4: Multi-factor authentication for the Kubernetes API

A user who makes Kubernetes API requests through the kubectl CLI is authenticated with their OCI API signing key, an RSA key pair of at least 2,048 bits whose public key, in PEM format, is registered in IAM; kubectl exchanges a request signed with the private key for a short-lived cluster token. While this authentication method is strong, you might want a second factor to complete the authentication. OKE supports OCI IAM multi-factor authentication (MFA). With MFA enabled in the IAM service, when a user connects to a cluster's Kubernetes API, the signature made with the RSA key is verified as the first factor, and the user is then prompted for a verification code from a registered MFA device, such as a phone, as the second factor. Together, the two factors give stronger assurance of the user's identity before authentication completes.

5: Kubernetes data encryption

Oracle always encrypts block volumes, boot volumes, and volume backups at rest using the Advanced Encryption Standard (AES) algorithm with 256-bit encryption. All the data moving between Compute instances and storage is transferred over an internal and highly secure network. You might need to meet other compliance or security standards that require managing the lifecycle of the encryption keys on your own. OCI Vault offers keys in highly available and durable hardware security modules (HSM) that meet Federal Information Processing Standards (FIPS) 140-2 Security Level 3 security certification. Application data, secrets, and worker nodes boot volumes can be encrypted using your own encryption keys stored in OCI Vault.

Encryption of worker nodes boot volumes and persistent volumes on block storage

OKE now supports encrypting worker node boot volumes, and the block volumes created when you define a persistent volume claim (PVC), with your own encryption key from OCI Vault. Your data is encrypted at rest and in transit between the storage and your nodes, keeping it confidential even if the underlying storage media or network path is exposed.

Encryption of persistent volumes on file storage

In addition to block storage, you can now create PVCs on OCI File Storage and benefit from the same at-rest and in-transit encryption. OCI File Storage offers more flexibility than block-level persistent volume allocations: multiple Kubernetes pods can read from and write to the same file system concurrently. As with block volumes, OKE supports at-rest and in-transit encryption for PVCs backed by OCI File Storage, so your data stays private on disk and on the wire.

Kubernetes secrets encryption

Finally, Kubernetes secrets hold sensitive data such as credentials, tokens, and keys. Using secrets lets you keep confidential data out of your application code and container images. Secrets are stored in the etcd database of your cluster control plane, whose storage is encrypted by default like all data in OCI. OKE additionally supports encrypting Kubernetes secrets with your own keys from OCI Vault, whose lifecycle you manage. Encryption keys should not live forever: the longer a key stays in use, the more data is exposed if it is ever compromised. OKE therefore also supports rotating the secrets encryption key, which limits what an attacker can decrypt with any single key. Rotating keys regularly also helps meet industry standards and cryptographic best practice.
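As an added example covering both the persistent-volume and the secrets subsections above (not code from the original post), the script below uses one customer-managed Vault key for Kubernetes secrets, chosen at cluster creation, and for block-volume PVCs, chosen through a StorageClass. The OCIDs are placeholders. The CLI flags, the kmsKeyId StorageClass parameter and the policy statements are written from the OKE and Vault documentation as remembered here and should be treated as assumptions to confirm against `oci ce cluster create --help` and the current docs for your CLI version.

```shell
#!/bin/sh
# Added example (not from the original post): one Vault key for (a) Kubernetes
# secrets in etcd, set at cluster creation, and (b) encrypted block-volume
# persistent volumes, set via a StorageClass. OCIDs are placeholders; flag and
# parameter names are assumptions to verify against the OKE documentation.

KMS_KEY_OCID="${KMS_KEY_OCID:-ocid1.key.oc1.iad.aaaaexample}"

# IAM policy statements the services need before they can use the key.
# $1 = compartment name, $2 = key OCID. Service names are assumptions.
render_key_policies() {
  cat <<EOF
Allow service oke to use keys in compartment $1 where target.key.id = '$2'
Allow service blockstorage to use keys in compartment $1 where target.key.id = '$2'
EOF
}

# (a) Secrets encryption is a create-time choice: pass the key OCID to the
# cluster. Not invoked here (needs the OCI CLI and credentials).
# $1 compartment OCID, $2 VCN OCID, $3 API endpoint subnet OCID, $4 k8s version
create_cluster_with_secret_encryption() {
  oci ce cluster create \
    --compartment-id "$1" --vcn-id "$2" \
    --name oke-encrypted --kubernetes-version "$4" \
    --endpoint-subnet-id "$3" \
    --kms-key-id "$KMS_KEY_OCID"
}

# (b) StorageClass whose volumes are created under the customer-managed key,
# plus a PVC that uses it. $1 = key OCID.
render_encrypted_storage_class() {
  cat <<EOF
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: oci-bv-encrypted
provisioner: blockvolume.csi.oraclecloud.com
parameters:
  kmsKeyId: $1
reclaimPolicy: Delete
volumeBindingMode: WaitForFirstConsumer
allowVolumeExpansion: true
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: inventory-data
  namespace: inventory
spec:
  storageClassName: oci-bv-encrypted
  accessModes: ["ReadWriteOnce"]
  resources:
    requests:
      storage: 50Gi
EOF
}

# Returns 0 if the rendered StorageClass names the expected key.
storage_class_uses_key() {
  printf '%s\n' "$1" | grep -q "^  kmsKeyId: $2\$"
}

# Apply the StorageClass and PVC, then confirm from the cloud side that the
# provisioned block volume really carries the key (needs kubectl and the CLI).
apply_and_verify_volume_key() {
  render_encrypted_storage_class "$KMS_KEY_OCID" | kubectl apply -f -
  volume_id=$(kubectl get pv -o jsonpath='{.items[0].spec.csi.volumeHandle}')
  oci bv volume get --volume-id "$volume_id" --query 'data."kms-key-id"' --raw-output
}
```

The last function is the check worth keeping: an encrypted-at-rest claim is only as good as the key actually attached to the volume, and `oci bv volume get` shows which key that is. Secrets encryption cannot be verified from inside the cluster, because OKE's etcd is not reachable by users, so rely on the cluster's displayed KMS key and the Vault audit trail instead.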

6: Lock down vulnerabilities and compromised container images

The next layer of security applies to the containerized applications you deploy: the applications themselves are an attack vector too, so you want to keep bad actors away from your container images. Last year, OKE announced support for container image scanning, signing, and verification. Enabling scanning on a repository in Oracle Cloud Infrastructure Registry checks the images it holds against known vulnerabilities, so you can confirm that an image is free of serious findings before deploying it.

Further, you can ensure that the integrity of application images is preserved at deployment time by enforcing image signing. By allowing only images signed with keys you trust to run in a cluster, you protect your entire fleet of applications from malicious code inserted into compromised images, and you can be confident that what is deployed is exactly the image you previously signed.
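As an added example (not code from the original post), the script below signs an image in Oracle Cloud Infrastructure Registry with an asymmetric RSA key from OCI Vault and then turns on the cluster's image verification policy for that key. OCIDs are placeholders. The command names, flags and the JSON shape of the policy are written as remembered from the OCI CLI and OKE documentation and are assumptions to confirm with `oci artifacts container image-signature sign-upload --help` and `oci ce cluster update --help`.

```shell
#!/bin/sh
# Added example (not from the original post): sign an OCIR image with a Vault
# key and make an OKE cluster admit only images signed with that key.
# OCIDs are placeholders; CLI flags are assumptions to verify with --help.

SIGNING_KEY_OCID="${SIGNING_KEY_OCID:-ocid1.key.oc1.iad.signingexample}"

# Sign one image. $1 compartment OCID, $2 image OCID (from
# `oci artifacts container image list`), $3 key OCID, $4 key version OCID.
# The key must be an asymmetric RSA key; the algorithm names the PSS padding.
sign_image() {
  oci artifacts container image-signature sign-upload \
    --compartment-id "$1" --image-id "$2" \
    --kms-key-id "$3" --kms-key-version-id "$4" \
    --signing-algorithm SHA_256_RSA_PKCS_PSS \
    --description "signed by CI after scan passed"
}

# Image policy document for the cluster: enable enforcement and list the keys
# whose signatures are trusted. $1 = key OCID.
render_image_policy() {
  printf '{"isPolicyEnabled": true, "keyDetails": [{"kmsKeyId": "%s"}]}\n' "$1"
}

# Returns 0 if the policy both enforces and trusts the given key; a policy that
# lists a key but leaves isPolicyEnabled false admits everything.
image_policy_enforces_key() {
  printf '%s\n' "$1" | grep -q '"isPolicyEnabled": true' || return 1
  printf '%s\n' "$1" | grep -q "\"kmsKeyId\": \"$2\"" || return 1
  return 0
}

# Apply the policy to a cluster, then prove enforcement: a pod using an
# unsigned tag should be rejected at admission while the signed one runs.
# $1 cluster OCID, $2 signed image reference, $3 unsigned image reference.
enforce_and_check() {
  oci ce cluster update --cluster-id "$1" \
    --image-policy-config "$(render_image_policy "$SIGNING_KEY_OCID")"
  kubectl run signed-check   --image="$2" --restart=Never
  kubectl run unsigned-check --image="$3" --restart=Never   # expected to fail
}
```

Sign in the same pipeline step that reads the scan result, so a signature doubles as proof that the image passed scanning, and keep the signing key version in Vault so rotation does not invalidate already-signed images.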

7: Enable Kubernetes pod security context

You can configure Kubernetes pods with a security context that defines privilege and access control settings such as the user ID to run as, Linux capabilities, whether privilege escalation is allowed, and SELinux labels. A restrictive security context limits what an attacker can do after compromising your application. Some of the settings Kubernetes supports require a specific operating system (OS) configuration on the worker nodes; for example, assigning SELinux labels to a pod's containers requires the SELinux security module to be enabled and enforcing on the worker nodes. To automate that OS configuration, OKE now lets you customize the worker node cloud-init script, which runs when each node is provisioned. Your worker nodes are then configured automatically according to your requirements, including enabling SELinux, and you can automate other OS settings in the same way, such as running the Center for Internet Security (CIS) hardening script.
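Both halves of this section, as an added example that is not part of the original post: a pod manifest with a restrictive security context, and a custom worker-node cloud-init script that puts SELinux into enforcing mode before the standard OKE bootstrap runs. The image, namespace, user ID and SELinux level are placeholders. The bootstrap lines (fetching oke_init_script from the instance metadata service) are the ones OKE's custom cloud-init documentation requires; the script assumes an Oracle Linux worker image in which SELinux is already enabled in permissive mode, since switching from disabled needs a reboot.

```shell
#!/bin/sh
# Added example (not from the original post). (1) A pod securityContext that
# removes the usual escalation paths; (2) a custom OKE cloud-init script that
# makes SELinux enforcing so seLinuxOptions on the pod take effect.
# Image, namespace, UID and SELinux level are placeholders.

render_hardened_pod() {
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: inventory-api
  namespace: inventory
spec:
  automountServiceAccountToken: false
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault
    seLinuxOptions:
      level: "s0:c123,c456"
  containers:
  - name: api
    image: iad.ocir.io/example/inventory-api:1.0.0
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]
    volumeMounts:
    - name: tmp
      mountPath: /tmp
  volumes:
  - name: tmp
    emptyDir: {}
EOF
}

# Returns 0 only if every setting that blocks privilege escalation is present;
# use it as a pre-deploy gate in CI. $1 = manifest text.
pod_is_hardened() {
  for needle in 'runAsNonRoot: true' 'allowPrivilegeEscalation: false' \
                'readOnlyRootFilesystem: true' 'drop: \["ALL"]' 'type: RuntimeDefault'; do
    printf '%s\n' "$1" | grep -q "$needle" || return 1
  done
  return 0
}

# Custom cloud-init for the node pool. OKE requires a custom script to fetch
# and run the OKE bootstrap itself; whatever precedes that runs first.
render_selinux_cloud_init() {
  cat <<'EOF'
#!/bin/bash
# Make SELinux enforcing now and across reboots (Oracle Linux image assumed,
# with SELinux already enabled in permissive mode).
sed -i 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config
setenforce 1
getenforce
# Standard OKE bootstrap (as in the OKE custom cloud-init documentation).
curl --fail -H "Authorization: Bearer Oracle" -L0 http://169.254.169.254/opc/v2/instance/metadata/oke_init_script | base64 --decode >/var/run/oke-init.sh
bash /var/run/oke-init.sh
EOF
}

# Node-pool cloud-init is supplied base64-encoded; this produces that form.
cloud_init_user_data() {
  render_selinux_cloud_init | base64 | tr -d '\n'
}
```

Paste the output of render_selinux_cloud_init into the node pool's custom cloud-init field, or supply cloud_init_user_data as the node metadata user_data value when creating the pool with the CLI (assumed field name; check `oci ce node-pool create --help`). After the nodes join, `kubectl apply` the pod and confirm with `kubectl exec inventory-api -- id` that it runs as UID 10001 and with `kubectl exec inventory-api -- cat /proc/1/attr/current` that the SELinux label was applied.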

8: Audit the Kubernetes activity

Monitoring user and application activity on your Kubernetes cluster is essential for detecting anomalous behavior and security breaches. All Kubernetes audit events are made available in the OCI Audit service, which offers a consolidated view of user activity across your OCI tenancy. You can quickly identify security incidents, such as a cluster under attack, by watching for patterns like a burst of unauthorized or forbidden API requests from one principal or source address. Furthermore, you can correlate Kubernetes audit events with other audit events in your tenancy, such as lifecycle updates to your clusters or changes to any other resources.
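As an added example (not code from the original post), the following script implements the detection just described: it counts 401 and 403 responses per user and source IP across Kubernetes audit events and reports the pairs above a threshold. The six events are constructed samples in the shape the Kubernetes API server emits; the user OCIDs, IPs and the fetch window are made up. How OCI Audit wraps each Kubernetes event inside its own envelope is not reproduced here, so check the OKE audit documentation for the field path before pointing the report at exported OCI Audit output.

```shell
#!/bin/sh
# Added example (not from the original post): flag principals with repeated
# rejected API requests in Kubernetes audit events. The events below are
# constructed samples (user OCIDs and IPs are made up).

SAMPLE_AUDIT_EVENTS='{"kind":"Event","stage":"ResponseComplete","verb":"list","user":{"username":"ocid1.user.oc1..alice"},"sourceIPs":["10.0.1.5"],"objectRef":{"resource":"secrets","namespace":"kube-system"},"responseStatus":{"code":403}}
{"kind":"Event","stage":"ResponseComplete","verb":"list","user":{"username":"ocid1.user.oc1..alice"},"sourceIPs":["10.0.1.5"],"objectRef":{"resource":"secrets","namespace":"inventory"},"responseStatus":{"code":403}}
{"kind":"Event","stage":"ResponseComplete","verb":"get","user":{"username":"ocid1.user.oc1..alice"},"sourceIPs":["10.0.1.5"],"objectRef":{"resource":"pods","namespace":"kube-system"},"responseStatus":{"code":403}}
{"kind":"Event","stage":"ResponseComplete","verb":"create","user":{"username":"ocid1.user.oc1..bob"},"sourceIPs":["10.0.1.9"],"objectRef":{"resource":"deployments","namespace":"inventory"},"responseStatus":{"code":201}}
{"kind":"Event","stage":"ResponseComplete","verb":"get","user":{"username":"system:anonymous"},"sourceIPs":["198.51.100.7"],"objectRef":{"resource":"pods"},"responseStatus":{"code":401}}
{"kind":"Event","stage":"ResponseComplete","verb":"get","user":{"username":"system:anonymous"},"sourceIPs":["198.51.100.7"],"objectRef":{"resource":"secrets"},"responseStatus":{"code":401}}'

# Print "<count> <username> <source-ip>" for every user/IP pair with at least
# $2 rejected (401 or 403) requests. $1 = events, one JSON object per line.
# 401 = could not authenticate (token guessing, expired credentials);
# 403 = authenticated but forbidden (a valid identity probing beyond its RBAC).
rejected_request_report() {
  printf '%s\n' "$1" \
  | grep -E '"code":(401|403)' \
  | sed -E 's/.*"username":"([^"]*)".*"sourceIPs":\["([^"]*)".*/\1 \2/' \
  | sort | uniq -c \
  | awk -v t="$2" '$1 >= t { print $1, $2, $3 }'
}

# Pull the last hour of events for a compartment from OCI Audit (needs the OCI
# CLI and GNU date; not invoked here). Feed the extracted Kubernetes events to
# rejected_request_report. $1 = compartment OCID.
fetch_oci_audit_events() {
  oci audit event list --compartment-id "$1" \
    --start-time "$(date -u -d '1 hour ago' +%Y-%m-%dT%H:%M:%SZ)" \
    --end-time   "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
}

# Run against the constructed sample with a threshold of 2.
rejected_request_report "$SAMPLE_AUDIT_EVENTS" 2
```

On the sample, alice's three forbidden reads of secrets and pods in kube-system stand out as an authenticated user probing beyond her RBAC grant, and the anonymous 401s from 198.51.100.7 show an unauthenticated client reaching the API endpoint at all, which with the NSG from section 1 in place should not be possible and is worth an alert on its own.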

9: Continuous security assessment and problem remediation

OKE is integrated with OCI security services like Cloud Guard and Security Zones to further help you improve your security posture. Oracle Cloud Guard provides you with a unified view of cloud security posture across your OCI tenancy. Cloud Guard detects misconfigured resources and insecure activity. For example, Cloud Guard automatically inspects the configuration of your VCN and alerts you when traffic is allowed to certain restricted ports. You can then triage and resolve security issues or remediate them with out-of-the-box security recipes. This process can help ensure that all your Kubernetes clusters and applications are configured according to security best practices.

Security best practices are at the heart of OKE

With OKE, your applications benefit from multiple layers of defense against malicious activity. The OKE documentation describes each of the security-related features above in detail.

Get started with Oracle Cloud Infrastructure today with our Oracle Cloud Free Tier and get trained and certified on OCI.