Cluster and application security

Familiarize yourself with Kubernetes security essentials and review the secure setup for clusters and application security guidance.

Plan, train, and proof

As you get started, the checklist and resources below will help you plan for cluster operations and security. You should be able to answer these questions:

  • Have you reviewed the security and threat model of Kubernetes clusters?
  • Is your cluster enabled for Kubernetes role-based access control?
| Checklist | Resources |
|---|---|
| Familiarize yourself with the security essentials white paper. The primary goals of a secure Kubernetes environment are ensuring that the applications it runs are protected, that security issues can be identified and addressed quickly, and that future similar issues will be prevented. | The definitive guide to securing Kubernetes (white paper) |
| Review the security hardening setup for the cluster nodes. A security hardened host OS reduces the surface area of attack and allows deploying containers securely. | Security hardening in AKS virtual machine hosts |
| Set up cluster Kubernetes role-based access control (Kubernetes RBAC). This control mechanism lets you assign users, or groups of users, permission to do things like create or modify resources, or view logs from running application workloads. | Understand Kubernetes role-based access control (Kubernetes RBAC) (video); Integrate Azure AD with Azure Kubernetes Service; Limit access to cluster configuration file |

Deploy to production and apply best practices

As you prepare the application for production, you should implement a minimum set of best practices. Use the following checklist at this stage. You should be able to answer these questions:

  • Have you configured network security rules for ingress, egress, and intra-pod communication?
  • Is your cluster configured to automatically apply node security updates?
  • Are you running a security scanning solution for your cluster and container workloads?
| Checklist | Resources |
|---|---|
| Control access to clusters using group membership. Configure Kubernetes role-based access control (Kubernetes RBAC) to limit access to cluster resources based on user identity or group membership. | Control access to cluster resources using Kubernetes RBAC and Azure AD identities |
| Create a secrets management policy. Securely deploy and manage sensitive information, such as passwords and certificates, using secrets management in Kubernetes. | Understand secrets management in Kubernetes (video) |
| Secure intra-pod network traffic with network policies. Apply the principle of least privilege to control network traffic flow between pods in the cluster. | Secure intra-pod traffic with network policies |
| Restrict access to the API server using authorized IPs. Improve cluster security and minimize attack surface by limiting access to the API server to a limited set of IP address ranges. | Secure access to the API server |
| Restrict cluster egress traffic. Learn what ports and addresses to allow if you restrict egress traffic for the cluster. You can use Azure Firewall or a third-party firewall appliance to secure your egress traffic and define these required ports and addresses. | Control egress traffic for cluster nodes in AKS |
| Secure traffic with Web Application Firewall (WAF). Use Azure Application Gateway as an ingress controller for Kubernetes clusters. | Configure Azure Application Gateway as an ingress controller |
| Apply security and kernel updates to worker nodes. Understand the AKS node update experience. To protect your clusters, security updates are automatically applied to Linux nodes in AKS. These updates include OS security fixes or kernel updates. Some of these updates require a node reboot to complete the process. | Use kured to automatically reboot nodes to apply updates |
| Configure a container and cluster scanning solution. Scan containers pushed into Azure Container Registry and gain deeper visibility to your cluster nodes, cloud traffic, and security controls. | Azure Container Registry integration with Security Center; Azure Kubernetes Service integration with Security Center |

Optimize and scale

Now that the application is in production, how can you optimize your workflow and prepare your application and team to scale? Use the optimization and scaling checklist to prepare. You should be able to answer:

  • Can you enforce governance and cluster policies at scale?
| Checklist | Resources |
|---|---|
| Enforce cluster governance policies. Apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. | Control deployments with Azure Policy |
| Rotate cluster certificates periodically. Kubernetes uses certificates for authentication with many of its components. You may want to periodically rotate those certificates for security or policy reasons. | Rotate certificates in Azure Kubernetes Service (AKS) |
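
Several of the yes/no questions in the checklists above (Kubernetes RBAC, Azure AD integration, authorized IP ranges, network policies, Azure Policy) can be answered from the cluster's own configuration. The following is an added example, not part of the original page or of Microsoft's tooling: it audits JSON shaped like `az aks show -o json` output. The field names are assumed to match that output, and the sample cluster is constructed.

```python
import json

# Constructed sample shaped like `az aks show -o json` output (not a real cluster).
# Field names are assumptions about that output format.
SAMPLE = json.loads("""
{
  "name": "demo-aks",
  "enableRbac": true,
  "aadProfile": null,
  "apiServerAccessProfile": {"authorizedIpRanges": ["0.0.0.0/0"]},
  "networkProfile": {"networkPlugin": "azure", "networkPolicy": null},
  "addonProfiles": {"azurepolicy": {"enabled": false}}
}
""")

def get(d, *path):
    """Walk nested dicts, returning None when any level is missing or null."""
    for key in path:
        if not isinstance(d, dict):
            return None
        d = d.get(key)
    return d

def audit(cluster):
    """Return a sorted list of checklist items the cluster JSON fails."""
    findings = []
    if get(cluster, "enableRbac") is not True:
        findings.append("rbac: Kubernetes RBAC is not enabled")
    if not get(cluster, "aadProfile"):
        findings.append("identity: no Azure AD integration")
    # An empty list or an any-address range leaves the API server open to all IPs.
    ranges = get(cluster, "apiServerAccessProfile", "authorizedIpRanges") or []
    if not ranges or any(r.endswith("/0") for r in ranges):
        findings.append("api-server: no restrictive authorized IP ranges")
    # Without a policy engine, NetworkPolicy objects are accepted but not enforced.
    if not get(cluster, "networkProfile", "networkPolicy"):
        findings.append("network: no network policy engine")
    if get(cluster, "addonProfiles", "azurepolicy", "enabled") is not True:
        findings.append("governance: Azure Policy add-on is off")
    return sorted(findings)

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print("FAIL", line)
```

Settings that live outside the cluster resource, such as node reboots for updates, registry scanning and certificate age, are not covered by this check.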