Why security in Kubernetes is not the same as in Linux: part 2


Kubernetes security might not be quite the same as what you’re used to. In our previous article, we explained why security is so important for both on-premises Linux servers and Cloud Kubernetes clusters. We also talked about 3 major aspects of Linux server security – process, network and file system – and how they correspond to Kubernetes. So today, we’ll talk more about Kubernetes-specific security issues.


When trying to secure your infrastructure, you need to start by setting it up right. For example, this may mean disabling all unused functionality, or applying permission policies wherever you can so that your files, executables and network are only reachable by the entities that are meant to use them. Both Linux servers and Kubernetes clusters have well-known weaknesses and published hardening recommendations that address them.

One of the best known is the set of recommendations from the Center for Internet Security (CIS), which are often used for insurance compliance. Having a cloud security platform that can help implement these recommendations can be a great asset to your security.

API server

The Kubernetes API Server is the administration panel, so to speak, of your cluster. In most deployments, this HTTP server is exposed to the Internet. This means that a hacker who finds their way to the API server can have full control over your cluster.

Using the strictest authentication and authorization settings is highly recommended to avoid this. If you can set your cluster to private, with access only allowed from an internal network, you can sleep well at night. And just like with configurations, you need to know at all times who (and what) can access which resources and operations in your cluster.
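Knowing at all times who and what can access which resources is something you can check mechanically rather than by reading YAML. The following is an added example (not code from the article or from Rapid7) that reviews ClusterRoleBindings for the three patterns that most often break least privilege: bindings to a wildcard role, bindings whose role reaches sensitive resources, and bindings whose subject is an anonymous or all-users group. It runs on constructed sample objects in the JSON shape that `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json` return; the sensitive-resource list is an assumption to tune per cluster.

```python
"""Least-privilege review of ClusterRoleBindings.

Added example, not code from the original article or from Rapid7. It reads
the JSON shape that `kubectl get clusterroles -o json` and
`kubectl get clusterrolebindings -o json` return ({"items": [...]}); the
objects below are constructed samples, not data from a real cluster.
"""
from typing import Dict, List

# Constructed sample output of `kubectl get clusterroles -o json` (trimmed).
ROLES_JSON = {
    "items": [
        {"metadata": {"name": "cluster-admin"},
         "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
        {"metadata": {"name": "pod-reader"},
         "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
        {"metadata": {"name": "secret-editor"},
         "rules": [{"apiGroups": [""], "resources": ["secrets"],
                    "verbs": ["get", "list", "create", "update", "delete"]}]},
    ]
}

# Constructed sample output of `kubectl get clusterrolebindings -o json` (trimmed).
BINDINGS_JSON = {
    "items": [
        {"metadata": {"name": "ci-deployer-admin"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "ServiceAccount", "name": "ci-deployer", "namespace": "ci"}]},
        {"metadata": {"name": "everyone-reads-pods"},
         "roleRef": {"kind": "ClusterRole", "name": "pod-reader"},
         "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
        {"metadata": {"name": "anon-secrets"},
         "roleRef": {"kind": "ClusterRole", "name": "secret-editor"},
         "subjects": [{"kind": "User", "name": "system:anonymous"}]},
        {"metadata": {"name": "monitoring-pods"},
         "roleRef": {"kind": "ClusterRole", "name": "pod-reader"},
         "subjects": [{"kind": "ServiceAccount", "name": "prometheus", "namespace": "monitoring"}]},
    ]
}

# Resources that usually amount to full cluster control if handed out too
# widely. Assumed list for the demo; tune it to your cluster.
SENSITIVE_RESOURCES = {"secrets", "pods/exec", "serviceaccounts/token",
                       "clusterroles", "clusterrolebindings", "roles", "rolebindings"}

# Built-in subjects that mean "anyone" or "every service account".
BROAD_SUBJECTS = {"system:anonymous", "system:unauthenticated",
                  "system:authenticated", "system:serviceaccounts"}


def index_roles(role_list: dict) -> Dict[str, List[dict]]:
    """Map ClusterRole name -> its PolicyRules."""
    return {item["metadata"]["name"]: item.get("rules", []) for item in role_list["items"]}


def rule_is_wildcard(rule: dict) -> bool:
    """True for the cluster-admin pattern: every verb on every resource."""
    return "*" in rule.get("verbs", []) and "*" in rule.get("resources", [])


def rule_touches_sensitive(rule: dict) -> bool:
    """True if the rule names a sensitive resource or all resources."""
    return any(r == "*" or r in SENSITIVE_RESOURCES for r in rule.get("resources", []))


def review_bindings(roles: Dict[str, List[dict]], bindings: List[dict]) -> Dict[str, List[str]]:
    """Return {binding name: [issue, ...]} for bindings that deserve a second look."""
    findings: Dict[str, List[str]] = {}
    for binding in bindings:
        # A binding to a role that no longer exists yields no rules and no findings.
        rules = roles.get(binding["roleRef"]["name"], [])
        issues = []
        if any(rule_is_wildcard(r) for r in rules):
            issues.append("wildcard-access")
        if any(rule_touches_sensitive(r) for r in rules):
            issues.append("sensitive-resources")
        if any(s["name"] in BROAD_SUBJECTS for s in binding.get("subjects", [])):
            issues.append("broad-subject")
        if issues:
            findings[binding["metadata"]["name"]] = issues
    return findings


def review_sample() -> Dict[str, List[str]]:
    """Run the review over the constructed sample data."""
    return review_bindings(index_roles(ROLES_JSON), BINDINGS_JSON["items"])


if __name__ == "__main__":
    for name, issues in review_sample().items():
        print(f"{name}: {', '.join(issues)}")
```

Against a live cluster you would replace the two constructed dicts with the `json.load`ed output of the kubectl commands named in the comments; namespaced RoleBindings can be reviewed the same way by indexing Roles per namespace. The `monitoring-pods` binding is the shape you want to see: a named service account, a read-only role, a non-sensitive resource.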

Audit log and other Kubernetes logs

In Kubernetes, there are additional attack vectors that go through the Kubernetes control plane itself and have no equivalent in Linux server security. For example, an attacker can call the Kubernetes API to launch a new pod you don’t want.

Kubernetes and cloud providers invest a lot of effort in preventing unauthorized users and machines from doing this. But there is always a risk that one of your employees will be hacked or that a misconfigured service account will have too much power. Kubernetes records all requests in its audit log so that they can be investigated later in the event of a breach. Additional logs include the kube-apiserver log and the etcd (resource database) log.
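The audit log is only as useful as the detections you run over it, and the requests described above (a pod created by an identity that should never create pods, a service account with too much power) are easy to pick out once the events are parsed. Below is an added example (not code from the article or from Rapid7) that reads `audit.k8s.io/v1` events the way the API server's log backend writes them, one JSON object per line, and tags the requests worth a closer look: a workload service account creating pods, `exec` into a pod, secret reads, RBAC changes, and denied (403) calls. It assumes audit logging is enabled with a policy that records these requests; the log lines and the allowlist of trusted service accounts are constructed for the demo.

```python
"""Triage Kubernetes audit-log events for control-plane actions worth a closer look.

Added example, not code from the original article or from Rapid7. It assumes
audit logging is enabled with a policy that records these requests, and that
the API server writes one audit.k8s.io/v1 Event as JSON per line (the log
backend's format). The events below are constructed samples, trimmed to the
fields this script uses.
"""
import json
from collections import Counter
from typing import Dict, Iterable, Iterator, List

# Constructed sample audit log: five completed requests, one per line.
SAMPLE_AUDIT_LOG = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"a1","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/prod/pods","verb":"create","user":{"username":"system:serviceaccount:prod:web-frontend","groups":["system:serviceaccounts"]},"sourceIPs":["10.0.3.7"],"objectRef":{"resource":"pods","namespace":"prod","name":"miner-x"},"responseStatus":{"code":201},"requestReceivedTimestamp":"2024-05-01T10:00:00Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a2","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/prod/pods/web-0/exec?command=sh","verb":"create","user":{"username":"alice","groups":["developers"]},"sourceIPs":["203.0.113.9"],"objectRef":{"resource":"pods","subresource":"exec","namespace":"prod","name":"web-0"},"responseStatus":{"code":101},"requestReceivedTimestamp":"2024-05-01T10:01:00Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a3","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/prod/secrets","verb":"list","user":{"username":"system:serviceaccount:prod:web-frontend","groups":["system:serviceaccounts"]},"sourceIPs":["10.0.3.7"],"objectRef":{"resource":"secrets","namespace":"prod"},"responseStatus":{"code":403},"requestReceivedTimestamp":"2024-05-01T10:02:00Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a4","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/prod/pods","verb":"list","user":{"username":"system:serviceaccount:monitoring:prometheus","groups":["system:serviceaccounts"]},"sourceIPs":["10.0.4.2"],"objectRef":{"resource":"pods","namespace":"prod"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2024-05-01T10:03:00Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a5","stage":"ResponseComplete","requestURI":"/apis/rbac.authorization.k8s.io/v1/clusterrolebindings","verb":"create","user":{"username":"alice","groups":["developers"]},"sourceIPs":["203.0.113.9"],"objectRef":{"resource":"clusterrolebindings","name":"alice-admin"},"responseStatus":{"code":201},"requestReceivedTimestamp":"2024-05-01T10:04:00Z"}
"""

# Assumed allowlist: service accounts that are expected to talk to the API.
TRUSTED_SERVICE_ACCOUNTS = {"system:serviceaccount:monitoring:prometheus"}
RBAC_RESOURCES = {"clusterroles", "clusterrolebindings", "roles", "rolebindings"}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}
READ_VERBS = {"get", "list", "watch"}


def classify(event: dict) -> List[str]:
    """Tag one completed request with every rule it matches."""
    user = event.get("user", {}).get("username", "")
    obj = event.get("objectRef", {})
    resource, subresource = obj.get("resource", ""), obj.get("subresource", "")
    verb = event.get("verb", "")
    code = event.get("responseStatus", {}).get("code", 0)
    # Workload pods rarely need the API at all, so a non-allowlisted service
    # account creating pods is the "load a new pod you don't want" case.
    workload_sa = user.startswith("system:serviceaccount:") and user not in TRUSTED_SERVICE_ACCOUNTS

    tags = []
    if resource == "pods" and subresource == "exec":
        tags.append("pod-exec")                   # interactive shell into a container
    if resource == "pods" and verb == "create" and workload_sa:
        tags.append("pod-created-by-workload-sa")
    if resource == "secrets" and verb in READ_VERBS:
        tags.append("secret-read")
    if resource in RBAC_RESOURCES and verb in WRITE_VERBS:
        tags.append("rbac-change")                # privilege grants are rare; worth a ticket
    if code == 403:
        tags.append("forbidden")                  # denied calls hint at probing or a broken SA
    return tags


def completed_events(lines: Iterable[str]) -> Iterator[dict]:
    """Yield ResponseComplete events only, so a request logged at several stages counts once."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("kind") == "Event" and event.get("stage") == "ResponseComplete":
            yield event


def scan_audit_log(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map auditID -> tags for every event that matched at least one rule."""
    flagged: Dict[str, List[str]] = {}
    for event in completed_events(lines):
        tags = classify(event)
        if tags:
            flagged[event["auditID"]] = tags
    return flagged


def flagged_per_user(lines: Iterable[str]) -> Counter:
    """Count flagged events per identity: a quick 'who to ask first' list."""
    return Counter(e["user"]["username"] for e in completed_events(lines) if classify(e))


if __name__ == "__main__":
    for audit_id, tags in scan_audit_log(SAMPLE_AUDIT_LOG.splitlines()).items():
        print(audit_id, tags)
    print(flagged_per_user(SAMPLE_AUDIT_LOG.splitlines()))
```

On the sample the prometheus request is correctly ignored, while the `web-frontend` service account shows up twice (it created a pod and then tried to list secrets and was denied), which is exactly the over-privileged or compromised workload identity the paragraph warns about. In production the `auditID` also lets you pull the matching `RequestReceived` event and, at `RequestResponse` level, the full object that was submitted.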

Container execution

Running containers is also a unique aspect of Kubernetes security. In Kubernetes, each node is actually a virtual Linux server running a container runtime daemon. A container runtime is responsible for managing and storing images, running and monitoring containers, provisioning their networking, and so on. You may be familiar with Docker as a container runtime. Strictly speaking, Docker is a company that develops several container tools; the container runtime underneath them is called containerd. Other container runtimes used with Kubernetes include CRI-O and rkt (Rocket).

Unlike a full Linux server or virtual machine, which runs its own operating system, multiple containers typically run side by side on one node, each with its own minimal operating system image but all sharing the same host kernel. Although container operating systems are minimal, they can still have security vulnerabilities, and every extra hole helps the attacker. Monitoring container runtime activity can also provide a lot of information about what is happening on the node: which processes are running inside each container, internal communication that may escape network monitoring, data collected and created, and so on.

Good tools, less risk

Kubernetes’ unique interfaces and engines can add to the exposed attack surface, especially given the complexity of the system. However, remember that distribution and containerization also increase security by helping to isolate potential malware.

Kubernetes may present a few new risks to watch out for, but that’s no reason to be afraid. As long as you know what to look for, securing your Kubernetes clusters doesn’t have to be any harder than it was for your Linux servers. And there’s no need to go it alone – not when you can have handy tools like InsightCloudSec, Rapid7’s cloud-native security platform, by your side.
