Kubernetes provides several built-in security capabilities, including network security, resource isolation, access control, and logging and auditing. One of the more recent security capabilities is a group of plugins known as admission controllers.
Admission controllers enable governance and enforcement of how clusters are used. Kubernetes ships with over 30 admission controllers, which are listed here along with their descriptions. This article assumes you have a basic understanding of admission controllers, but if you are unfamiliar with them, check out Kubernetes reference guide on admission controllers to learn more.
We’ve compiled 11 tips and recommendations to help you operationalize admission controllers for better security:
-
As a first step, enable admission controllers in order to use some of the more advanced security features of Kubernetes, such as pod security policies which enforce configuration baseline for an entire namespace.
-
To turn on an admission controller, use the following command line, replacing what appears after “=” with the name of the admission controller you want to turn on
--enable-admission-plugins=NameOfController,NameOfController2
- To turn off an admission controller, use the following command line, replacing what appears after “=” with the actual name of the admission controller you want to turn off
--disable-admission-plugins=NameOfController,NameOfController2
- Ensure that the following admission controllers are enabled by default:
NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,Priority,ResourceQuota,PodSecurityPolicy
-
In order to validate Kubernetes resources during create, update, and delete operations, enable
ValidatingAdmissionWebhook
-
Consider disabling the
MutatingAdmissionWebhook
admission controller or applying stricter RBAC restrictions as to who can createMutatingWebhookConfiguration
-
You can use
PodSecurityPolicy
admission controller to prevent containers from running as root or ensure the container’s root filesystem is always mounted as read-only. Keep in mind that unless a policy has already been defined in aPodSecurityPolicy
, pods will not be created because the admission controller’s default operation is to reject pod creation in cases where no matching policy is found. -
Create custom, webhook-based admission controllers to:
- Prevent pulling images from unknown registries while allowing only approved registry usage.
- Set policies that prevent insecure deployments. For example, containers using
privileged
flag increase your security risk because they can bypass a lot of security controls. You can avoid this risk by using a webhook-based admission controller that either rejects this type of deployment or overrides theprivileged
flag. - Enforce label validation on objects to ensure proper labels are used, such as every object being assigned to a team or project.
- Automatically add annotations to objects, such as attributing the correct cost center for a “dev” deployment resource.
-
Use admission controllers to audit the configuration of the objects in clusters to prevent insecure and misconfigured objects from getting into your cluster.
-
Admission controllers can be used to identify and correct images deployed without semantic tags by:
- Automatically adding or validating resource limits
- Ensuring reasonable labels are attached to pods
- Making sure image references in product deployments are not using
latest
tags, or tags with a-dev
suffix
- Use
AlwaysPullImages
admission controller to ensure pull policy is set to Always, such as when you want to make sure a user’s private images are only pulled by those who have the credentials to pull them. Without this admission controller, any pod from any user can use an image by merely knowing its name.
Admission controllers are one of the critical pillars of security for Kubernetes, and as a result, a Kubernetes API server that’s not utilizing the correct set of admission controllers will be incomplete and unable to support all of the expected features of Kubernetes.
執筆者紹介
類似検索
チャンネル別に見る
自動化
テクノロジー、チームおよび環境に関する IT 自動化の最新情報
AI (人工知能)
お客様が AI ワークロードをどこでも自由に実行することを可能にするプラットフォームについてのアップデート
オープン・ハイブリッドクラウド
ハイブリッドクラウドで柔軟に未来を築く方法をご確認ください。
セキュリティ
環境やテクノロジー全体に及ぶリスクを軽減する方法に関する最新情報
エッジコンピューティング
エッジでの運用を単純化するプラットフォームのアップデート
インフラストラクチャ
世界有数のエンタープライズ向け Linux プラットフォームの最新情報
アプリケーション
アプリケーションの最も困難な課題に対する Red Hat ソリューションの詳細
オリジナル番組
エンタープライズ向けテクノロジーのメーカーやリーダーによるストーリー
製品
ツール
試用、購入、販売
コミュニケーション
Red Hat について
エンタープライズ・オープンソース・ソリューションのプロバイダーとして世界をリードする Red Hat は、Linux、クラウド、コンテナ、Kubernetes などのテクノロジーを提供しています。Red Hat は強化されたソリューションを提供し、コアデータセンターからネットワークエッジまで、企業が複数のプラットフォームおよび環境間で容易に運用できるようにしています。
言語を選択してください
Red Hat legal and privacy links
- Red Hat について
- 採用情報
- イベント
- 各国のオフィス
- Red Hat へのお問い合わせ
- Red Hat ブログ
- ダイバーシティ、エクイティ、およびインクルージョン
- Cool Stuff Store
- Red Hat Summit