Container Runtime Security

Protecting containers during execution:

Runtime Security Challenges:

  • Container escape vulnerabilities
  • Excessive privileges
  • Host resource access
  • Network exposure
  • Malicious processes
  • Configuration drift
  • Lateral movement

Container Runtime Protection:

  • Runtime vulnerability scanning
  • Behavioral monitoring
  • Anomaly detection
  • Process monitoring
  • File integrity monitoring
  • Network activity analysis
  • Resource usage monitoring

Example Security Context Configuration (Kubernetes):

apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  containers:
  - name: app
    image: myapp:1.0.0
    securityContext:
      runAsNonRoot: true
      runAsUser: 1000
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
    volumeMounts:
    - name: tmp-volume
      mountPath: /tmp
  volumes:
  - name: tmp-volume
    emptyDir: {}

Container Isolation Techniques:

  • Linux namespaces
  • Control groups (cgroups)
  • Seccomp profiles
  • AppArmor profiles
  • SELinux policies
  • Capability restrictions
  • Read-only filesystems

Kubernetes Security

Cluster Security

Securing the Kubernetes control plane and nodes:

Kubernetes Architecture Security:

  • API server security
  • etcd security
  • Kubelet security
  • Controller manager security
  • Scheduler security
  • Node security
  • Network plugin security

Cluster Hardening Best Practices:

  • Use TLS for all components
  • Enable RBAC
  • Implement audit logging
  • Use Pod Security Standards
  • Secure etcd with encryption
  • Implement network policies
  • Regularly update Kubernetes version
  • Use separate control plane nodes

Example Kubernetes Audit Policy:

apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  # Log pod changes at RequestResponse level
  - level: RequestResponse
    resources:
    - group: ""
      resources: ["pods"]

  # Log configmaps and secrets at Metadata level
  - level: Metadata
    resources:
    - group: ""
      resources: ["secrets", "configmaps"]

  # Log all other requests at Metadata level
  - level: Metadata
    omitStages:
      - "RequestReceived"

Control Plane Protection:

  • Restrict API server access
  • Implement API server authentication
  • Use admission controllers
  • Secure etcd with encryption at rest
  • Implement network segmentation
  • Use secure TLS configuration
  • Regularly rotate certificates
  • Monitor control plane components

Workload Security

Protecting applications running in Kubernetes:

Pod Security Standards:

  • Privileged: No restrictions
  • Baseline: Prevents known privilege escalations
  • Restricted: Heavily restricted context

Example Pod Security Standard Implementation:

apiVersion: pod-security.admission.config.k8s.io/v1
kind: PodSecurityConfiguration
defaults:
  enforce: "baseline"
  enforce-version: "latest"
  audit: "restricted"
  audit-version: "latest"
  warn: "restricted"
  warn-version: "latest"
exemptions:
  usernames: []
  runtimeClasses: []
  namespaces: ["kube-system"]

Kubernetes RBAC:

  • Role-based access control
  • Principle of least privilege
  • Namespace isolation
  • Service accounts
  • Role bindings
  • Cluster roles
  • Cluster role bindings

Example RBAC Configuration:

# Create a role for pod viewing
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
---
# Bind the role to a user
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User
  name: jane
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

Kubernetes Network Policies:

  • Pod-level network segmentation
  • Namespace isolation
  • Ingress and egress rules
  • Protocol and port restrictions
  • CIDR-based rules
  • Pod selector rules
  • Default deny policies

Example Network Policy:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-network-policy
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8080
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: database
    ports:
    - protocol: TCP
      port: 5432

Kubernetes Secrets Management

Securing sensitive information in Kubernetes:

Kubernetes Secrets Challenges:

  • Base64 encoding (not encryption)
  • etcd storage security
  • Secret propagation
  • Pod access control
  • Secret rotation
  • Audit logging
  • Secret sprawl

Secret Management Best Practices:

  • Use external secret stores
  • Implement encryption at rest
  • Limit secret access with RBAC
  • Mount secrets as volumes
  • Implement secret rotation
  • Audit secret access
  • Use sealed secrets for GitOps

Example External Secrets Operator:

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: database-credentials
spec:
  refreshInterval: "15m"
  secretStoreRef:
    name: vault-backend
    kind: ClusterSecretStore
  target:
    name: database-credentials
    creationPolicy: Owner
  data:
  - secretKey: username
    remoteRef:
      key: database/credentials
      property: username
  - secretKey: password
    remoteRef:
      key: database/credentials
      property: password

Continue Your Learning

This is part 2 of 4 in the comprehensive guide.

← Previous Introduction Guide Overview See all 4 parts Next → Advanced Patterns and Techniques