Kubernetes Version 1.23: What's New for Security?
Like clockwork, a new Kubernetes release is upon us, with loads of interesting new features. Several security-relevant features in Kubernetes 1.23 reach beta and are therefore enabled by default. In this post, we explain what they mean for security, both in terms of improving cluster security and in terms of what you need to account for as new clusters are rolled out on this version.
Support for ephemeral containers
One of the challenges of maintaining a containerized application has always been how you troubleshoot it. When trying to keep image sizes down, there’s pressure not to include many diagnostics tools in the images, but that can cause problems when troubleshooting production issues. Ephemeral containers aim to solve this problem by allowing temporary containers to be added to running pods to facilitate problem diagnosis and troubleshooting.
From a Kubernetes security standpoint, this has an immediate benefit. Base images that in the past had to carry debugging tooling can now be slimmed down, because the tooling can be brought in on demand in a separate image. Fewer packages in the production image means a smaller attack surface and fewer vulnerabilities to track and patch.
However, there is some work to be done when enabling this feature. If a cluster uses admission controllers to police workload security, the policies will need to be updated to cover ephemeral containers. Otherwise, a user who is allowed to add an ephemeral container could attach a privileged or otherwise non-compliant container to a pod that was admitted as compliant, bypassing the controls.
The reason is that ephemeral containers live in their own section of the pod specification, `spec.ephemeralContainers`, and are added to an already running pod (for example by `kubectl debug`) through the `pods/ephemeralcontainers` subresource rather than by updating the pod object itself. Most admission rules were written to inspect only the `containers` and `initContainers` lists for settings such as `privileged`, and many validating webhooks are registered only for operations on `pods`. Both need attention: policy logic must also walk `spec.ephemeralContainers`, and webhook configurations must include the `pods/ephemeralcontainers` subresource in their rules, or the new container is never evaluated at all.
Windows HostProcess containers
Another feature that reaches beta in version 1.23 is HostProcess containers for Windows. This enables a range of use cases in the Windows containers world, such as node management agents and networking components, by letting a container run directly on the host rather than in an isolated container sandbox. HostProcess containers run with the host's network namespace and as host-level accounts such as NT AUTHORITY\SYSTEM, so they have privileged access to the underlying node.
But there are a couple of things to be aware of from a security standpoint. The first is that companies using Windows containers will need to ensure that the right to create HostProcess pods is carefully controlled, through RBAC and admission policy. Previously, there was no supported way for a Windows container to run as a host account, so privilege-escalation routes from Windows containers to the underlying host were limited. With this feature, an attacker who can create pods on a Windows node and set `hostProcess: true` gets SYSTEM-level access to that node.
Another area where some security work may be required is similar to the ephemeral containers case. Admission controllers used by Kubernetes clusters will need to be updated to account for this feature, because it does not re-use existing settings like `privileged` but instead uses a new field, `securityContext.windowsOptions.hostProcess`, which can be set at both the pod and the container level (all containers in a HostProcess pod must be HostProcess containers). A rule that only denies `privileged: true` will not catch it. More details are available in the Kubernetes documentation.
It is also worth noting that for clusters that still use the deprecated Pod Security Policy feature, there is no direct support for limiting Windows HostProcess containers. At the moment, it is still possible to control them indirectly by blocking other settings that HostProcess containers require, such as `hostNetwork: true`, but this is not a recommended long-term solution.
PodSecurity admission controller graduated to beta
With the deprecation of PodSecurityPolicy in Kubernetes 1.21 (and its removal scheduled for 1.25), there has been a need for an in-tree replacement to supplement the external admission controller solutions that are available to help manage pod security.
This feature is focused on providing an easy-to-use pod security facility. A cluster administrator applies one of the three Pod Security Standards levels (privileged, baseline or restricted) to a namespace by labelling it, for example `pod-security.kubernetes.io/enforce: baseline`, and can independently choose per mode whether a level is enforced (non-compliant pods are rejected), only warns the client, or only produces an audit log entry. Because the built-in checks cover ephemeral containers and the Windows HostProcess fields alongside regular containers, it avoids the gaps described above. It should be a good match for simpler cluster configurations, but the levels are fixed and apply per namespace, so it is worth evaluating whether that meets your requirements or whether a more flexible external admission controller is required.
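To make the three points above concrete (policies must walk `spec.ephemeralContainers`, HostProcess is a separate field rather than `privileged`, and PodSecurity levels are selected per namespace by label), here is an added Python example. It is not code from the original post or from Kubernetes itself: it re-implements only a handful of the baseline controls as a toy evaluator, the pod manifests and namespace labels are constructed for the example, and the function names are the example's own. The "legacy" checker models a pre-1.23 admission rule that only looks at `containers` and `initContainers`.

```python
"""Toy pod-security evaluator (added example, not Kubernetes code).

Implements a small subset of the Pod Security Standards baseline controls
(host namespaces, privileged containers, Windows HostProcess) and a
PodSecurity-style enforce/warn/audit decision driven by namespace labels.
"""
from typing import Dict, List, Tuple

# All three places a container can appear in a pod spec.  Pre-1.23 policy
# code commonly looked at the first two only.
ALL_CONTAINER_FIELDS: Tuple[str, ...] = ("containers", "initContainers", "ephemeralContainers")
LEGACY_CONTAINER_FIELDS: Tuple[str, ...] = ("containers", "initContainers")

PSA_LEVELS = ("privileged", "baseline", "restricted")
PSA_LABEL_PREFIX = "pod-security.kubernetes.io/"
DEFAULT_LEVEL = "privileged"  # a missing mode label means "no checks" for that mode


def _is_host_process(security_context: Dict) -> bool:
    """True if securityContext.windowsOptions.hostProcess is set (pod or container level)."""
    win = (security_context or {}).get("windowsOptions") or {}
    return bool(win.get("hostProcess"))


def container_violations(container: Dict, field: str) -> List[str]:
    sc = container.get("securityContext") or {}
    where = f"{field}/{container.get('name', '?')}"
    found = []
    if sc.get("privileged"):
        found.append(f"{where}: privileged container")
    if _is_host_process(sc):  # separate field, not covered by a 'privileged' rule
        found.append(f"{where}: Windows HostProcess container")
    return found


def violations(pod: Dict, fields: Tuple[str, ...] = ALL_CONTAINER_FIELDS) -> List[str]:
    """Return the baseline-style violations found in a pod manifest (dict form)."""
    spec = pod.get("spec") or {}
    found = []
    for ns in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(ns):
            found.append(f"pod: {ns} enabled")
    if _is_host_process(spec.get("securityContext")):
        found.append("pod: Windows HostProcess pod")
    for field in fields:
        for container in spec.get(field) or []:
            found.extend(container_violations(container, field))
    return found


def legacy_violations(pod: Dict) -> List[str]:
    """A pre-1.23 style rule that never looks at spec.ephemeralContainers."""
    return violations(pod, fields=LEGACY_CONTAINER_FIELDS)


def psa_decision(namespace_labels: Dict[str, str], pod: Dict) -> Dict:
    """Model the PodSecurity admission outcome for one pod in a labelled namespace.

    Only 'enforce' can reject; 'warn' and 'audit' just report.  'privileged'
    disables checks; 'baseline' and 'restricted' both run our (baseline-only)
    subset, so restricted is not fully modelled here.
    """
    found = violations(pod)
    result: Dict = {}
    for mode in ("enforce", "warn", "audit"):
        level = namespace_labels.get(PSA_LABEL_PREFIX + mode, DEFAULT_LEVEL)
        if level not in PSA_LEVELS:
            raise ValueError(f"unknown pod security level {level!r} for mode {mode}")
        result[mode] = [] if level == "privileged" else list(found)
    result["allowed"] = not result["enforce"]
    return result


# Constructed sample manifests (not real workloads).
DEBUGGED_POD = {
    "metadata": {"name": "web", "namespace": "prod"},
    "spec": {
        "containers": [{"name": "app", "image": "registry.example/app:1.0",
                        "securityContext": {"privileged": False}}],
        # What 'kubectl debug' adds via the pods/ephemeralcontainers subresource.
        "ephemeralContainers": [{"name": "debugger", "image": "registry.example/tools:latest",
                                 "securityContext": {"privileged": True}}],
    },
}

HOSTPROCESS_POD = {
    "metadata": {"name": "node-agent", "namespace": "infra"},
    "spec": {
        "hostNetwork": True,  # required by HostProcess pods
        "securityContext": {"windowsOptions": {"hostProcess": True,
                                               "runAsUserName": "NT AUTHORITY\\SYSTEM"}},
        "containers": [{"name": "agent", "image": "registry.example/agent:1.0",
                        "securityContext": {"windowsOptions": {"hostProcess": True}}}],
    },
}

if __name__ == "__main__":
    print("legacy rule:", legacy_violations(DEBUGGED_POD))      # [] -> bypass
    print("updated rule:", violations(DEBUGGED_POD))            # catches the debugger
    print("hostprocess:", violations(HOSTPROCESS_POD))
    labels = {PSA_LABEL_PREFIX + "enforce": "baseline", PSA_LABEL_PREFIX + "warn": "restricted"}
    print("PSA decision:", psa_decision(labels, DEBUGGED_POD))
```

Running the script shows the legacy rule returning an empty list for the debugged pod while the updated rule reports the privileged ephemeral container, and the HostProcess pod being flagged three times (host network, pod-level and container-level `hostProcess`) even though `privileged` is never set. Real policies (Gatekeeper, Kyverno, a custom webhook) need the same three-list walk, and their webhook registration must include the `pods/ephemeralcontainers` subresource or the evaluator is never invoked for the ephemeral container.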
As with every Kubernetes release, there are things you should consider from a security standpoint. While new features can help make your clusters more secure, each one that adds a new field or subresource to the pod API is also a potential gap in existing policies, so review your admission controls and RBAC to make sure they take account of these new features before enabling them.