Outshift | Kubernetes API Security - The Challenges & Best Practices

In a Kubernetes environment, the control pane core element is the API server. It’s an HTTP API that manages all communication between your application’s different parts, from cluster segments to external components and end-users. Kubernetes API also allows developers to query and modify Kubernetes API objects (i.e., Pods, Namespaces, ConfigMaps, Events, and more), so it’s critical to prevent any gaps in the API security.

CVE-2020-8559n Challenge to Kubernetes Security

The 2018 CVE-2020-8559, is a big and recent Kubernetes vulnerability that earned a worrisome 6.8 severity score (out of a maximum of 10) on the National Vulnerability Database. This high score stemmed from that CVE ability to enable a critical attack scenario:

Allowing attackers to intercept certain requests to the Kubelet, where they can cause the client to follow a redirect response. The client then, uses the credentials from the original request leading to other nodes being compromised.
Even if TLS for all API traffic was configured correctly, these allowed attackers to:
Inject malicious code into containers to access secrets, exfiltrate data, mine for cryptocurrencies, or more
Crash the entire cluster

In short, CVE-2020-8559n basically enabled any successful attacker to take full control of the targeted application.

9 Kubernetes API Security best practices

CVE-2018-1002105 demonstrates how crucial solid Kubernetes API security is. As the Kubernetes API server is the core of Kubernetes' control-pane, CVE-2018-1002105 effectively was a Kubernetes security risk affecting every single Kubernetes application. Here are 9 Kubernetes security best practices updated from the CNCF 2019 version to help you maintain your Kubernetes API security.

Systematically upgrade to the latest version as soon as possible New versions typically include security features in addition to bug fixes. Latest releases should always be run with the latest release to avoid falling behind with upgrades, as implementing upgrades becomes more complex when jumping up a few versions. In any case, upgrading to a new version on a quarterly basis is highly recommended to limit extended exposure to newly patched vulnerabilities.
Enable Role-Based Access Control (RBAC) Configure least-privilege access on all components with RBAC (enabled by default since v1.6 but needing granular configuration. Note: upgrade from prior versions requires disabling legacy Attribute-Based Access Control (ABAC).

Favor namespace-specific permission over cluster-wide permissions
Use kubectl get clusterrolebinding or kubectl get rolebinding -all-namespaces.
When granting access to the Kubernetes API, create service accounts individually with the narrowest possible set of permissions needed at each use site.
Set automountServiceAccountToken to false for applications that do not need access to the API.

Use namespaces to establish security boundaries Reduce risks of lateral escalation by isolating components by creating separate namespaces. In addition to increasing security, this will facilitate security control when configuring Network Policies. Use kubectl get ns to check for remaining default namespaces
Separate sensitive workloads Run sensitive workloads on a dedicated set of machines to reduce the risk of a breach through a less-secure application sharing a container runtime or host.
Prevent exposure of sensitive information through metadata Unrestricted access to information recorded in metadata, statistical reports, search indices, or other resources might be leveraged to extract original information or intuit some details.
Create and define cluster network policies Leverage Network Policies to control network access into and out of your containerized applications. When using a managed Kubernetes provider, ensure compatibility with their Network Policies and configure them granularly to eliminate unwanted default options.
Run a cluster-wide Pod Security Policy Configure Pod Security Policy admission controller to replace default values with least privileged access values to define how workloads are allowed to run in your cluster. Consider defining a policy and enabling the Pod Security Policy admission controller.
Harden node security To improve your nodes security posture:

Check your host configuration against CIS Benchmarks.
Secure Network Access to sensitive ports: block access from kubelet ports and limit access to Kubernetes API exclusively to trusted networks.
Restrict admin access to Kubernetes nodes.

Turn on audit logging Enable audit logs and check them for suspicious API calls.

Get in touch with Cisco Cloud Native Security Solution to secure your Kubernetes API and RBAC links.

CVE-2020-8559n Challenge to Kubernetes Security

National Vulnerability Database

Allowing attackers to intercept certain requests to the Kubelet, where they can cause the client to follow a redirect response. The client then, uses the credentials from the original request leading to other nodes being compromised.

Even if TLS for all API traffic was configured correctly, these allowed attackers to:

Inject malicious code into containers to access secrets, exfiltrate data, mine for cryptocurrencies, or more

Crash the entire cluster

9 Kubernetes API Security best practices

2019 version

Systematically upgrade to the latest version as soon as possible New versions typically include security features in addition to bug fixes. Latest releases should always be run with the latest release to avoid falling behind with upgrades, as implementing upgrades becomes more complex when jumping up a few versions. In any case, upgrading to a new version on a quarterly basis is highly recommended to limit extended exposure to newly patched vulnerabilities.

Enable Role-Based Access Control (RBAC) Configure least-privilege access on all components with RBAC (enabled by default since v1.6 but needing granular configuration. Note: upgrade from prior versions requires disabling legacy Attribute-Based Access Control (ABAC).

Favor namespace-specific permission over cluster-wide permissions

Use kubectl get clusterrolebinding or kubectl get rolebinding -all-namespaces.

When granting access to the Kubernetes API, create service accounts individually with the narrowest possible set of permissions needed at each use site.

Set automountServiceAccountToken to false for applications that do not need access to the API.

Use namespaces to establish security boundaries Reduce risks of lateral escalation by isolating components by creating separate namespaces. In addition to increasing security, this will facilitate security control when configuring Network Policies. Use kubectl get ns to check for remaining default namespaces

Separate sensitive workloads Run sensitive workloads on a dedicated set of machines to reduce the risk of a breach through a less-secure application sharing a container runtime or host.

Prevent exposure of sensitive information through metadata Unrestricted access to information recorded in metadata, statistical reports, search indices, or other resources might be leveraged to extract original information or intuit some details.

Create and define cluster network policies Leverage Network Policies to control network access into and out of your containerized applications. When using a managed Kubernetes provider, ensure compatibility with their Network Policies and configure them granularly to eliminate unwanted default options.

Run a cluster-wide Pod Security Policy Configure Pod Security Policy admission controller to replace default values with least privileged access values to define how workloads are allowed to run in your cluster. Consider defining a policy and enabling the Pod Security Policy admission controller.

Harden node security To improve your nodes security posture:

Check your host configuration against CIS Benchmarks.

Secure Network Access to sensitive ports: block access from kubelet ports and limit access to Kubernetes API exclusively to trusted networks.

Restrict admin access to Kubernetes nodes.

Turn on audit logging Enable audit logs and check them for suspicious API calls.

by

Alexei Kravtsov

Published on 02/20/2021

Last updated on 02/03/2025

Published on 02/20/2021

Last updated on 02/03/2025

Kubernetes API Security - The Challenges &amp; Best Practices

Get emerging insights on emerging technology straight to your inbox.

CVE-2020-8559n Challenge to Kubernetes Security

9 Kubernetes API Security best practices

Welcome to the future of agentic AI: The Internet of Agents

Published on 00/00/0000

Last updated on 00/00/0000

Published on 00/00/0000

Last updated on 00/00/0000

by

Alexei Kravtsov

Published on 02/20/2021

Last updated on 02/03/2025

Published on 02/20/2021

Last updated on 02/03/2025

Kubernetes API Security - The Challenges &amp; Best Practices

Get emerging insights on emerging technology straight to your inbox.

CVE-2020-8559n Challenge to Kubernetes Security

9 Kubernetes API Security best practices

Welcome to the future of agentic AI: The Internet of Agents

Related articles

Security

Kubernetes and multi-cloud security

Strategy & Insights

Accordion - A cloud native framework to enable fast SDLC for SaaS and on-prem projects

In-depth Tech

KubeClarity: Installation on AWS EKS

Apply

Connect

Blog

Categories

Tools

Resource Hub

Apps & Services

View all

Featured Apps

Next Gen Solutions

Kubernetes API Security - The Challenges & Best Practices

Kubernetes API Security - The Challenges & Best Practices