TABLE OF CONTENT
1. Overview2. Amazon EKS Workflow3. AWS EKS Security4. Managing Authorization, Access Control, and Authentication5. Monitoring and Security of Amazon EKS Resources6. Amazon EKS Use Cases9. Conclusion10. CloudThat11. FAQs
Overview
Kubernetes security within EKS is AWS’ responsibility. This shared responsibility model splits the security aspect of AWS Security and Client side Security. Amazon Elastic Kubernetes Service can be used to run Kubernetes from AWS Kubernetes control plan or nodes. Kubernetes, an open-source software system that automates containerized applications’ deployment and scaling, as well as management, is available.
Amazon EKS can be integrated with other AWS services such as Amazon Elastic Container Registry, Elastic Load Balancing and IAM. It eliminates the need to deal with technical issues related to deployment, scaling, and management. Amazon EKS automatically controls Kubernetes control panels by focusing on the core functionality of the containerized application.
Amazon EKS Workflow
Amazon EKS manages the Kubernetes control plan and worker nodes for us. It is composed of two main components: a cluster consisting of ‘worker nodes’ that run on our containers and the control plan, which manages when and how our containers get started in our cluster and monitors their status.
We cannot run the Kubernetes control plane or the cluster of worker nosdes without Amazon EKS. Amazon EKS allows us to start our worker nodes with a single command from the EKS console. AWS provides high availability and security for provisioning, scaling, managing and managing Kubernetes’ control plane.
AWS EKS Security
Security is a shared responsibility between the cloud service provider (AWS) and the user. AWS is responsible to secure the cloud while users are responsible for security.
Managing Authorization, Authentication and Access Control for AWS EKS
a) Identity and Access Management in Amazon EKS:
There are many ways to authenticate requests to kube-apiserver, including Bearer Tokens and X.509 certificate, OIDC, and OIDC. EKS currently supports webhook token authentication and service token tokens.
Recommendations:
Avoid using service account tokens to authenticate
Always use the least privilege access to AWS Resources
When multiple users require the same access to the cluster, use IAM roles
When creating RoleBindings or ClusterRoleBindings, you should not be granted any privileges
Make the EKS Cluster EndPoint private
Create an EKS cluster and a dedicated IAM role
To make changes to the awsauth ConfigMap, use tools like eksctl
Cluster audits are conducted regularly
Alternative Methods for Access Management and Authentication
b) Pod Security
Node Authorization: All worker nos use a authorization technique called node authorization. It allows nodes perform the following actions:
Read:
Services
endpoints
Nodes
pods
secrets, configmap, persistent volumes
Write:
node and node status
Status of pod and pod
Auth-related operations:
read/write access to the CertificateSigningRequest API
Create TokenReview and SubAccessReview
Recommendations:
Multiple Pod Security Admission (PSA), modes can be combined to improve the user experience
Limit the number of containers that can be run as a privilege
Containers are not the best place to run processes.
Docker should never be run in Docker.
Limit the use of hostPath, or if hostPath is required, limit which prefixes may be used and make the volume read-only
To avoid resource contention and DoS attacks, set limits and requests for each container
Do not permit privileged escalation
Disable service discovery
Configure your images using a read-only root system
c) Amazon EKS infrastructure security:
Amazon EKS infrastructure is just as important as the security of the container image.
Recommendations