Kubernetes and Cloud Native Security Associate (KCSA)
Kubernetes Cluster Component Security
Securing Kube Proxy
Kube-proxy runs on every Kubernetes node, enforcing network rules that allow pods, services, and external clients to communicate. Securing kube-proxy is vital to safeguard your cluster against misconfigurations and attacks. In this guide, you’ll learn how to locate and lock down kube-proxy’s configuration, enforce encrypted communication, enable audit logging, and follow security best practices.
1. Locate the Kube-Proxy Process and Configuration
Identify the running kube-proxy and its config file:
joe@ubuntu:~$ ps -ef | grep kube-proxy
root 5351 5134 0 04:22 ? 00:00:04 /usr/local/bin/kube-proxy \
--config=/var/lib/kube-proxy/config.conf \
--hostname-override=controlplane --color=auto kube-proxy
The --config flag points to the primary configuration:
apiVersion: kubeproxy.config.k8s.io/v1alpha1
bindAddress: 0.0.0.0
bindAddressHardFail: false
clientConnection:
  acceptContentTypes: ""
  burst: 0
  contentType: ""
  kubeconfig: /var/lib/kube-proxy/kubeconfig.conf
  qps: 0
clusterCIDR: 172.17.0.0/16
The kubeconfig entry specifies where kube-proxy retrieves its API credentials.
2. Secure the kubeconfig File
Protecting the kubeconfig file prevents unauthorized access to the API server.
2.1 Verify Permissions and Ownership
The following table lists the expected permissions and ownership for each file:
| File | Permissions | Owner |
|---|---|---|
| /var/lib/kube-proxy/config.conf | 644 | root:root |
| /var/lib/kube-proxy/kubeconfig.conf | 600 (or 644) | root:root |
# Check permission
stat -c %a /var/lib/kube-proxy/kubeconfig.conf
# Check owner and group
stat -c %U:%G /var/lib/kube-proxy/kubeconfig.conf
Least Privilege
Always grant the minimum file permissions needed. Restrict write access to root (600) wherever possible.
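The two stat commands above check one file at a time. The script below is an added example (not part of the KCSA course material) that turns the table into a repeatable check: it fails if a file is missing, if its mode grants any bit beyond the allowed maximum, or if its owner differs from the expected one. It enforces 600 for kubeconfig.conf, in line with the least-privilege note. The demo directory it creates stands in for /var/lib/kube-proxy and uses the current user as the expected owner, so it runs without root; on a real node call audit_kube_proxy_files with no arguments (defaults: /var/lib/kube-proxy and root:root).

```shell
#!/bin/sh
# Added example: verify kube-proxy config files against the permission table.
# Not from the course; the demo directory below is constructed for illustration.

# check_kube_file FILE MAX_MODE EXPECTED_OWNER
# Succeeds only if FILE exists, its mode sets no bit outside MAX_MODE
# (octal, e.g. 600) and its owner:group equals EXPECTED_OWNER.
check_kube_file() {
  file=$1 max_mode=$2 expected_owner=$3
  if [ ! -f "$file" ]; then
    echo "MISSING  $file"
    return 1
  fi
  mode=$(stat -c %a "$file")
  owner=$(stat -c %U:%G "$file")
  # Bits present in the actual mode but not allowed by MAX_MODE (644 vs 600 -> 044).
  extra=$(( 0$mode & ~0$max_mode & 0777 ))
  status=OK
  [ "$extra" -eq 0 ] || status="FAIL(mode $mode exceeds $max_mode)"
  [ "$owner" = "$expected_owner" ] || status="FAIL(owner $owner, expected $expected_owner)"
  echo "$status  $file"
  [ "$status" = OK ]
}

# audit_kube_proxy_files [DIR] [OWNER]
# Checks both files from the table; DIR defaults to /var/lib/kube-proxy,
# OWNER to root:root. Returns 1 if any check fails.
audit_kube_proxy_files() {
  dir=${1:-/var/lib/kube-proxy}
  owner=${2:-root:root}
  rc=0
  check_kube_file "$dir/config.conf"     644 "$owner" || rc=1
  check_kube_file "$dir/kubeconfig.conf" 600 "$owner" || rc=1
  return $rc
}

# Demo on a constructed directory (stands in for /var/lib/kube-proxy).
DEMO_DIR=$(mktemp -d)
ME="$(id -un):$(id -gn)"
printf 'apiVersion: kubeproxy.config.k8s.io/v1alpha1\n' > "$DEMO_DIR/config.conf"
printf 'apiVersion: v1\nkind: Config\n' > "$DEMO_DIR/kubeconfig.conf"
# kubeconfig.conf deliberately left world-readable so the audit reports it.
chmod 644 "$DEMO_DIR/config.conf" "$DEMO_DIR/kubeconfig.conf"
audit_kube_proxy_files "$DEMO_DIR" "$ME" \
  || echo "--> remediate with: chmod 600 $DEMO_DIR/kubeconfig.conf"
```

The mode comparison is bitwise rather than a string match, so a file at 640 or 400 also passes a 644 or 600 limit, while 664 or 4755 fails it.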
3. Enforce TLS Encryption for API Connectivity
Open the kubeconfig to confirm TLS settings and service-account authentication:
apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
    server: https://controlplane:6443
  name: default
contexts:
- context:
    cluster: default
    namespace: default
    user: default
  name: default
current-context: default
users:
- name: default
  user:
    tokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
- certificate-authority ensures the API server’s certificate is validated.
- server: https://… enforces encrypted HTTPS connections.
- The service-account tokenFile grants authenticated, RBAC-controlled access.
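Reading the kubeconfig by eye works for one node; the function below is an added example (not from the course) that checks the three points above mechanically: every server URL must be https://, a certificate-authority (or certificate-authority-data) must be present so the API server certificate is validated, insecure-skip-tls-verify must not be enabled, and a user credential (tokenFile, token or client certificate) must exist. It uses plain grep on the YAML keys rather than a YAML parser, which is adequate for the flat kubeconfig layout shown above. The two sample kubeconfigs it writes are constructed for the demonstration; the "bad" one is the kind of misconfiguration the check is meant to catch.

```shell
#!/bin/sh
# Added example: validate the TLS and authentication settings of a kubeconfig
# used by kube-proxy. Not course code; the sample files below are constructed.

# check_kubeconfig_tls FILE
# Prints one FAIL line per problem and returns 1; prints OK and returns 0 otherwise.
check_kubeconfig_tls() {
  file=$1
  rc=0
  if grep -Eq '^[[:space:]]*server:[[:space:]]*http://' "$file"; then
    echo "FAIL plaintext http:// server URL in $file"; rc=1
  fi
  if ! grep -Eq '^[[:space:]]*server:[[:space:]]*https://' "$file"; then
    echo "FAIL no https:// server entry in $file"; rc=1
  fi
  if grep -Eq '^[[:space:]]*insecure-skip-tls-verify:[[:space:]]*true' "$file"; then
    echo "FAIL insecure-skip-tls-verify is enabled: server certificate is not validated"; rc=1
  fi
  if ! grep -Eq '^[[:space:]]*certificate-authority(-data)?:' "$file"; then
    echo "FAIL no certificate-authority configured in $file"; rc=1
  fi
  if ! grep -Eq '^[[:space:]]*(tokenFile|token|client-certificate(-data)?):' "$file"; then
    echo "FAIL no user credential (tokenFile/token/client-certificate) in $file"; rc=1
  fi
  if [ "$rc" -eq 0 ]; then
    echo "OK   $file uses HTTPS, validates the server certificate and authenticates"
  fi
  return $rc
}

# Constructed sample 1: the layout shown above (service-account token over HTTPS).
GOOD_KUBECONFIG=$(mktemp)
cat > "$GOOD_KUBECONFIG" <<'EOF'
apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
    server: https://controlplane:6443
  name: default
users:
- name: default
  user:
    tokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
EOF

# Constructed sample 2: plaintext endpoint and certificate validation switched off.
BAD_KUBECONFIG=$(mktemp)
cat > "$BAD_KUBECONFIG" <<'EOF'
apiVersion: v1
kind: Config
clusters:
- cluster:
    insecure-skip-tls-verify: true
    server: http://controlplane:8080
  name: default
users:
- name: default
  user:
    tokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
EOF

check_kubeconfig_tls "$GOOD_KUBECONFIG"
check_kubeconfig_tls "$BAD_KUBECONFIG" || echo "--> $BAD_KUBECONFIG must be fixed before kube-proxy uses it"
```

On a node, run it against /var/lib/kube-proxy/kubeconfig.conf (the path from the kube-proxy configuration above); a non-zero exit status makes it usable from a node-hardening job.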
4. Enable Audit Logging
Audit logging is an API-server feature: with a policy like the one below, the kube-apiserver records every request that kube-proxy makes as the system:kube-proxy user, so you can monitor its activity and detect anything unexpected.
Create an audit policy (e.g., /etc/kubernetes/audit-policy.yaml):
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  # Log all actions by kube-proxy
  - level: Metadata
    users: ["system:kube-proxy"]
  # Optionally monitor changes to core resources
  - level: Metadata
    resources:
      - group: ""
        resources: ["pods", "services", "endpoints"]
  # Skip logging for all other requests
  - level: None
Stream audit events to verify logs:
tail -f /var/log/audit/audit.log | jq .objectRef.resource
Audit Storage
Ensure sufficient disk space and retention policies for your audit logs to prevent data loss.
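The tail | jq pipeline above shows which resources are being touched; deciding whether an entry is suspicious takes one more step. The script below is an added example (not from the course) that triages the Metadata-level events the policy above produces: it keeps only events whose user is system:kube-proxy, prints the verb and resource of each, and separately lists any request whose verb is not get, list or watch, since kube-proxy only reads service and endpoint data and never needs to write. It uses sed instead of jq so it runs anywhere; the four audit events are constructed for the demonstration and follow the audit.k8s.io/v1 Event layout (verb, user.username, objectRef.resource), not copied from a real cluster.

```shell
#!/bin/sh
# Added example: triage kube-proxy entries in an API-server audit log.
# Not course code; the sample events below are constructed.

# proxy_requests FILE
# Prints "verb resource" for every audit event made by system:kube-proxy.
proxy_requests() {
  while IFS= read -r line; do
    case $line in
      *'"username":"system:kube-proxy"'*) ;;
      *) continue ;;
    esac
    verb=$(printf '%s\n' "$line" | sed -n 's/.*"verb":"\([a-z]*\)".*/\1/p')
    resource=$(printf '%s\n' "$line" | sed -n 's/.*"resource":"\([a-z]*\)".*/\1/p')
    echo "$verb $resource"
  done < "$1"
}

# proxy_write_requests FILE
# Keeps only kube-proxy events whose verb is not a read verb; an empty
# result is the expected state for a healthy node.
proxy_write_requests() {
  proxy_requests "$1" | while read -r verb resource; do
    case $verb in
      get|list|watch) ;;
      *) echo "$verb $resource" ;;
    esac
  done
}

# Constructed sample log: three kube-proxy events (one of them a delete that
# kube-proxy has no business issuing) and one event from another user.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","verb":"watch","user":{"username":"system:kube-proxy","groups":["system:node-proxier"]},"objectRef":{"resource":"endpointslices","apiGroup":"discovery.k8s.io"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","verb":"list","user":{"username":"system:kube-proxy","groups":["system:node-proxier"]},"objectRef":{"resource":"services"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","verb":"get","user":{"username":"system:apiserver"},"objectRef":{"resource":"endpoints","namespace":"default"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","verb":"delete","user":{"username":"system:kube-proxy","groups":["system:node-proxier"]},"objectRef":{"resource":"pods","namespace":"kube-system","name":"example-pod"},"responseStatus":{"code":403}}
EOF

echo "all kube-proxy requests:"
proxy_requests "$SAMPLE_LOG"
echo "kube-proxy requests that are not reads (investigate):"
proxy_write_requests "$SAMPLE_LOG"
```

Against a live file, replace "$SAMPLE_LOG" with the audit log path the tail command above uses; the 403 response code on the constructed delete is what a correctly scoped RBAC role should produce, but the attempt itself is still worth an alert.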
Summary of Best Practices
- Secure and limit access to /var/lib/kube-proxy/config.conf and kubeconfig.conf.
- Enforce TLS and service-account authentication for API traffic.
- Run kube-proxy with least privilege.
- Apply NetworkPolicies to control pod-to-pod traffic.
- Enable logging and monitoring to detect anomalies.
- Keep kube-proxy updated with the latest security patches.
- Enable and review audit logs to track every kube-proxy action.