Kubernetes and Cloud Native Security Associate (KCSA)

Overview of Cloud Native Security

The 4Cs of Cloud Native Security

Protecting a Kubernetes-based voting application requires a multi-layered approach. In this guide, we’ll unpack the “4 C’s”—Cloud, Cluster, Container, and Code—to demonstrate how attackers exploit each layer and how you can shore up defenses across your entire stack.

Overview of Vulnerabilities and Mitigations

CFocus AreaCommon Attack VectorsKey Best Practices
CloudInfrastructureExposed management ports, overly permissive IAM rolesFirewalls, VPN/bastion, role audits
ClusterControl Plane & APIsPublic Docker API, unsecured Kubernetes API/DashboardSecure APIs, RBAC, OIDC/TLS, regular patching
ContainerWorkload IsolationUntrusted images, privileged containers, lax runtimeImage signing/scanning, PSP/PSA, seccomp, resource limits
CodeApplication & SecretsHard-coded credentials, plaintext env vars, no mTLSVault/K8s Secrets (encrypted), mutual TLS, code reviews

1. Cloud Security

Cloud security protects the environment that hosts your cluster—public cloud, private data center, or colocation. In our demo, an attacker gained access because SSH and API ports were open with no firewall rules.

  • Implement network firewalls or cloud security groups around SSH (22), Kubernetes API (6443), and other management ports.
  • Require VPN or bastion host access for all administrative connections.
  • Audit IAM roles and permissions monthly; follow the principle of least privilege.

Note

Regularly review firewall rules and security group configurations to prevent unintended exposure.


2. Cluster Security

The control plane is the heart of Kubernetes. In our breach scenario, the Docker remote API, Kubernetes API server, and Dashboard were exposed without auth.

  • Restrict or disable the Docker remote API (–host=unix:///var/run/docker.sock only).
  • Enable RBAC for the API server and Dashboard; define granular roles.
  • Use OIDC, service accounts, or TLS client certificates for authentication.
  • Keep control plane components and etcd up to date with patches.

Warning

Disabling the Docker remote API can impact automation scripts. Validate your CI/CD pipelines before rolling this out in production.


3. Container Security

Containers should run with the least privilege and only use trusted images. In our example, the attacker pulled arbitrary images, ran them in privileged mode, and installed malicious software.

  • Enforce image signing and vulnerability scanning; whitelist approved registries.
  • Block privileged containers by default with Pod Security Policies (PSP) or Pod Security Admission (PSA).
  • Leverage runtimes that support user namespaces, seccomp, and AppArmor profiles.
  • Set CPU, memory limits and use read-only root filesystems.

Note

Pod Security Admission (PSA) is the replacement for PSP in newer Kubernetes versions. Ensure you migrate policies accordingly.


4. Code Security

Application-level flaws—like hard-coded secrets, plaintext environment variables, and missing TLS—open doors to attackers.

  • Store and manage secrets with tools such as HashiCorp Vault or Kubernetes Secrets, enabling encryption at rest.
  • Implement mutual TLS (mTLS) for service-to-service communication inside the cluster.
  • Conduct regular code reviews and static analysis to catch vulnerabilities early.

The image illustrates the "4 C's of Cloud Native Security," which include Code, Container, Cluster, and Cloud, each with specific security practices and components.

Watch Video

Watch video content

Previous
The Attack