Govur University Logo
--> --> --> -->
Govur University Logo
Sign In
...
Home All Courses Programming Courses Google Certified Professional Cloud Architect Flashcard

Explain the process of securing an application running on Google Kubernetes Engine (GKE), including network policies, pod security, and secrets management best practices.



Securing an application running on Google Kubernetes Engine (GKE) requires a multi-layered approach that encompasses network security, pod security, and secrets management. Here's a detailed explanation of the process, along with examples:

1. Network Policies:

Purpose: Network policies control how pods can communicate with each other and with other network endpoints. By default, all pods in a Kubernetes cluster can communicate freely. Network policies allow you to implement granular access controls to minimize the impact of a potential breach.

Implementation:

Enable Network Policy Enforcement: Enable network policy enforcement on the GKE cluster. This may require enabling network policy controller on GKE. This is a fundamental step that will enable network security policies on the cluster.
Define Network Policy Objects: Create NetworkPolicy objects using Kubernetes YAML manifests to specify which pods can communicate with other pods or namespaces. The policies should be specific and tailored to the application requirements.
Use Labels and Selectors: Utilize labels and selectors to define the pods that are targeted by the network policies. Labels are key-value pairs that can be used to group pods based on their function, environment, etc., and are essential for proper security policies.
Default Deny: Implement default deny policies, where all traffic is denied by default unless explicitly allowed by a network policy. This will prevent any traffic that is not explicitly allowed.
Namespace Isolation: Use network policies to isolate resources based on namespaces to enhance isolation. Use namespaces for different development environments to limit traffic between the development and production environments.
Example:
Consider a scenario with microservices. A "frontend" pod should only be able to communicate with an "api" pod and not directly with a "database" pod. The "database" pod should only allow traffic from the "api" pod. The network policy might look like this:
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: frontend-policy
spec:
podSelector:
matchLabels:
app: frontend
policyTypes:
- Ingress
ingress:
- from:
- podSelector:
matchLabels:
app: api
```

2. Pod Security:

Purpose: Pod security controls the permissions and capabilities that a pod has. This limits what the pod can do if it is compromised.

Pod Security Admission (PSA): Use PSA to enforce pod security standards. It’s a Kubernetes feature that lets you apply security profiles (baseline, restricted) to namespaces and pods. The level of restriction will determine the security implications.

Restricted Profiles: Enforce restricted profiles in production environments which enforce stricter settings. These would limit a containers access to host resources and restrict the overall access of a compromised container.

Security Contexts: Use security contexts within the pod specification to control the security of a pod.
Set User and Group IDs: Run containers with a non-root user and group IDs using the `runAsUser`, `runAsGroup` securityContext settings. Avoid running containers with root privileges to reduce the risk of escalation.
Capabilities: Limit container capabilities with the `capabilities` settings to drop unnecessary capabilities. Drop capabilities like `NET_RAW` to prevent raw socket operations, which can be used for network scanning.
Read-Only Root Filesystem: Configure containers to use a read-only root file system using the `readOnlyRootFilesystem` setting to prevent modifying file contents by a compromised container.
Limit host access: Set `hostNetwork=false`, and `hostIPC=false`, to limit access to the host system’s network and IPC namespace.

Example:
```yaml
apiVersion: v1
kind: Pod
metadata:
name: secure-pod
spec:
securityContext:
runAsUser: 1000
runAsGroup: 3000
fsGroup: 3000
containers:
- name: my-container
image: my-image
securityContext:
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
```

3. Secrets Management:

Purpose: Secrets such as API keys, passwords, and other sensitive data should not be stored directly in your container images or configuration files. Using a dedicated secret management service is critical for security.

Google Cloud Secret Manager: Use Google Cloud Secret Manager to store and manage secrets. Secret Manager integrates seamlessly with GKE and allows you to version secrets and control access to them.

Secret Access: Grant your applications and services the permission to access the required secrets, and do this using IAM with the principle of least privilege.
Do not Embed Secrets: Never embed secrets directly in your deployment manifests or image.
Secret Rotation: Implement automatic secret rotation to change keys periodically.
Kubernetes Secrets: Use Kubernetes Secrets to mount the secrets in the pods. Mount secrets as files or environment variables to avoid storing them as clear text in pod specs.
Example:

1. Store secrets in Cloud Secret Manager: Store a database password in Secret Manager.
2. Grant Access to Secret: Grant a service account used by a GKE application access to the secret.
3. Mount Secret in Pod: Use the Kubernetes secret object to mount the secret in the pod as a file.

```yaml
apiVersion: v1
kind: Pod
metadata:
name: my-app
spec:
containers:
- name: my-container
image: my-image
volumeMounts:
- name: my-secret-volume
mountPath: /etc/secrets
volumes:
- name: my-secret-volume
secret:
secretName: my-database-credentials
```
Use Workload Identity: Use Workload Identity to grant Kubernetes service accounts access to Google Cloud resources, eliminating the need to use service account keys.

4. Additional Security Best Practices:

Regular Security Scans: Use container image scanning tools to scan images for vulnerabilities. These can be integrated in the CI/CD pipelines to catch vulnerabilities earlier.

RBAC: Use Role-Based Access Control (RBAC) to manage access to cluster resources. Implement the principle of least privilege when assigning roles.

Limit API access: Limit who has access to the Kubernetes API server using authorized IP address ranges.

Regular Updates: Keep GKE, Kubernetes, and container images updated to patch vulnerabilities. Regularly update GKE and the underlying operating system to get all relevant security patches and security fixes.

Network Segmentation: Use namespaces and network policies to isolate workloads. Limit network access across the cluster.

Monitoring and Logging: Use Cloud Monitoring and Logging to monitor the security of GKE applications, and to create alerts for any suspicious activities. Use audit logs to track user behavior and detect any misconfigurations.

In Summary:

Securing an application on GKE is a continuous process. It requires combining network policies, pod security, and secrets management practices. By focusing on least privilege, regular monitoring, vulnerability scanning, using a robust configuration of securityContexts and leveraging built-in security services from Google Cloud, one can drastically reduce the risks associated with running containerized workloads and provide a highly secure environment.