You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
[Admission control](/docs/reference/access-authn-authz/admission-controllers/) is a key part of Kubernetes security, alongside authentication and authorization.
24
24
Webhook admission controllers are extensively used to help improve the security of Kubernetes clusters in a variety of ways including restricting the privileges of workloads and ensuring that images deployed to the cluster meet organization’s security requirements.
However, as with any additional component added to a cluster, security risks can present themselves.
27
32
A security risk example is if the deployment and management of the admission controller are not handled correctly. To help admission controller users and designers manage these risks appropriately,
28
33
the [security documentation](https://github.com/kubernetes/community/tree/master/sig-security#security-docs) subgroup of SIG Security has spent some time developing a [threat model for admission controllers](https://github.com/kubernetes/sig-security/tree/main/sig-security-docs/papers/admission-control).
29
34
This threat model looks at likely risks which may arise from the incorrect use of admission controllers, which could allow security policies to be bypassed, or even allow an attacker to get unauthorised access to the cluster.
30
-
31
-
From the threat model, we developed a set of security best practices that should be adopted to ensure that cluster operators can get the security benefits of admission controllers whilst avoiding any risks from using them.
From the threat model, we developed a set of security best practices that should be adopted to ensure that cluster operators can get the security benefits of admission controllers whilst avoiding any risks from using them.
## Admission controllers and good practices for security
48
-
49
-
From the threat model, a couple of themes emerged around how to ensure the security of admission controllers.
50
51
-->
51
-
52
52
## 准入控制器和安全的良好做法
53
53
54
-
从威胁模型中,围绕如何确保准入控制器的安全性出现了几个主题。
54
+
<!--
55
+
From the threat model, a couple of themes emerged around how to ensure the security of admission controllers.
56
+
-->
57
+
基于这个威胁模型,围绕着如何确保准入控制器的安全性出现了几个主题。
55
58
56
59
<!--
57
60
### Secure webhook configuration
61
+
-->
62
+
### 安全的 webhook 配置
58
63
64
+
<!--
59
65
It’s important to ensure that any security component in a cluster is well configured and admission controllers are no different here. There are a couple of security best practices to consider when using admission controllers
66
+
-->
67
+
确保集群中的任何安全组件都配置良好是很重要的,在这里准入控制器也并不例外。
68
+
使用准入控制器时需要考虑几个安全最佳实践:
60
69
70
+
<!--
61
71
* **Correctly configured TLS for all webhook traffic**. Communications between the API server and the admission controller webhook should be authenticated and encrypted to ensure that attackers who may be in a network position to view or modify this traffic cannot do so. To achieve this access the API server and webhook must be using certificates from a trusted certificate authority so that they can validate their mutual identities
62
-
* **Only authenticated access allowed**. If an attacker can send an admission controller large numbers of requests, they may be able to overwhelm the service causing it to fail. Ensuring all access requires strong authentication should mitigate that risk.
63
-
* **Admission controller fails closed**. This is a security practice that has a tradeoff, so whether a cluster operator wants to configure it will depend on the cluster’s threat model. If an admission controller fails closed, when the API server can’t get a response from it, all deployments will fail. This stops attackers bypassing the admission controller by disabling it, but, can disrupt the cluster’s operation. As clusters can have multiple webhooks, one approach to hit a middle ground might be to have critical controls on a fail closed setups and less critical controls allowed to fail open.
64
-
* **Regular reviews of webhook configuration**. Configuration mistakes can lead to security issues, so it’s important that the admission controller webhook configuration is checked to make sure the settings are correct. This kind of review could be done automatically by an Infrastructure As Code scanner or manually by an administrator.
65
72
-->
66
-
67
-
### 安全的 webhook 配置
68
-
69
-
确保集群中的任何安全组件都配置良好并且准入控制器在这里没有什么不同是很重要的。
70
-
使用准入控制器时需要考虑几个安全最佳实践
71
-
72
73
***为所有 webhook 流量正确配置了 TLS**。
73
-
API 服务器和准入控制器 webhook 之间的通信应该经过身份验证和加密,以确保处于网络中查看或修改此流量的攻击者无法查看或修改。
* **Only authenticated access allowed**. If an attacker can send an admission controller large numbers of requests, they may be able to overwhelm the service causing it to fail. Ensuring all access requires strong authentication should mitigate that risk.
78
+
-->
75
79
***只允许经过身份验证的访问**。
76
-
如果攻击者可以向准入控制器发送大量请求,他们可能会压倒服务导致其失败。
77
-
确保所有访问都需要强身份验证可以降低这种风险。
80
+
如果攻击者可以向准入控制器发送大量请求,他们可能会压垮服务导致其失败。
81
+
确保所有访问都需要强身份验证可以降低这种风险。
82
+
<!--
83
+
* **Admission controller fails closed**. This is a security practice that has a tradeoff, so whether a cluster operator wants to configure it will depend on the cluster’s threat model. If an admission controller fails closed, when the API server can’t get a response from it, all deployments will fail. This stops attackers bypassing the admission controller by disabling it, but, can disrupt the cluster’s operation. As clusters can have multiple webhooks, one approach to hit a middle ground might be to have critical controls on a fail closed setups and less critical controls allowed to fail open.
* **Regular reviews of webhook configuration**. Configuration mistakes can lead to security issues, so it’s important that the admission controller webhook configuration is checked to make sure the settings are correct. This kind of review could be done automatically by an Infrastructure As Code scanner or manually by an administrator.
93
+
-->
83
94
***定期审查 webhook 配置**。
84
-
配置错误可能导致安全问题,因此检查准入控制器 webhook 配置以确保设置正确非常重要。
85
-
这种审查可以由基础设施即代码扫描程序自动完成,也可以由管理员手动完成。
95
+
配置错误可能导致安全问题,因此检查准入控制器 webhook 配置以确保设置正确非常重要。
96
+
这种审查可以由基础设施即代码扫描程序自动完成,也可以由管理员手动完成。
86
97
87
98
<!--
88
99
### Secure cluster configuration for admission control
89
-
90
-
In most cases, the admission controller webhook used by a cluster will be installed as a workload in the cluster. As a result, it’s important to ensure that Kubernetes' security features that could impact its operation are well configured.
91
-
92
-
* **Restrict [RBAC](/docs/reference/access-authn-authz/rbac/) rights**. Any user who has rights which would allow them to modify the configuration of the webhook objects or the workload that the admission controller uses could disrupt its operation. So it’s important to make sure that only cluster administrators have those rights.
93
-
* **Prevent privileged workloads**. One of the realities of container systems is that if a workload is given certain privileges, it will be possible to break out to the underlying cluster node and impact other containers on that node. Where admission controller services run in the cluster they’re protecting, it’s important to ensure that any requirement for privileged workloads is carefully reviewed and restricted as much as possible.
94
-
* **Strictly control external system access**. As a security service in a cluster admission controller systems will have access to sensitive information like credentials. To reduce the risk of this information being sent outside the cluster, [network policies](/docs/concepts/services-networking/network-policies/) should be used to restrict the admission controller services access to external networks.
95
-
* **Each cluster has a dedicated webhook**. Whilst it may be possible to have admission controller webhooks that serve multiple clusters, there is a risk when using that model that an attack on the webhook service would have a larger impact where it’s shared. Also where multiple clusters use an admission controller there will be increased complexity and access requirements, making it harder to secure.
96
100
-->
97
-
98
101
### 准入控制的安全集群配置
99
102
103
+
<!--
104
+
In most cases, the admission controller webhook used by a cluster will be installed as a workload in the cluster. As a result, it’s important to ensure that Kubernetes' security features that could impact its operation are well configured.
105
+
-->
100
106
在大多数情况下,集群使用的准入控制器 webhook 将作为工作负载安装在集群中。
101
107
因此,确保正确配置了可能影响其操作的 Kubernetes 安全特性非常重要。
102
108
109
+
<!--
110
+
* **Restrict [RBAC](/docs/reference/access-authn-authz/rbac/) rights**. Any user who has rights which would allow them to modify the configuration of the webhook objects or the workload that the admission controller uses could disrupt its operation. So it’s important to make sure that only cluster administrators have those rights.
* **Prevent privileged workloads**. One of the realities of container systems is that if a workload is given certain privileges, it will be possible to break out to the underlying cluster node and impact other containers on that node. Where admission controller services run in the cluster they’re protecting, it’s important to ensure that any requirement for privileged workloads is carefully reviewed and restricted as much as possible.
117
+
-->
106
118
***防止特权工作负载**。
107
-
容器系统的一个现实是,如果工作负载被赋予某些特权,
108
-
则有可能突破到底层集群节点并影响该节点上的其他容器。
109
-
如果准入控制器服务在它们所保护的集群上运行,
110
-
一定要确保对特权工作负载的任何要求都要经过仔细审查并尽可能地加以限制。
119
+
容器系统的一个现实是,如果工作负载被赋予某些特权,
120
+
则有可能突破到底层集群节点并影响该节点上的其他容器。
121
+
如果准入控制器服务在它们所保护的集群上运行,
122
+
一定要确保对特权工作负载的任何要求都要经过仔细审查并尽可能地加以限制。
123
+
<!--
124
+
* **Strictly control external system access**. As a security service in a cluster admission controller systems will have access to sensitive information like credentials. To reduce the risk of this information being sent outside the cluster, [network policies](/docs/concepts/services-networking/network-policies/) should be used to restrict the admission controller services access to external networks.
* **Each cluster has a dedicated webhook**. Whilst it may be possible to have admission controller webhooks that serve multiple clusters, there is a risk when using that model that an attack on the webhook service would have a larger impact where it’s shared. Also where multiple clusters use an admission controller there will be increased complexity and access requirements, making it harder to secure.
133
+
-->
116
134
***每个集群都有一个专用的 webhook**。
117
-
虽然可能有服务于多个集群的准入控制器 webhook,
118
-
但在使用该模型时存在对 webhook 服务的攻击会对共享它的地方产生更大影响的风险。
119
-
此外,在多个集群使用准入控制器的情况下,复杂性和访问要求也会增加,从而更难保护其安全。
135
+
虽然可能有服务于多个集群的准入控制器 webhook,
136
+
但在使用该模型时存在对 webhook 服务的攻击会对共享它的地方产生更大影响的风险。
137
+
此外,在多个集群使用准入控制器的情况下,复杂性和访问要求也会增加,从而更难保护其安全。
120
138
121
139
<!--
122
140
### Admission controller rules
123
-
124
-
A key element of any admission controller used for Kubernetes security is the rulebase it uses. The rules need to be able to accurately meet their goals avoiding false positive and false negative results.
125
-
126
-
* **Regularly test and review rules**. Admission controller rules need to be tested to ensure their accuracy. They also need to be regularly reviewed as the Kubernetes API will change with each new version, and rules need to be assessed with each Kubernetes release to understand any changes that may be required to keep them up to date.
127
141
-->
128
-
129
142
### 准入控制器规则
130
143
144
+
<!--
145
+
A key element of any admission controller used for Kubernetes security is the rulebase it uses. The rules need to be able to accurately meet their goals avoiding false positive and false negative results.
146
+
-->
131
147
任何用于 Kubernetes 安全的准入控制器的一个关键元素是它使用的规则库。
132
148
规则需要能够准确地满足其目标,避免误报和误报结果。
133
149
150
+
<!--
151
+
* **Regularly test and review rules**. Admission controller rules need to be tested to ensure their accuracy. They also need to be regularly reviewed as the Kubernetes API will change with each new version, and rules need to be assessed with each Kubernetes release to understand any changes that may be required to keep them up to date.
0 commit comments