This topic provides an overview of the Alibaba Cloud standard of best practices for the security of Container Service for Kubernetes (ACK). Each of the following topics in this chapter provides an introduction to a category of security challenges and describes how to implement the best practices. Security engineers of enterprises can refer to topics in this chapter to meet their security requirements.

The following categories of security challenges are included:

Understand the shared responsibility model

In the managed cluster architecture of ACK, security compliance must follow the principle of shared responsibility. ACK is responsible for ensuring the security of the infrastructure resources on which ACK clusters are deployed and the security of control plane components, such as components on master nodes and etcd.

ACK is responsible for the implementation of security from various aspects, including access control, pod security, runtime security, and network security, based on the security capabilities provided by Kubernetes and Alibaba Cloud. ACK is responsible for patching security vulnerabilities related to the node OS and Kubernetes components based on the mitigation plans provided by Alibaba Cloud. You can refer to the topics in this chapter for recommendations on security reinforcement based on your business requirements.


Cloud service provider side

A cloud service provider must provide a cloud platform that has the security capabilities necessary for deploying infrastructure resources on which containerized applications can securely and stably run. In addition, a cloud service provider must provide measures to protect containers throughout the entire container lifecycle, including image building, application deployment, and runtime monitoring. The container security system must comply with the following basic principles:

  • Security of the infrastructure resources managed by the cloud container platform

    Business services run on the infrastructure resources that are managed by the cloud container platform. The cloud container platform must have the security capabilities necessary to ensure the security of infrastructure resources.

    • Comprehensive security capabilities of the platform: The security of infrastructure resources is the foundation of platform security. Alibaba Cloud provides security configurations for Virtual Private Cloud (VPC), access control for Server Load Balancer (SLB), and security features for DDoS mitigation. Alibaba Cloud also provides an account system to manage access to cloud resources.
    • Version updates and emergency response to vulnerabilities: Version updates and vulnerability patching for operating systems that run on VMs are also part of the basic security measures. Attackers can exploit vulnerabilities of other open source projects related to containerization, such as Kubernetes. The cloud service provider must develop an emergency response system for vulnerabilities of all severity levels and enable version upgrade for these open source projects.
    • Security compliance of the platform: The security compliance of the platform is the hard requirement for migrating the business of financial and public service sectors to the cloud. The cloud service provider must ensure security compliance based on the industrial standards, ensure the security of service and component configurations, and provide a comprehensive audit system for the platform and security auditors.
  • In-depth defense system for containerized applications

    In addition to setting up a comprehensive defense system on the control plane, the cloud service provider must provide in-depth security measures for applications throughout the entire lifecycle. Cloud-native computing is based on dynamic and elastic infrastructure resources, distributed application architectures, and advanced delivery and O&M methods. A cloud service provider must upgrade traditional security models to support cloud-native computing and develop a new security system for cloud-native computing.

Enterprise side

The security administrators and O&M engineers of an enterprise must understand the shared responsibility model and the responsibility boundary between the cloud service provider and the enterprise. The enterprise must assume its own security responsibilities. Cloud-native applications that are developed based on the microservice architecture use data centers and the cloud for deployment and communication. Traditional security boundaries no longer exist between networks. The network security system of enterprise applications must be developed based on the zero-trust security model. An access control system must be developed based on authentication and authorization. To reinforce application security in production environments throughout the entire application lifecycle, enterprise administrators must ensure security from the following aspects:

  • Ensure supply chain security for application artifacts

    With the development of cloud-native computing, an increasing number of large-scale containerized applications are deployed in the production environments of enterprises. A wide variety of cloud-native application artifacts, such as container images and Helm charts, are also used to deploy containerized applications. Supply chain security is the basic requirement for the security of enterprise applications in production environments. To achieve supply chain security, the enterprise must ensure the security of artifacts during the application building stage. In addition, the enterprise must develop access control, security scan, auditing, and admission mechanisms to detect security risks when artifacts are registered, distributed, and deployed.

  • Grant permissions and deliver credentials in compliance with the principle of least privilege

    An authorization approach that is based on a unified identity authentication system is the basis of an access control system that follows the zero-trust security model. Security administrators must manage access to cloud resources and containerized applications with strict adherence to the principle of least privilege. To do this, security administrators must combine the access control capabilities provided by cloud service providers and the account system of the enterprise. In addition, security administrators must set strict rules for approving the delivery of credentials. Security administrators must revoke credentials that may be exposed and exploited to escalate privileges at the earliest opportunity. Security administrators must reject the deployment of containers that are granted excessive permissions. This minimizes the chances of attacks.

  • Focus on data security and runtime security

    Security administrators must continue the security work after applications are deployed. To focus on the runtime security of applications, administrators must develop a comprehensive audit system for resource requests. In addition, security administrators must use the runtime monitoring system, runtime alerting system, and event notification system that are provided by cloud service providers. This way, security administrators can receive notifications of attacks and security risks in a timely manner. To ensure security for all classes of sensitive data, such as database passwords and private keys of certificates, security administrators must enforce key encryption and use the key management methods, disk encryption capabilities, and confidential computing features provided by cloud service providers. This secures data transfer and data storage.

  • Patch vulnerabilities and update components promptly

    Attackers can exploit vulnerabilities of operating systems that run on VMs, vulnerabilities of container images, and vulnerabilities of the container platform to intrude into applications. Therefore, security administrators and O&M engineers must fix vulnerabilities and update component versions, such as Kubernetes versions and image versions, based on the suggestions of cloud service providers. In addition, security training is required to improve the security awareness of employees.