The first Kubernetes release of 2023 is here with the rollout of [v1.27](https://kubernetes.io/blog/2023/04/11/kubernetes-v1-27-release/). As with all Kubernetes releases, this version introduces several new features and builds on existing ones, and some of these updates affect cluster security. In this post, we'll look at several of these changes and highlight what they mean for security across your Kubernetes environments.
Seccomp is one of the foundational layers of container security, allowing for fine-tuned control over which Linux syscalls are permitted within a container, in order to reduce the risk of container breakout attacks. While Docker applies a default seccomp filter that blocks a number of dangerous syscalls, Kubernetes has disabled this protection by default since the early days of the project in 2016.
Although it has been possible for developers to re-enable the filter for each container in their applications, this process can be laborious and time-consuming, and to enforce the policy at a cluster level, administrators would need to use external admission control software.
A new feature that reaches stable release in this version of Kubernetes allows cluster operators to enable a seccomp profile by default that applies to each workload on the node, making it easier to apply a filter to every workload in a cluster. This update should improve security and reduce the burden of ensuring that seccomp filters are enabled on all workloads in the cluster.
Another new security feature that Kubernetes is releasing in alpha with version 1.27 is better support for user namespaces. User namespaces are a Linux feature that allows a process to operate as the root user without actually having full access to the underlying host, which can be very useful for applications that expect to run as root.
Support for this feature in Kubernetes has been under development for some time, but the changes introduced in this version move it toward final release.
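The two features above both come down to fields in a Pod spec and one kubelet setting: `securityContext.seccompProfile` (at pod or container level, with the kubelet's `seccompDefault` setting deciding what an unset container gets) and `spec.hostUsers: false` for opting a pod into a user namespace. The script below is an added example, not code from the original post or from the Kubernetes project; it audits a list of Pod objects shaped like the items of `kubectl get pods -A -o json` (the sample pods are constructed) and reports, for each container, the seccomp profile it would effectively run with and whether the pod still shares the host's user namespace.

```python
"""Audit Pod specs for their effective seccomp profile and user-namespace use.

Added example (not code from the original post or the Kubernetes project).
It applies the precedence Kubernetes documents for seccompProfile: a
container-level securityContext overrides the pod-level one, and when neither
is set the kubelet's `seccompDefault` setting decides whether the container
gets RuntimeDefault or runs Unconfined. `hostUsers: false` is the pod.spec
field that opts a pod into a user namespace (alpha, behind a feature gate).
"""
from typing import Any

Pod = dict[str, Any]


def effective_seccomp(pod: Pod, container: dict[str, Any],
                      kubelet_seccomp_default: bool) -> str:
    """Return the seccomp profile type the container actually runs with."""
    ctr_profile = container.get("securityContext", {}).get("seccompProfile")
    if ctr_profile:
        return ctr_profile["type"]
    pod_profile = pod["spec"].get("securityContext", {}).get("seccompProfile")
    if pod_profile:
        return pod_profile["type"]
    # No explicit profile anywhere: the node-wide kubelet setting decides.
    return "RuntimeDefault" if kubelet_seccomp_default else "Unconfined"


def audit_pods(pods: list[Pod], kubelet_seccomp_default: bool = False) -> list[dict[str, Any]]:
    """One finding per (init)container: effective seccomp type and user-namespace status."""
    findings = []
    for pod in pods:
        spec, meta = pod["spec"], pod["metadata"]
        # hostUsers defaults to true, i.e. the pod shares the host's user namespace.
        host_users = spec.get("hostUsers", True)
        for ctr in spec.get("initContainers", []) + spec.get("containers", []):
            profile = effective_seccomp(pod, ctr, kubelet_seccomp_default)
            findings.append({
                "pod": f"{meta['namespace']}/{meta['name']}",
                "container": ctr["name"],
                "seccomp": profile,
                "unconfined": profile == "Unconfined",
                "hostUsers": host_users,
            })
    return findings


def unconfined_containers(pods: list[Pod], kubelet_seccomp_default: bool = False) -> list[str]:
    """pod:container names that would run with no seccomp filter at all."""
    return [f"{f['pod']}:{f['container']}"
            for f in audit_pods(pods, kubelet_seccomp_default) if f["unconfined"]]


# Constructed sample pods (not real cluster data), shaped like `kubectl get pods -o json` items.
SAMPLE_PODS: list[Pod] = [
    {   # no profile anywhere: depends entirely on the kubelet default
        "metadata": {"namespace": "default", "name": "legacy-app"},
        "spec": {"containers": [{"name": "app", "image": "example/app"}]},
    },
    {   # pod-level RuntimeDefault, one container overriding with a Localhost profile
        "metadata": {"namespace": "payments", "name": "api"},
        "spec": {
            "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
            "containers": [
                {"name": "api", "image": "example/api"},
                {"name": "sidecar", "image": "example/sidecar",
                 "securityContext": {"seccompProfile": {
                     "type": "Localhost", "localhostProfile": "profiles/sidecar.json"}}},
            ],
        },
    },
    {   # opted into a user namespace; still has no seccomp profile of its own
        "metadata": {"namespace": "build", "name": "unpriv-builder"},
        "spec": {"hostUsers": False,
                 "containers": [{"name": "builder", "image": "example/builder"}]},
    },
]


if __name__ == "__main__":
    for setting in (False, True):
        print(f"kubelet seccompDefault={setting}: unconfined ->",
              unconfined_containers(SAMPLE_PODS, setting))
```

Running it with `kubelet_seccomp_default=False` (the historical Kubernetes behaviour) reports two unfiltered containers; with the node-wide default enabled the same manifests report none, which is exactly the gap the stable `seccompDefault` setting closes without touching any workload manifest.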
With a feature that reaches alpha in 1.27, cluster operators can now easily access system logs on cluster nodes via the Kubernetes API. This update helps improve cluster security by reducing the need to manually connect to cluster nodes via SSH. The feature provides access to logs held on Linux filesystems (in /var/log), logs managed using journald, and standard system and security logs on Windows.
There is a possible security concern with this feature, however, as it may allow Kubernetes users to access files that they would not normally have. It will be important for cluster operators to appropriately restrict access to this new functionality.
The Kubernetes Blog has some notes on how to enable this feature for testing and evaluation.
One well-known peculiarity of Kubernetes is that users sometimes do not have a clear idea of what their identity is in the cluster, due to the relatively unusual authentication process in Kubernetes. This can make it difficult to troubleshoot when users are having issues accessing clusters.
To address this problem, Kubernetes 1.27 introduces a new API endpoint that allows users to get information about the identity they have within the cluster. This will give users an easy way to identify themselves, which will help determine which role-based access control (RBAC) rules apply to them. The Kubernetes documentation has more information on how to make use of this feature.
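The identity the new API reports and the RBAC rules that apply to it fit together, and the node log feature above is a good reason to check both: the log query is served under the `nodes/proxy` subresource of the Node API, so whoever can `get nodes/proxy` can read node logs once the kubelet has it enabled (the `NodeLogQuery` feature gate plus `enableSystemLogQuery` in the kubelet configuration). The script below is an added example, not code from the original post or from the Kubernetes project. It takes a `userInfo` block of the kind `kubectl auth whoami -o json` returns from a SelfSubjectReview, a set of ClusterRoles and ClusterRoleBindings (all constructed sample data here), works out which rules apply to that identity with the RBAC matching semantics, and answers whether the identity can reach the node log endpoint. Only cluster-scoped bindings are modelled, which is what governs access to cluster-scoped resources such as nodes.

```python
"""Resolve the RBAC rules that apply to a SelfSubjectReview identity and
check whether it can query node logs (get on nodes/proxy).

Added example (not code from the original post or the Kubernetes project).
Assumes: userInfo shaped like the status of a SelfSubjectReview, and
ClusterRole/ClusterRoleBinding objects shaped like `kubectl get ... -o json`.
"""
from typing import Any

Rule = dict[str, list[str]]


def subject_matches(subject: dict[str, str], user_info: dict[str, Any]) -> bool:
    """RBAC subject matching: User by name, Group by membership, and
    ServiceAccount by its system:serviceaccount:<ns>:<name> username."""
    kind = subject["kind"]
    if kind == "User":
        return subject["name"] == user_info["username"]
    if kind == "Group":
        return subject["name"] in user_info.get("groups", [])
    if kind == "ServiceAccount":
        return user_info["username"] == f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    return False


def effective_rules(user_info: dict[str, Any], bindings: list[dict[str, Any]],
                    roles: list[dict[str, Any]]) -> list[Rule]:
    """Union of the rules from every ClusterRole bound to this identity."""
    roles_by_name = {r["metadata"]["name"]: r for r in roles}
    rules: list[Rule] = []
    for binding in bindings:
        if not any(subject_matches(s, user_info) for s in binding.get("subjects", [])):
            continue
        role = roles_by_name.get(binding["roleRef"]["name"])
        if role:
            rules.extend(role.get("rules") or [])
    return rules


def rule_allows(rule: Rule, api_group: str, resource: str, verb: str) -> bool:
    """Mirror RBAC resource matching: '*' wildcards, an exact resource
    (including 'nodes/proxy'), or the '*/<subresource>' form."""
    groups = rule.get("apiGroups", [])
    if "*" not in groups and api_group not in groups:
        return False
    verbs = rule.get("verbs", [])
    if "*" not in verbs and verb not in verbs:
        return False
    subresource = resource.split("/", 1)[1] if "/" in resource else ""
    for r in rule.get("resources", []):   # nonResourceURLs-only rules never match here
        if r == "*" or r == resource:
            return True
        if subresource and r == f"*/{subresource}":
            return True
    return False


def can_query_node_logs(user_info, bindings, roles) -> bool:
    """True when the identity may GET nodes/proxy, the path node log queries use."""
    return any(rule_allows(r, "", "nodes/proxy", "get")
               for r in effective_rules(user_info, bindings, roles))


# Constructed sample data (not from a real cluster).
ALICE = {"username": "alice", "uid": "u-1", "groups": ["ops", "system:authenticated"]}
BOB = {"username": "bob", "uid": "u-2", "groups": ["system:authenticated"]}
ROLES = [
    {"metadata": {"name": "node-log-reader"},
     "rules": [{"apiGroups": [""], "resources": ["nodes/proxy"], "verbs": ["get"]}]},
    {"metadata": {"name": "pod-viewer"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list"]}]},
]
BINDINGS = [
    {"metadata": {"name": "ops-node-logs"},
     "roleRef": {"kind": "ClusterRole", "name": "node-log-reader"},
     "subjects": [{"kind": "Group", "name": "ops"}]},
    {"metadata": {"name": "everyone-views-pods"},
     "roleRef": {"kind": "ClusterRole", "name": "pod-viewer"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
]

if __name__ == "__main__":
    for who in (ALICE, BOB):
        print(who["username"], "can query node logs:", can_query_node_logs(who, BINDINGS, ROLES))
```

The same check is what you would run against the output of `kubectl auth can-i get nodes/proxy` for a single identity; doing it over the bindings instead lets an operator list every group and service account that gains node log access before turning the feature on.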
Keeping track of vulnerabilities is a perennial problem for security staff. Kubernetes now provides a feed of all vulnerabilities that impact the platform, a welcome feature that has been in development for a while now.
With Kubernetes 1.27, the CVE feed has been updated to ensure it is fully compatible with the JSON specification. This allows users to easily parse the feed using any tooling that handles the JSON file format.
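The feed is published as a JSON Feed document at https://kubernetes.io/docs/reference/issues-security/official-cve-feed/index.json, so any strict JSON parser handles it. The script below is an added example, not code from the original post or from the Kubernetes project; it assumes the feed's `items` carry the standard JSON Feed fields `id`, `title`, `url`, `summary` and `date_published`. The sample feed embedded in it is constructed for the example and its CVE identifiers are placeholders, not real advisories. It validates the document, normalises the dates and offers the two queries a security team usually wants: entries published since a cutoff and entries mentioning a component.

```python
"""Parse the Kubernetes official CVE feed (JSON Feed format) and query it.

Added example (not code from the original post or the Kubernetes project).
Assumes a JSON Feed document whose items have id, title, url, summary and
date_published (RFC 3339). The embedded SAMPLE_FEED is constructed; its CVE
ids are placeholders.
"""
import json
import urllib.request
from datetime import datetime, timezone
from typing import Any

FEED_URL = "https://kubernetes.io/docs/reference/issues-security/official-cve-feed/index.json"


def parse_feed(text: str) -> list[dict[str, Any]]:
    """Validate the feed and return its items, newest first, with parsed dates."""
    doc = json.loads(text)  # strict JSON; the 1.27 feed is guaranteed to parse
    if not str(doc.get("version", "")).startswith("https://jsonfeed.org/version/1"):
        raise ValueError("not a JSON Feed document")
    items = []
    for raw in doc.get("items", []):
        for required in ("id", "title", "url", "date_published"):
            if required not in raw:
                raise ValueError(f"feed item missing {required!r}")
        # fromisoformat on older Pythons does not accept a trailing 'Z'.
        published = datetime.fromisoformat(raw["date_published"].replace("Z", "+00:00"))
        if published.tzinfo is None:
            published = published.replace(tzinfo=timezone.utc)
        items.append({"id": raw["id"], "title": raw["title"], "url": raw["url"],
                      "summary": raw.get("summary", ""), "published": published})
    return sorted(items, key=lambda i: i["published"], reverse=True)


def published_since(items: list[dict[str, Any]], cutoff: datetime) -> list[dict[str, Any]]:
    """Entries published at or after the cutoff (a timezone-aware datetime)."""
    return [i for i in items if i["published"] >= cutoff]


def mentioning(items: list[dict[str, Any]], keyword: str) -> list[dict[str, Any]]:
    """Entries whose title or summary names the given component."""
    k = keyword.lower()
    return [i for i in items if k in i["title"].lower() or k in i["summary"].lower()]


def fetch_live(url: str = FEED_URL, timeout: float = 10.0) -> list[dict[str, Any]]:
    """Download and parse the real feed (needs network; not used by the tests)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return parse_feed(resp.read().decode("utf-8"))


# Constructed sample in JSON Feed 1.1 shape; CVE ids are placeholders, not real advisories.
SAMPLE_FEED = json.dumps({
    "version": "https://jsonfeed.org/version/1.1",
    "title": "Constructed sample Kubernetes CVE feed",
    "items": [
        {"id": "CVE-0000-0001", "title": "CVE-0000-0001: kubelet example issue",
         "url": "https://example.invalid/issues/1",
         "summary": "Constructed entry affecting the kubelet.",
         "date_published": "2023-03-10T00:00:00Z"},
        {"id": "CVE-0000-0002", "title": "CVE-0000-0002: kube-apiserver example issue",
         "url": "https://example.invalid/issues/2",
         "summary": "Constructed entry affecting kube-apiserver.",
         "date_published": "2022-11-02T00:00:00Z"},
        {"id": "CVE-0000-0003", "title": "CVE-0000-0003: kubectl example issue",
         "url": "https://example.invalid/issues/3",
         "summary": "Constructed entry; the fix landed in kubelet and kubectl.",
         "date_published": "2023-01-20T00:00:00Z"},
    ],
})

if __name__ == "__main__":
    entries = parse_feed(SAMPLE_FEED)
    since = datetime(2023, 1, 1, tzinfo=timezone.utc)
    for e in published_since(entries, since):
        print(e["published"].date(), e["id"], e["title"])
```

Pointing `fetch_live()` at the real URL gives the same item list for the published feed; pairing `published_since` with the timestamp of your last review is a simple way to turn the feed into a recurring check rather than a page someone has to remember to read.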
Kubernetes v1.27 contains the usual mix of new features and feature improvements that come with each release. For cluster operators and security engineers, it’s important to keep an eye on each new release for updates that will have an impact on cluster security. With this newest version of Kubernetes, the ability to enable seccomp by default, better support for user namespaces, access to node logs via kubectl, self user attributes, and an updated CVE feed can help teams more effectively secure their clusters.