# Security > 🛡️ **Keamanan Production**: Panduan komprehensif untuk mengamankan Kubernetes cluster dan aplikasi. *** ## 📋 **Daftar Isi** ### **🔐 Security Fundamentals** * [Principle of Least Privilege](#principle-of-least-privilege) * [Defense in Depth](#defense-in-depth) * [Zero Trust Architecture](#zero-trust-architecture) * [Compliance & Auditing](#compliance--auditing) ### **👥 RBAC & IAM** * [Role-Based Access Control](#role-based-access-control-rbac) * [Service Accounts](#service-accounts) * [Pod Security Policies](#pod-security-policies) * [API Server Security](#api-server-security) ### **🔑 Secrets Management** * [Kubernetes Secrets](#kubernetes-secrets) * [External Secret Stores](#external-secret-stores) * [Secret Encryption](#secret-encryption) * [Secret Rotation](#secret-rotation) ### **🌐 Network Security** * [Network Policies](#network-policies) * [Service Mesh Security](#service-mesh-security) * [Ingress Security](#ingress-security) * [CNI Security](#cni-security) ### **🛡️ Container Security** * [Image Security](#image-security) * [Runtime Security](#runtime-security) * [Container Runtime Interface (CRI)](#container-runtime-interface-cri) * [Vulnerability Scanning](#vulnerability-scanning) ### **🔍 Security Tools & Monitoring** * [Security Auditing](#security-auditing) * [Intrusion Detection](#intrusion-detection) * [Security Monitoring](#security-monitoring) * [Compliance Tools](#compliance-tools) *** ## 🔐 **Security Fundamentals** ### Principle of Least Privilege **📖 Konsep Dasar** Setiap user, service, atau pod hanya mendapatkan akses minimum yang diperlukan untuk menjalankan tugasnya. **🎯 Implementasi** ```yaml # Example: Minimal RBAC permissions apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: namespace: production name: app-deployer rules: - apiGroups: ["apps"] resources: ["deployments"] verbs: ["get", "list", "watch", "create", "update", "patch"] - apiGroups: [""] resources: ["pods"] verbs: ["get", "list", "watch"] ``` **🔧 Best Practices** * Gunakan specific verbs instead of wildcard (`*`) * Limit scope ke namespace tertentu * Review permissions secara berkala * Implement time-bound access ### Defense in Depth **🛡️ Multi-Layer Security** ```yaml # Layer 1: Network Security apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: deny-all spec: podSelector: {} policyTypes: - Ingress - Egress # Layer 2: Pod Security apiVersion: v1 kind: Pod metadata: name: secure-pod spec: securityContext: runAsNonRoot: true runAsUser: 1000 fsGroup: 2000 containers: - name: app image: nginx:alpine securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true capabilities: drop: - ALL ``` ### Zero Trust Architecture **🚫 Never Trust, Always Verify** ```yaml # Zero Trust Network Policy apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: zero-trust spec: podSelector: matchLabels: app: sensitive-app policyTypes: - Ingress - Egress ingress: - from: - podSelector: matchLabels: app: trusted-service ports: - protocol: TCP port: 8080 egress: - to: - podSelector: matchLabels: app: database ports: - protocol: TCP port: 5432 ``` ### Compliance & Auditing **📊 Audit Policy Configuration** ```yaml # audit-policy.yaml apiVersion: audit.k8s.io/v1 kind: Policy rules: - level: Metadata namespaces: ["kube-system", "default", "production"] resources: - group: "" resources: ["secrets", "configmaps", "pods"] - group: "rbac.authorization.k8s.io" resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"] - level: Request resources: - group: "" resources: ["events"] namespaces: ["*"] ``` **⚙️ Enable Audit Logging** ```bash # API Server with audit logging kube-apiserver \ --audit-policy-file=/etc/kubernetes/audit-policy.yaml \ --audit-log-path=/var/log/kubernetes/audit.log \ --audit-log-maxage=30 \ --audit-log-maxbackup=10 \ --audit-log-maxsize=100 ``` *** ## 👥 **RBAC & IAM** ### Role-Based Access Control (RBAC) **🎯 RBAC Components** ```yaml # Role (namespace-scoped) apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: namespace: production name: developer rules: - apiGroups: ["", "apps", "batch"] resources: ["pods", "deployments", "jobs"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] # ClusterRole (cluster-scoped) apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cluster-admin rules: - apiGroups: ["*"] resources: ["*"] verbs: ["*"] # RoleBinding apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: developer-binding namespace: production subjects: - kind: User name: "developer@example.com" apiGroup: rbac.authorization.k8s.io roleRef: kind: Role name: developer apiGroup: rbac.authorization.k8s.io ``` **🔧 Common RBAC Patterns** ```yaml # Read-only access apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: readonly rules: - apiGroups: ["*"] resources: ["*"] verbs: ["get", "list", "watch"] # Deployment manager apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: deployment-manager rules: - apiGroups: ["apps"] resources: ["deployments", "replicasets"] verbs: ["*"] - apiGroups: [""] resources: ["pods"] verbs: ["get", "list", "watch"] # Service account access apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: service-account-access rules: - apiGroups: [""] resources: ["pods"] verbs: ["get", "list", "watch"] ``` ### Service Accounts **🔑 Service Account Configuration** ```yaml # Service Account apiVersion: v1 kind: ServiceAccount metadata: name: app-service-account namespace: production automountServiceAccountToken: false # Pod with service account apiVersion: v1 kind: Pod metadata: name: secure-pod namespace: production spec: serviceAccountName: app-service-account containers: - name: app image: nginx ``` **🔐 Service Account with Permissions** ```yaml # Role for service account apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: app-role namespace: production rules: - apiGroups: [""] resources: ["configmaps"] verbs: ["get", "list"] # Bind role to service account apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: app-binding namespace: production subjects: - kind: ServiceAccount name: app-service-account namespace: production roleRef: kind: Role name: app-role apiGroup: rbac.authorization.k8s.io ``` ### Pod Security Policies **🛡️ Pod Security Standards** ```yaml # Restricted Pod Security Standard apiVersion: v1 kind: Pod metadata: name: restricted-pod spec: securityContext: runAsNonRoot: true runAsUser: 1000 runAsGroup: 3000 fsGroup: 2000 seccompProfile: type: RuntimeDefault containers: - name: app image: nginx:alpine securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true capabilities: drop: - ALL runAsNonRoot: true runAsUser: 1000 ``` **⚙️ Pod Security Admission** ```yaml # Apply pod security standards at namespace level apiVersion: v1 kind: Namespace metadata: name: secure-namespace labels: pod-security.kubernetes.io/enforce: restricted pod-security.kubernetes.io/audit: restricted pod-security.kubernetes.io/warn: restricted ``` ### API Server Security **🔒 API Server Hardening** ```bash # Secure API Server configuration kube-apiserver \ --authorization-mode=Node,RBAC \ --enable-admission-plugins=NodeRestriction,PodSecurityPolicy \ --allow-privileged=false \ --anonymous-auth=false \ --enable-bootstrap-token-auth=true \ --token-auth-file=/etc/kubernetes/token.csv \ --service-account-key-file=/etc/kubernetes/sa.key \ --service-account-lookup=true \ --service-account-issuer=kubernetes.default.svc.cluster.local \ --service-account-signing-key-file=/etc/kubernetes/sa.key \ --audit-policy-file=/etc/kubernetes/audit-policy.yaml \ --audit-log-path=/var/log/kubernetes/audit.log ``` *** ## 🔑 **Secrets Management** ### Kubernetes Secrets **🔑 Basic Secret Usage** ```yaml # Create secret from literals apiVersion: v1 kind: Secret metadata: name: app-secret namespace: production type: Opaque data: username: YWRtaW4= # admin (base64) password: MWYyZDFlMmU2N2Rm # 1f2d1e2e67df (base64) # Secret for database credentials apiVersion: v1 kind: Secret metadata: name: db-secret type: Opaque stringData: host: "db.production.svc.cluster.local" username: "app_user" password: "secure_password_123" ``` **🔧 Secret in Pod** ```yaml apiVersion: v1 kind: Pod metadata: name: app-with-secret spec: containers: - name: app image: myapp:latest env: - name: DB_HOST valueFrom: secretKeyRef: name: db-secret key: host - name: DB_PASSWORD valueFrom: secretKeyRef: name: db-secret key: password volumeMounts: - name: secret-volume mountPath: /etc/secrets readOnly: true volumes: - name: secret-volume secret: secretName: app-secret ``` ### External Secret Stores **🔐 HashiCorp Vault Integration** ```yaml # Vault injector configuration apiVersion: v1 kind: ServiceAccount metadata: name: vault-injector namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: vault-injector-binding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - kind: ServiceAccount name: vault-injector namespace: default # Pod with Vault secrets apiVersion: v1 kind: Pod metadata: name: app-with-vault annotations: vault.hashicorp.com/agent-inject: "true" vault.hashicorp.com/role: "app-role" vault.hashicorp.com/agent-inject-secret-db-creds: "secret/data/app/db" vault.hashicorp.com/agent-inject-template-db-creds: | {{- with secret "secret/data/app/db" -}} export DB_HOST="{{ .Data.data.host }}" export DB_USERNAME="{{ .Data.data.username }}" export DB_PASSWORD="{{ .Data.data.password }}" {{- end }} spec: serviceAccountName: vault-injector containers: - name: app image: myapp:latest command: ["/bin/sh", "-c"] args: - source /vault/secrets/db-creds && ./run-app.sh ``` **🔧 AWS Secrets Manager** ```yaml # External secret with AWS Secrets Manager apiVersion: external-secrets.io/v1beta1 kind: SecretStore metadata: name: aws-store spec: provider: aws: service: SecretsManager region: us-west-2 auth: jwt: serviceAccountRef: name: eso-service-account --- apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: app-external-secret spec: refreshInterval: 1h secretStoreRef: name: aws-store kind: SecretStore target: name: app-secret creationPolicy: Owner data: - secretKey: db_password remoteRef: key: prod/app/database property: password ``` ### Secret Encryption **🔐 Enable Encryption at Rest** ```yaml # encryption-config.yaml apiVersion: apiserver.config.k8s.io/v1 kind: EncryptionConfiguration resources: - resources: - secrets providers: - aescbc: keys: - name: key1 secret: - identity: {} ``` **⚙️ Configure API Server with Encryption** ```bash # Start API Server with encryption kube-apiserver \ --encryption-provider-config=/etc/kubernetes/encryption-config.yaml \ --experimental-encryption-provider-config=/etc/kubernetes/encryption-config.yaml ``` ### Secret Rotation **🔄 Manual Secret Rotation** ```bash # Create new secret kubectl create secret generic new-app-secret \ --from-literal=password=new_secure_password # Update deployment to use new secret kubectl patch deployment app-deployment \ -p '{"spec":{"template":{"spec":{"containers":[{"name":"app","env":[{"name":"APP_PASSWORD","valueFrom":{"secretKeyRef":{"name":"new-app-secret","key":"password"}}}]}]}}}}' # Verify and delete old secret kubectl get pods -l app=myapp kubectl delete secret old-app-secret ``` **🔧 Automated Secret Rotation with External Secrets** ```yaml apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: rotating-secret spec: refreshInterval: 5m # Check every 5 minutes secretStoreRef: name: vault-store kind: SecretStore target: name: app-secret creationPolicy: Owner data: - secretKey: api_key remoteRef: key: secret/data/app/api property: key ``` *** ## 🌐 **Network Security** ### Network Policies **🛡️ Default Deny All** ```yaml apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-deny-all namespace: production spec: podSelector: {} policyTypes: - Ingress - Egress ``` **🔧 Allow Specific Traffic** ```yaml # Allow DNS traffic apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-dns namespace: production spec: podSelector: {} policyTypes: - Egress egress: - to: [] ports: - protocol: UDP port: 53 - protocol: TCP port: 53 # Allow traffic to external services apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-external-https namespace: production spec: podSelector: matchLabels: app: web-app policyTypes: - Egress egress: - to: [] ports: - protocol: TCP port: 443 ``` ### Service Mesh Security **🔐 Istio Security Configuration** ```yaml # Authorization policy apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: app-authz namespace: production spec: selector: matchLabels: app: secure-app rules: - from: - source: principals: ["cluster.local/ns/production/sa/frontend-sa"] - to: - operation: methods: ["GET", "POST"] # Peer authentication apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: default namespace: production spec: mtls: mode: STRICT ``` ### Ingress Security **🔒 Secure Ingress Configuration** ```yaml apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: secure-ingress annotations: nginx.ingress.kubernetes.io/ssl-redirect: "true" nginx.ingress.kubernetes.io/force-ssl-redirect: "true" nginx.ingress.kubernetes.io/limit-connections: "100" nginx.ingress.kubernetes.io/limit-rps: "50" cert-manager.io/cluster-issuer: "letsencrypt-prod" nginx.ingress.kubernetes.io/enable-modsecurity: "true" nginx.ingress.kubernetes.io/modsecurity-snippet: | SecRuleEngine On SecRequestBodyAccess On SecResponseBodyAccess Off spec: tls: - hosts: - secure.example.com secretName: secure-tls rules: - host: secure.example.com http: paths: - path: / pathType: Prefix backend: service: name: secure-service port: number: 443 ``` ### CNI Security **🔧 Calico Network Security** ```yaml # Calico network policy apiVersion: projectcalico.org/v3 kind: NetworkPolicy metadata: name: secure-app-policy namespace: production spec: selector: app == 'secure-app' ingress: - action: Allow protocol: TCP source: selector: app == 'frontend' destination: ports: - 8080 egress: - action: Allow protocol: TCP destination: selector: app == 'database' ports: - 5432 - action: Deny protocol: TCP destination: notSelector: app == 'trusted-app' ports: - 0:65535 ``` *** ## 🛡️ **Container Security** ### Image Security **🔒 Secure Image Configuration** ```dockerfile # Use minimal base image FROM alpine:3.18 # Create non-root user RUN addgroup -g 1001 -S appgroup && \ adduser -u 1001 -S appuser -G appgroup # Set working directory WORKDIR /app # Copy and set permissions COPY --chown=appuser:appgroup . . RUN chmod +x /app/start.sh # Switch to non-root user USER appuser # Health check HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \ CMD curl -f http://localhost:8080/health || exit 1 # Set entrypoint ENTRYPOINT ["/app/start.sh"] ``` **🔧 Image Security Scanning** ```bash # Trivy image scan trivy image myapp:latest # Clair image scan clairctl analyze myapp:latest # Docker security scan docker scan myapp:latest ``` ### Runtime Security **🛡️ Falco Runtime Security** ```yaml # Falco rules apiVersion: v1 kind: ConfigMap metadata: name: falco-rules data: rules.yaml: | - rule: Shell in container desc: A shell was spawned in a container condition: > spawned_process and container and shell_procs and not proc.name in (bash, sh) output: > Shell spawned in container (user=%user.name container=%container.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline) priority: WARNING tags: [container, shell] - rule: Unexpected file access desc: Unexpected file access in container condition: > open_read and container and fd.name contains /etc/shadow output: > Access to sensitive file (user=%user.name container=%container.name file=%fd.name) priority: CRITICAL tags: [container, filesystem] ``` ### Container Runtime Interface (CRI) **🔧 Secure Container Runtime Configuration** ```yaml # containerd config version = 2 [plugins] [plugins."io.containerd.grpc.v1.cri"] [plugins."io.containerd.grpc.v1.cri".containerd] [plugins."io.containerd.grpc.v1.cri".containerd.default_runtime] runtime_type = "io.containerd.runc.v2" [plugins."io.containerd.grpc.v1.cri".containerd.default_runtime.options] SystemdCgroup = true [plugins."io.containerd.grpc.v1.cri".security] seccomp_default = true no_new_privileges = true ``` ### Vulnerability Scanning **🔍 Automated Vulnerability Scanning** ```yaml # Trivy scanner as admission controller apiVersion: v1 kind: ServiceAccount metadata: name: trivy-admission --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: trivy-admission rules: - apiGroups: [""] resources: ["pods"] verbs: ["create", "get", "list", "watch"] - apiGroups: ["admission.k8s.io"] resources: ["admissionreview"] verbs: ["create"] --- apiVersion: apps/v1 kind: Deployment metadata: name: trivy-admission spec: replicas: 2 selector: matchLabels: app: trivy-admission template: metadata: labels: app: trivy-admission spec: serviceAccountName: trivy-admission containers: - name: trivy image: aquasec/trivy:latest command: ["/usr/local/bin/trivy"] args: ["admission"] ``` *** ## 🔍 **Security Tools & Monitoring** ### Security Auditing **📊 Audit Logging Configuration** ```yaml apiVersion: v1 kind: ConfigMap metadata: name: audit-config namespace: kube-system data: policy.yaml: | apiVersion: audit.k8s.io/v1 kind: Policy rules: - level: Metadata namespaces: ["production"] resources: - group: "" resources: ["secrets"] - level: Request resources: - group: "rbac.authorization.k8s.io" resources: ["rolebindings", "clusterrolebindings"] ``` ### Intrusion Detection **🚨 Falco Deployment** ```yaml apiVersion: apps/v1 kind: DaemonSet metadata: name: falco namespace: falco spec: selector: matchLabels: app: falco template: metadata: labels: app: falco spec: serviceAccountName: falco hostNetwork: true hostPID: true hostIPC: true containers: - name: falco image: falcosecurity/falco:latest securityContext: privileged: true volumeMounts: - name: dev mountPath: /host/dev - name: proc mountPath: /host/proc - name: boot mountPath: /host/boot volumes: - name: dev hostPath: path: /dev - name: proc hostPath: path: /proc - name: boot hostPath: path: /boot ``` ### Security Monitoring **📈 Prometheus Security Metrics** ```yaml apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: name: falco-metrics namespace: monitoring spec: selector: matchLabels: app: falco endpoints: - port: metrics interval: 30s ``` ### Compliance Tools **✅ Open Policy Gatekeeper** ```yaml # Install Gatekeeper kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/v3.12.0/deploy/gatekeeper.yaml # Policy as Code apiVersion: templates.gatekeeper.sh/v1beta1 kind: ConstraintTemplate metadata: name: k8srequiredlabels spec: crd: spec: names: kind: K8sRequiredLabels targets: - target: admission.k8s.gatekeeper.sh rego: | package k8srequiredlabels violation[{"msg": msg}] { required := input.parameters.labels provided := input.review.object.metadata.labels missing := {label | required[label]} count(missing) > 0 msg := sprintf("Missing required labels: %v", [missing]) } --- apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequiredLabels metadata: name: must-have-gk-owner spec: enforcementAction: deny match: kinds: - apiGroups: [""] kinds: ["Pod"] parameters: labels: ["owner", "environment"] ``` *** ## 🎯 **Security Checklist** ### **🔐 Pre-Deployment Checklist** * [ ] Images scanned for vulnerabilities * [ ] Non-root user configured * [ ] Resource limits set * [ ] Read-only filesystem where possible * [ ] Security contexts applied * [ ] Network policies configured * [ ] Secrets encrypted * [ ] RBAC permissions reviewed ### **🌐 Network Security Checklist** * [ ] Default deny network policies * [ ] TLS encryption for all communications * [ ] Ingress security annotations * [ ] Service mesh mTLS enabled * [ ] DNS security implemented * [ ] Load balancer security groups ### **📊 Monitoring Checklist** * [ ] Audit logging enabled * [ ] Falco runtime monitoring * [ ] Security metrics collection * [ ] Alert rules configured * [ ] Log aggregation set up * [ ] Compliance reporting *** ## 🔗 **Referensi** ### **📚 Dokumentasi Resmi** * [Kubernetes Security](https://kubernetes.io/docs/concepts/security/) * [RBAC Authorization](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) * [Pod Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/) * [Network Policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) ### **🛠️ Security Tools** * [Falco Security](https://falco.org/) * [Trivy Vulnerability Scanner](https://github.com/aquasecurity/trivy) * [Open Policy Agent Gatekeeper](https://github.com/open-policy-agent/gatekeeper) * [HashiCorp Vault](https://www.vaultproject.io/) ### **📖 Security Resources** * [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes) * [Kubernetes Security Best Practices](https://kubernetes.io/docs/concepts/security/security-best-practices/) * [OWASP Kubernetes Security](https://owasp.org/www-project-kubernetes-security/) *** \*🔒 **Keamanan adalah proses berkelanjutan, bukan satu kali implementasi**