When deploying NCP, it is important to take steps to secure both the Kubernetes and the NSX environments.
Restrict NCP to Run Only on Designated Nodes
NCP has access to the NSX management plane and should be restricted to run only on designated infrastructure nodes. You can identify these nodes with an appropriate label. A nodeSelector for this label should then be applied to the NCP ReplicationController specification/ For example,
nodeSelector: nsx-infra: True
You can also use other mechanisms, such as affinity, to assign pods to nodes. For more information, see https://kubernetes.io/docs/concepts/configuration/assign-pod-node.
Ensure that the Docker Engine is Up To Date
Docker periodically releases security updates. An automated procedure should be implemented to apply these updates.
Disallow NET_ADMIN and NET_RAW Capabilities of Untrusted Containers
Linux capabilities NET_ADMIN and NET_RAW can be exploited by attackers to compromise the pod network. You should disable these two capabilities of untrusted containers. By default, NET_ADMIN capability is not granted to a non-privileged container. Be wary if a pod specification explicitly enables it or sets the container to be in a privileged mode. In addition, for untrusted containers, disable NET_RAW by specifying NET_RAW in the list of dropped capabilities in the SecurityContext configuration of the container's specification. For example,
securityContext: capabilities: drop: - NET_RAW - ...
Role-Based Access Control
Kubernetes uses Role-Based Access Control (RBAC) APIs to drive authorization decisions, allowing administrators to dynamically configure policies. For more information, see the Kubernetes documentation about RBAC.
Typically, the cluster administrator is the only user with privileged access and roles. For user and service accounts, the principle of least privilege must be followed when granting access.
The following guidelines are recommended:
- Restrict access to Kubernetes API tokens to pods which need them.
- Restrict access to NCP ConfigMap and NSX API client certificate's TLS secrets to the NCP pod.
- Block access to Kubernetes networking API from pods that do not require such access.
- Add a Kubernetes RBAC policy to specify which pods can have access to the Kubernetes API.
The recommended RBAC policy is already in the NCP YAML file and will be effective when you install NCP.