Aqua Blog

Kubernetes Version 1.23: What’s New for Security? 

Like clockwork, a new Kubernetes release is upon us, with loads of interesting new features. A couple of the key features in Kubernetes 1.23 are hitting the beta level and will be enabled by default. In this post, we’ll explain what they mean for security, both in terms of improving cluster security and what you need to account for as new clusters are rolled out with this version. 

Support for ephemeral containers 

One of the challenges of maintaining a containerized application has always been how you troubleshoot it. When trying to keep image sizes down, there’s pressure not to include many diagnostics tools in the images, but that can cause problems when troubleshooting production issues. Ephemeral containers aim to solve this problem by allowing temporary containers to be added to running pods to facilitate problem diagnosis and troubleshooting. 

From a Kubernetes security standpoint, this has an immediate benefit. We can now slim down base container images that might in the past have needed tooling to be included. That reduces the attack surface and makes vulnerability management easier. 

However, there’s some work to be done when implementing this feature. If a cluster uses admission controllers to manage the workload’s security, the policies used will need to be updated to include support for ephemeral containers. Otherwise, there’s a risk that the controls could be bypassed. 

The reason is that ephemeral containers live in a separate section of the pod specification. Most admission controller rules are written to inspect the containers and initContainers lists for security configuration, so they will need to be updated to inspect the ephemeralContainers list of the pod specification as well.

Windows HostProcess containers 

Another feature that’s hitting beta in version 1.23 is HostProcess containers for Windows. Adding this feature will enable several use cases in the Windows containers world, allowing for management of host resources from a container. HostProcess containers allow for access to the underlying host as privileged users such as NT AUTHORITY\SYSTEM. 

But there are a couple of things to be aware of from a security standpoint. The first is that companies using Windows containers will need to ensure that rights to create privileged containers are carefully controlled. Previously, easy privilege-escalation routes from Windows containers to the underlying host were limited. But with this new feature, an attacker that can create a new Windows container may also be able to get wide access to the underlying host. 

Another area where some security work may be required is similar to the ephemeral containers feature. Admission controllers used by Kubernetes clusters will need to be updated to account for this feature, as it doesn’t re-use existing settings like privileged, but instead uses a new hostProcess setting. More details are available in the Kubernetes documentation. 
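As an added illustration (not code from this post or from Aqua), here is a minimal pod-spec policy check in Python that shows the gap described in both the ephemeral containers and HostProcess sections above: a rule that only inspects the containers list misses a privileged ephemeral container, and a rule keyed on the privileged flag never sees the Windows hostProcess setting. The two pod definitions are constructed for the example.

```python
# Constructed sample pods (not from the post). The Linux pod's only privileged
# container sits in ephemeralContainers; the Windows pod requests HostProcess
# at pod level without touching the privileged flag at all.
LINUX_POD = {
    "kind": "Pod",
    "spec": {
        "containers": [{"name": "app", "image": "nginx"}],
        "ephemeralContainers": [
            {"name": "debug", "image": "busybox",
             "securityContext": {"privileged": True}},
        ],
    },
}
WINDOWS_POD = {
    "kind": "Pod",
    "spec": {
        "securityContext": {"windowsOptions": {"hostProcess": True}},
        "containers": [{"name": "agent", "image": "example/agent"}],
    },
}

def naive_violations(pod):
    """Pre-1.23 style rule: only inspects spec.containers for privileged."""
    return [f"{c['name']}: privileged"
            for c in pod["spec"].get("containers", [])
            if (c.get("securityContext") or {}).get("privileged")]

# Every pod-spec list that can carry a container definition.
CONTAINER_FIELDS = ("initContainers", "containers", "ephemeralContainers")

def violations(pod):
    """Updated rule: walks all three container lists and also checks the
    hostProcess flag, which is separate from 'privileged' and may be set
    at pod level (inherited) or per container."""
    spec = pod["spec"]
    pod_hp = ((spec.get("securityContext") or {})
              .get("windowsOptions") or {}).get("hostProcess", False)
    found = []
    for field in CONTAINER_FIELDS:
        for c in spec.get(field, []):
            sc = c.get("securityContext") or {}
            if sc.get("privileged"):
                found.append(f"{field}/{c['name']}: privileged")
            c_hp = (sc.get("windowsOptions") or {}).get("hostProcess")
            if c_hp or (c_hp is None and pod_hp):
                found.append(f"{field}/{c['name']}: hostProcess")
    return found
```

Against LINUX_POD the naive rule returns nothing while the updated rule reports the privileged ephemeral container, and against WINDOWS_POD it reports the agent container as hostProcess. Note that ephemeral containers are added through the pods/ephemeralcontainers subresource, so a validating webhook must also be registered for that subresource or it will never see them.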

It’s also worth noting that for clusters that still use the deprecated Pod Security Policy feature, there is no direct support for limiting Windows HostProcess containers. At the moment, it may still be possible to control them indirectly by blocking other features required by HostProcess containers, such as host network access, but this isn’t a recommended long-term solution. 

PodSecurity admission controller graduated to beta 

With the deprecation of PodSecurityPolicy in Kubernetes 1.21, there has been a need for an in-tree replacement to supplement the external admission controller solutions that are available to help manage pod security. 

This feature is focused on providing an easy-to-use pod security facility. It allows for cluster administrators to set one of the three pod security standard levels at a Kubernetes namespace level and should be a good match for simpler cluster configurations. It’s worth evaluating whether this is a good match for your requirements or if a more flexible solution is required. 

Conclusion

As with every Kubernetes release, there are things you should consider from a security standpoint. While new improvements can help make your clusters more secure, it’s important to think about updates to your policies and controls to make sure they take account of those new features.

Rory McCune
Rory was a Cloud Native Security Advocate at Aqua. He has worked in the Information and IT Security arena for the last 20 years in a variety of roles. He is an active member of the container security community, having delivered presentations at a variety of IT and Information security conferences. He has also presented at major containerization conferences and is an author of the CIS Benchmarks for Docker and Kubernetes and main author of the Mastering Container Security training course, which has been delivered at numerous industry conferences including Black Hat USA.