Benjamin Kušen
December 15, 2023

Kubernetes 1.29 From a Security Perspective

Kubernetes 1.29 offers a vast array of new features to bolster your security. Read on to learn everything about it.

Kubernetes 1.29 is the final release by the Kubernetes team for 2023. It introduces 49 enhancements, a mix of beta and stable features alongside a substantial number of bug fixes. As security professionals dedicated to Kubernetes, we have examined this release to identify the most noteworthy security-centric features and improvements. This post is written for users who want to know more about security and how these features can be used to bolster it.

To appreciate what these improvements mean for a Kubernetes cluster, it is necessary to grasp both their nature and their implications. Each enhancement is one element of a larger picture: a more secure, efficient, and reliable Kubernetes environment.

Overall Improvements

Kubernetes 1.29 introduces a series of general enhancements that, while not exclusively focused on security, significantly contribute to the security posture of Kubernetes clusters by improving reliability, resource management, and operational efficiency. These enhancements extend their impact across multiple Kubernetes clusters, fostering a cohesive environment that ensures consistent and heightened security across diverse infrastructure setups.

Resource Metrics Endpoint (Stable)

This feature exposes node resource metrics for primary resources, enabling more efficient resource management. It strengthens security by letting operators identify and prevent resource starvation, a potential vector for certain types of attacks. By ensuring clusters operate efficiently and allocate resources appropriately, operators can mitigate scenarios where critical workloads are under-resourced.

Learn more: KEP-727.

Pod Lifecycle Sleep Action (Alpha)

The introduction of a sleep action to delay pod termination is invaluable for debugging and aids in the shutdown of services. This feature allows administrators to inspect and capture pod states before termination, offering valuable insights for identifying and addressing security issues.

<pre class="codeWrap"><code>apiVersion: v1
kind: Pod
metadata:
  name: my-debug-pod
spec:
  containers:
  - name: my-container
    image: my-image
    lifecycle:          # lifecycle hooks belong to the container, not the pod spec
      preStop:
        sleep:
          seconds: 60   # delay termination by 60 seconds before the TERM signal is sent
</code></pre>

Learn more: KEP-3960

Sidecar Containers (Beta)

Sidecar containers, auxiliary containers that augment primary containers, benefit from improved handling of their lifecycle events. This ensures more reliable management of logging, monitoring, and security agents running as sidecars.

The default enabling of sidecar containers in this version, along with the ability to terminate them in reverse order to startup, enhances the reliability of these critical services throughout the main application's lifecycle.

They are defined as init containers with a specific restart policy:

<pre class="codeWrap"><code>apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  initContainers:
  - name: proxy
    image: envoy:latest
    # Unlike other init containers, this init container will always be running:
    restartPolicy: Always
  …
</code></pre>

Learn more: KEP-753

Transition SPDY to WebSockets (Alpha)

This change begins deprecating SPDY in favor of WebSockets for Kubernetes API server communications. WebSockets provide a more modern and widely supported protocol, improving the reliability and maintainability of Kubernetes communications. The shift contributes to security by keeping Kubernetes on a robust, well-maintained communication protocol.

Learn more: KEP-4006

Strengthening of Security

Building upon the solid foundation of general enhancements in Kubernetes 1.29, the release focuses on features explicitly designed to enhance the security of the Kubernetes ecosystem. These enhancements target critical aspects of cloud-native security, including authentication, authorization, and secure workload management.

Structured Authorization Configuration (Alpha)

Authorization in Kubernetes, traditionally managed through RBAC, gains a more structured configuration model. This model improves manageability and traceability, simplifying security audits and making access policies easier to enforce and verify.

The following configuration, for instance, protects CRDs in the kube-system namespace from deletion:

<pre class="codeWrap"><code>apiVersion: apiserver.config.k8s.io/v1alpha1
kind: AuthorizationConfiguration
authorizers:
  - type: Webhook
    name: crd-protector
    webhook:
      ...
      failurePolicy: Deny     # a failing webhook call denies the request
      ...
      matchConditions:        # the webhook is only consulted when all conditions hold
      - expression: has(request.resourceAttributes)
      - expression: request.resourceAttributes.namespace == 'kube-system'
      - expression: request.resourceAttributes.verb in ['update', 'delete','deletecollection']
  - type: Node
  - type: RBAC
</code></pre>
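
To make the semantics of the configuration concrete, here is an added example (not Kubernetes code) that models the authorizer chain declared above: each authorizer returns Allow, Deny or NoOpinion and the first definitive answer wins, the webhook is consulted only when every matchCondition holds, and failurePolicy: Deny turns a webhook failure into a denial. The Node authorizer and the RBAC rules are stand-ins chosen for the example.

```python
# Added example (not Kubernetes code): a model of the authorizer chain
# declared in the AuthorizationConfiguration above. Each authorizer returns
# Allow, Deny or NoOpinion and the first definitive answer wins; the webhook
# is consulted only when every matchCondition holds, and failurePolicy: Deny
# turns a webhook failure into a denial. The Node authorizer is left out.
from dataclasses import dataclass
from typing import Callable, List

ALLOW, DENY, NO_OPINION = "Allow", "Deny", "NoOpinion"


@dataclass
class Request:
    user: str
    groups: List[str]
    verb: str
    namespace: str = ""
    resource: str = ""  # empty for non-resource requests such as /healthz


# The page's three matchConditions, rewritten as Python predicates.
MATCH_CONDITIONS = [
    lambda r: bool(r.resource),  # has(request.resourceAttributes)
    lambda r: r.namespace == "kube-system",
    lambda r: r.verb in ("update", "delete", "deletecollection"),
]


def webhook_authorizer(r: Request, call: Callable[[Request], str]) -> str:
    """type: Webhook with failurePolicy: Deny; `call` performs the remote check."""
    if not all(cond(r) for cond in MATCH_CONDITIONS):
        return NO_OPINION  # skipped entirely: fall through to the next authorizer
    try:
        return call(r)
    except Exception:
        return DENY  # webhook unreachable or erroring: fail closed


def rbac_authorizer(r: Request) -> str:
    # Constructed stand-in for RBAC: only members of system:masters are bound.
    return ALLOW if "system:masters" in r.groups else NO_OPINION


def authorize(r: Request, call: Callable[[Request], str]) -> str:
    """Run the chain in the configured order and return the final decision."""
    chain = (lambda req: webhook_authorizer(req, call), rbac_authorizer)
    for authorizer in chain:
        decision = authorizer(r)
        if decision != NO_OPINION:
            return decision
    return DENY  # nobody allowed it: the API server responds 403
```

Note that a deletion in kube-system is denied as soon as the webhook is unreachable, even for a cluster admin, while the same user's reads or requests in other namespaces never touch the webhook.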

Learn more: KEP-3221

Bound Service Account Token Improvements (Alpha)

Enhancing the security of service account tokens, Kubernetes 1.29 binds these tokens to specific pod instances, thwarting potential misuse if exfiltrated. This linkage of service account token use to the pod's lifecycle reduces the window of opportunity for attackers to exploit a stolen token.

Learn more: KEP-4193

Reduction of Secret-Based Service Account Tokens (Beta)

In tandem with the "Bound Service Account Token Improvements" enhancement and narrowing the scope of service account tokens, this improvement seeks to diminish reliance on long-lived secret-based service account tokens.

By limiting the use of these tokens, the potential attack surface is significantly reduced, aligning with the industry trend of short-lived, just-in-time credentials.

Learn more: KEP-2799

Ensure Secret Pulled Images (Alpha)

Container images often contain sensitive components, so image pull operations must be secured. The new alpha feature ensures that images are always pulled using the image pull secrets of the Pod that uses them.

This is crucial to prevent unauthorized access, as it secures the image pull process, preventing attackers from intercepting or tampering with container images and maintaining workload integrity.

Learn more: KEP-2535

Support for User Namespaces (Alpha)

This alpha enhancement introduces support for user namespaces, allowing more granular control over containerized processes. It provides better isolation and separation of workloads, reducing the risk of privilege escalation attacks.

Enabling a user namespace for a pod, for instance, is achieved by setting the hostUsers field:

<pre class="codeWrap"><code>apiVersion: v1
kind: Pod
metadata:
 name: my-pod
spec:
 hostUsers: false
 containers:
 - name: shell
   command: ["sleep", "infinity"]
   image: debian
</code></pre>
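
As an added example (not Kubernetes code), the following shows how a process can confirm that it actually runs in a user namespace, which is what hostUsers: false gives the pod above: the kernel exposes the ID mapping in /proc/self/uid_map. The sample maps are constructed, and the 65536-ID range per pod is an assumption about the kubelet's allocation.

```python
# Added example (not Kubernetes code): how a process can tell whether it runs
# in a user namespace, which is what hostUsers: false gives the pod above.
# The kernel exposes the ID mapping in /proc/self/uid_map as lines of
# "<inside start> <outside start> <length>". The sample maps are constructed;
# the 65536-ID range is assumed to match what the kubelet allocates per pod.
from typing import List, Optional, Tuple

IDENTITY_MAP = [(0, 0, 4294967295)]  # what the initial (host) namespace shows


def parse_uid_map(text: str) -> List[Tuple[int, int, int]]:
    """Parse uid_map/gid_map text into (inside, outside, length) rows."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            inside, outside, length = (int(x) for x in line.split())
            rows.append((inside, outside, length))
    return rows


def host_uid_for(rows: List[Tuple[int, int, int]], uid: int) -> Optional[int]:
    """Translate a uid seen inside the container to the host uid; None if unmapped."""
    for inside, outside, length in rows:
        if inside <= uid < inside + length:
            return outside + (uid - inside)
    return None


def is_user_namespaced(text: str) -> bool:
    """False only for the identity map of the initial namespace."""
    return parse_uid_map(text) != IDENTITY_MAP


# Constructed samples: hostUsers: true (or unset) versus hostUsers: false.
HOST_MAP = "         0          0 4294967295\n"
POD_MAP = "         0    1310720      65536\n"  # container root is host uid 1310720


def read_live_uid_map() -> str:
    """Read the real map of this process (Linux only)."""
    with open("/proc/self/uid_map", encoding="ascii") as f:
        return f.read()
```

With the pod map, root inside the container (uid 0) is an unprivileged host uid, and any uid outside the 65536-ID range has no host identity at all.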

Learn more: 

Structured Authentication Configuration (Alpha)

In tandem with the authorization counterpart, Kubernetes 1.29 introduces another alpha feature for structured configuration for authentication mechanisms. This enhancement provides users with a more maintainable and secure approach to managing authentication, allowing administrators to implement complex authentication schemes more efficiently and with fewer errors.

With this enhancement, configuring multiple OIDC providers, clients, and validation rules is possible:

<pre class="codeWrap"><code>apiVersion: apiserver.config.k8s.io/v1alpha1
kind: AuthenticationConfiguration
jwt:
- issuer:
  claimValidationRules:
  ...
  - expression: 'claims.exp - claims.nbf <= 86400'
    message: total token lifetime must not exceed 24 hours
  claimMappings:
    username:
      expression: 'claims.username + ":external-user"'
    groups:
      expression: 'claims.roles.split(",")'
    …
  userValidationRules:
  - expression: "!user.username.startsWith('system:')"
    message: username cannot use reserved system: prefix
  - expression: "user.groups.all(group, !group.startsWith('system:'))"
    message: groups cannot use reserved system: prefix
</code></pre>
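
To show what these rules do to a token, here is an added example (not Kubernetes code) that applies them in the order the API server uses: claim validation, then claim mapping, then user validation on the mapped identity. The CEL expressions are rewritten as plain Python, the tokens are constructed test inputs with a placeholder signature, and the signature and issuer checks that the real API server performs first are not modelled.

```python
# Added example (not Kubernetes code): the rules from the configuration above
# applied in API-server order: claim validation, claim mapping, user validation.
# CEL is rewritten as plain Python; tokens are constructed test inputs with a
# placeholder signature, so signature and issuer checks are not modelled.
import base64
import json
from typing import Optional

MAX_LIFETIME = 86400  # claims.exp - claims.nbf <= 86400

def decode_payload(token: str) -> dict:
    """Return the claims segment of a JWT (no signature verification here)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def validate_claims(claims: dict) -> Optional[str]:
    if claims["exp"] - claims["nbf"] > MAX_LIFETIME:
        return "total token lifetime must not exceed 24 hours"
    return None

def map_claims(claims: dict) -> dict:
    return {
        "username": claims["username"] + ":external-user",  # claimMappings.username
        "groups": claims["roles"].split(","),               # claimMappings.groups
    }

def validate_user(user: dict) -> Optional[str]:
    if user["username"].startswith("system:"):
        return "username cannot use reserved system: prefix"
    if any(g.startswith("system:") for g in user["groups"]):
        return "groups cannot use reserved system: prefix"
    return None

def authenticate(token: str) -> tuple:
    """Return (user, None) when accepted or (None, reason) when rejected."""
    claims = decode_payload(token)
    reason = validate_claims(claims)
    if reason:
        return None, reason
    user = map_claims(claims)
    reason = validate_user(user)
    return (None, reason) if reason else (user, None)

def make_token(claims: dict) -> str:
    """Build a constructed JWT with a placeholder signature for local tests."""
    def seg(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{seg({'alg': 'RS256', 'typ': 'JWT'})}.{seg(claims)}.sig-placeholder"
```

The user validation rules are what stop an external identity provider from minting a username or group in the reserved system: namespace, which is why they run on the mapped identity rather than on the raw claims.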

Learn more: KEP-3331

KMS v2 Improvements (Stable)

Critical for the secure management and encryption of secrets, the Kubernetes Key Management Service (KMS) undergoes stable improvements in the 1.29 release. Focusing on enhancing the KMS plugin framework, these improvements ensure that Kubernetes secrets remain a robust and secure method for storing sensitive information.

Learn more: KEP-3299

Final Verdict

The Kubernetes 1.29 release underscores the community's commitment to continuous improvement, introducing various updates that enhance stability and efficiency. From a security perspective, we've highlighted how the release contributes to the fortification of Kubernetes, addressing emerging threats in the landscape.

For a comprehensive overview of v1.29's new features and impact, visit the Kubernetes project's official blog and GitHub repository.
