Security Considerations

When deploying NCP, it is important to take steps to secure both the Kubernetes and the NSX-T Data Center environments.
Restrict NCP to Run Only on Designated Nodes

NCP has access to the NSX-T Data Center management plane and should be restricted to run only on designated infrastructure nodes. You can identify these nodes with an appropriate label. A nodeSelector for this label should then be applied to the NCP ReplicationController specification. For example,

    nodeSelector:
      nsx-infra: True
You can also use other mechanisms, such as affinity, to assign pods to nodes. For more information, see https://kubernetes.io/docs/concepts/configuration/assign-pod-node.
Ensure that the Docker Engine is Up To Date

Docker periodically releases security updates. An automated procedure should be implemented to apply these updates.
Disallow NET_ADMIN and NET_RAW Capabilities of Untrusted Containers

Linux capabilities NET_ADMIN and NET_RAW can be exploited by attackers to compromise the pod network. You should disable these two capabilities of untrusted containers. By default, the NET_ADMIN capability is not granted to a non-privileged container. Be wary if a pod specification explicitly enables it or sets the container to be in privileged mode. In addition, for untrusted containers, disable NET_RAW by specifying NET_RAW in the list of dropped capabilities in the SecurityContext configuration of the container's specification. For example,

    securityContext:
      capabilities:
        drop:
        - NET_RAW
        - ...
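The nodeSelector and capability rules above can be checked before a pod spec is admitted. The following is an added example, not NCP's own code or part of the original page: it walks a pod spec (as the dictionary a YAML loader would produce) and reports each deviation from the guidance. The nsx-infra label value is taken from the page's example; the sample pod specs and finding strings are constructed for illustration.

```python
from typing import Any, Dict, List

# Label from the page's nodeSelector example; NCP pods must be pinned to nodes carrying it.
NCP_NODE_SELECTOR = {"nsx-infra": "True"}
# Capabilities the page says untrusted containers must not hold.
NET_CAPS = {"NET_ADMIN", "NET_RAW"}


def check_pod_spec(pod: Dict[str, Any], is_ncp: bool = False) -> List[str]:
    """Return a list of findings; an empty list means the spec follows the guidance."""
    findings: List[str] = []
    spec = pod.get("spec", {})
    if is_ncp:
        # NCP talks to the NSX-T management plane, so it must stay on designated nodes.
        selector = spec.get("nodeSelector") or {}
        if any(selector.get(k) != v for k, v in NCP_NODE_SELECTOR.items()):
            findings.append("NCP pod has no nodeSelector for the nsx-infra label")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"{name}: privileged mode implicitly grants NET_ADMIN and NET_RAW")
        caps = sc.get("capabilities") or {}
        added = {x.upper() for x in caps.get("add") or []}
        dropped = {x.upper() for x in caps.get("drop") or []}
        for cap in sorted(added & NET_CAPS):
            findings.append(f"{name}: explicitly adds {cap}")
        # NET_RAW is granted by default, so untrusted containers must drop it (or drop ALL).
        if not is_ncp and not dropped & {"NET_RAW", "ALL"}:
            findings.append(f"{name}: NET_RAW is not dropped")
    return findings


# Constructed sample specs (not from the page): one hardened, one that violates the guidance.
HARDENED_POD = {"spec": {"containers": [
    {"name": "app", "securityContext": {"capabilities": {"drop": ["NET_RAW"]}}}]}}
RISKY_POD = {"spec": {"containers": [
    {"name": "app", "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}}},
    {"name": "sidecar", "securityContext": {"privileged": True}}]}}
NCP_POD = {"spec": {"nodeSelector": {"nsx-infra": "True"},
                    "containers": [{"name": "nsx-ncp"}]}}

if __name__ == "__main__":
    for label, pod, ncp in (("hardened", HARDENED_POD, False),
                            ("risky", RISKY_POD, False), ("ncp", NCP_POD, True)):
        print(label, check_pod_spec(pod, is_ncp=ncp) or "OK")
```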
Role-Based Access Control

Kubernetes uses Role-Based Access Control (RBAC) APIs to drive authorization decisions, allowing administrators to dynamically configure policies. For more information, see the Kubernetes documentation about RBAC.

Typically, the cluster administrator is the only user with privileged access and roles. For user and service accounts, the principle of least privilege must be followed when granting access.

The following guidelines are recommended:

- Restrict access to Kubernetes API tokens to pods which need them.
- Restrict access to the NCP ConfigMap and the NSX API client certificate's TLS secrets to the NCP pod.
- Block access to the Kubernetes networking API from pods that do not require such access.
- Add a Kubernetes RBAC policy to specify which pods can have access to the Kubernetes API.

The recommended RBAC policy is already in the NCP YAML file and will be effective when you install NCP.