
API Server Hardening

Securing the Kubernetes API Server and Control Plane

API Server Security Overview

The Kubernetes API server is the central hub for cluster management: every cluster operation, whether it comes from kubectl, the scheduler, the controllers or a kubelet, is an authenticated request to this one endpoint, and it is the only component that should talk to etcd. Securing the API server is paramount, because a compromised credential with broad API rights is full cluster control.

💡 Key Insight: Every request passes through three stages, in order: Authentication (who you are), Authorization (what you may do, normally decided by RBAC), and Admission Control (policy applied to the object being created or changed, which can mutate the object or reject the request). Admission runs only after a request has been authenticated and authorized, and only for writes (create, update, patch, delete, connect), never for reads.

Authentication Methods

Client Certificate Authentication

Client certificates signed by the cluster CA are the default method for inter-component communication (kubelet, scheduler, controller-manager, kube-proxy). The API server verifies the presented certificate against the CA bundle passed in --client-ca-file and maps the subject's CN to the user name and each O to a group. Kubernetes performs no revocation checks, so a certificate carrying O=system:masters is effectively an unrevocable cluster-admin credential until the CA itself is rotated; keep such certificates short-lived and off developer laptops.
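The following script is an added example for this guide, not code from the page or from Kubernetes: it mints a client certificate that the API server would map to user alice in groups developers and platform, verifies it the way --client-ca-file does, and shows that a self-signed certificate claiming system:masters is rejected even though its subject looks privileged. It assumes openssl is installed; the CA, the user names and the temporary directory are constructed for the demonstration (a kubeadm cluster keeps the real CA in /etc/kubernetes/pki/).

```bash
#!/usr/bin/env bash
# Added example (not from the guide): mint and verify Kubernetes client certs
# the way the API server's x509 authenticator does with --client-ca-file.
# A throwaway CA stands in for the cluster CA; names are constructed.
set -euo pipefail

WORK="$(mktemp -d)"

# Throwaway cluster CA (real clusters: /etc/kubernetes/pki/ca.crt and ca.key).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=kubernetes-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Issue a client cert signed by the CA. CN becomes the Kubernetes user name and
# every O becomes a group; the clientAuth EKU is what the API server requires.
make_client_cert() {
  local user="$1" subj g
  shift
  subj="/CN=$user"
  for g in "$@"; do subj="$subj/O=$g"; done
  openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$WORK/$user.key" -out "$WORK/$user.csr" >/dev/null 2>&1
  printf 'keyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > "$WORK/client.ext"
  openssl x509 -req -days 1 -in "$WORK/$user.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/client.ext" -out "$WORK/$user.crt" >/dev/null 2>&1
}

# A self-signed cert with a privileged subject that the cluster CA never issued.
make_rogue_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=admin/O=system:masters" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# What --client-ca-file does: chain the cert to the CA bundle and require that
# it is usable for TLS client authentication.
verify_client_cert() {
  openssl verify -CAfile "$WORK/ca.crt" -purpose sslclient "$WORK/$1.crt" >/dev/null 2>&1
}

# The identity the API server derives: user from CN, groups from every O.
identity_of() {
  local subj
  subj="$(openssl x509 -in "$WORK/$1.crt" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')"
  printf 'user=%s groups=%s\n' \
    "$(printf '%s\n' "$subj" | tr ',' '\n' | sed -n 's/^CN=//p')" \
    "$(printf '%s\n' "$subj" | tr ',' '\n' | sed -n 's/^O=//p' | tr '\n' ' ' | sed 's/ $//')"
}

make_ca
make_client_cert alice developers platform
make_rogue_cert mallory
identity_of alice
identity_of mallory
verify_client_cert alice   && echo "alice: accepted (issued by the cluster CA)"
verify_client_cert mallory || echo "mallory: rejected despite claiming system:masters"
```

To turn the accepted certificate into a kubeconfig entry, run kubectl config set-credentials alice --client-certificate=alice.crt --client-key=alice.key --embed-certs=true; the subject mapping is the same one you see in the identity_of output, so audit the O fields of every issued certificate, not just the CN.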

Bearer Token Authentication

Bearer tokens travel in the Authorization: Bearer header. Service account tokens are the common case: pods receive them through a projected volume, so they are short-lived, bound to an audience and tied to the pod, whereas legacy Secret-based tokens never expire and must be treated as static credentials (since Kubernetes 1.24 they are no longer created automatically). Other bearer-token sources are static token files (--token-auth-file, which cannot be rotated without an API server restart and is best avoided) and bootstrap tokens used only while a node joins.
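As an added example for this guide (not code from the page or from Kubernetes), the script below decodes the claims of a service account token and classifies it as a legacy, never-expiring token or a bound, audience-scoped one. The two tokens are constructed locally with a dummy signature; only the claim layout follows what the API server issues, and no signature is verified because this is triage tooling, not an authenticator.

```bash
#!/usr/bin/env bash
# Added example (not from the guide): classify a service account bearer token
# by its JWT claims. Tokens below are constructed with a dummy signature.
set -euo pipefail

b64url_encode() { printf '%s' "$1" | base64 | tr -d '\n=' | tr '+/' '-_'; }

b64url_decode() {
  local s
  s="$(printf '%s' "$1" | tr '_-' '/+')"
  case $(( ${#s} % 4 )) in 2) s="$s==" ;; 3) s="$s=" ;; esac
  printf '%s' "$s" | base64 -d
}

# Legacy token (Secret of type kubernetes.io/service-account-token): no exp, no aud.
LEGACY_CLAIMS='{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"prod","kubernetes.io/serviceaccount/service-account.name":"web","sub":"system:serviceaccount:prod:web"}'
# Bound token (projected volume or kubectl create token): audience, expiry, pod binding.
BOUND_CLAIMS='{"aud":["https://kubernetes.default.svc"],"exp":1700003600,"iat":1700000000,"iss":"https://kubernetes.default.svc","kubernetes.io":{"namespace":"prod","pod":{"name":"web-0"},"serviceaccount":{"name":"web"}},"sub":"system:serviceaccount:prod:web"}'

HEADER="$(b64url_encode '{"alg":"RS256","kid":"constructed"}')"
LEGACY_TOKEN="$HEADER.$(b64url_encode "$LEGACY_CLAIMS").c2lnbmF0dXJl"
BOUND_TOKEN="$HEADER.$(b64url_encode "$BOUND_CLAIMS").c2lnbmF0dXJl"

# Decode the claims segment (no signature check: this is for triage, not auth).
token_claims() { b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"; }

# Numeric claim such as exp or iat; empty if absent.
numeric_claim() { token_claims "$1" | sed -n "s/.*\"$2\":\([0-9]*\).*/\1/p"; }

# "bound" if the token expires and is audience-scoped, otherwise "legacy".
token_kind() {
  if [ -n "$(numeric_claim "$1" exp)" ] && token_claims "$1" | grep -q '"aud":'; then
    echo bound
  else
    echo legacy
  fi
}

# Lifetime the issuer granted in seconds (exp - iat), or "unbounded".
token_lifetime() {
  local exp iat
  exp="$(numeric_claim "$1" exp)"; iat="$(numeric_claim "$1" iat)"
  if [ -n "$exp" ] && [ -n "$iat" ]; then echo $(( exp - iat )); else echo unbounded; fi
}

for t in "$LEGACY_TOKEN" "$BOUND_TOKEN"; do
  echo "$(token_kind "$t") token, lifetime=$(token_lifetime "$t"): $(token_claims "$t")"
done
```

Request a bound token on demand with kubectl create token web -n prod --duration=10m, set automountServiceAccountToken: false on pods that never call the API, and hunt for leftover legacy tokens with kubectl get secrets -A --field-selector type=kubernetes.io/service-account-token.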

External Authentication

Configuring OIDC

```
--oidc-issuer-url=https://accounts.google.com
--oidc-client-id=kubernetes.example.com
--oidc-username-claim=email
--oidc-groups-claim=groups
```

The issuer must serve its OpenID discovery document over HTTPS, and --oidc-groups-claim only helps if the provider actually puts a groups claim into the ID token it issues. Set --oidc-username-prefix and --oidc-groups-prefix (for example oidc:) so names supplied by the identity provider cannot collide with built-in system: users and groups such as system:masters. The API server only validates tokens; obtaining and refreshing them is the client's job, typically through a kubectl credential plugin.

Authorization (RBAC)

RBAC Components

Four objects: Role (rules scoped to one namespace), ClusterRole (rules that are cluster-wide or reusable across namespaces), RoleBinding (grants a Role or a ClusterRole to subjects inside one namespace) and ClusterRoleBinding (grants a ClusterRole across the whole cluster). Subjects are users, groups or service accounts. Permissions are purely additive: there is no deny rule, so every binding can only widen what a subject may do.

RBAC Best Practices

Bind the narrowest role that does the job, prefer namespaced RoleBindings over ClusterRoleBindings, avoid wildcard verbs and resources, and never hand cluster-admin to a service account. Verify what a subject can do with impersonation rather than by reading YAML:

```
# Check user permissions
kubectl auth can-i create deployments --as=user@example.com -n production

# Examine RBAC rules
kubectl get rolebindings -A
kubectl get clusterrolebindings
```

kubectl auth can-i --list --as=user@example.com -n production prints everything the subject may do in that namespace. Impersonation itself needs the impersonate verb on users and groups, which is cluster-admin-equivalent, so audit who holds it.
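The scanner below is an added example for this guide, not code from the page or from Kubernetes. It reads the tabular output of kubectl get clusterrolebindings with a custom-columns layout and flags two grants that are almost always wrong: cluster-admin bound to anything other than system:masters, and any non-default role bound to system:authenticated or system:unauthenticated, which means every client (and, for unauthenticated, anyone who can reach the API port). The sample table and the binding names in it are constructed; the allowlist of default bindings is this example's assumption about a stock cluster.

```bash
#!/usr/bin/env bash
# Added example (not from the guide): flag risky ClusterRoleBindings from the
# table kubectl prints for:
#   kubectl get clusterrolebindings -o custom-columns='NAME:.metadata.name,ROLE:.roleRef.name,KINDS:.subjects[*].kind,SUBJECTS:.subjects[*].name'
set -euo pipefail

# Constructed sample in exactly that column layout.
CONSTRUCTED_SAMPLE='NAME                        ROLE                       KINDS            SUBJECTS
cluster-admin               cluster-admin              Group            system:masters
ci-deployer                 cluster-admin              ServiceAccount   jenkins
all-users-view              view                       Group            system:authenticated
system:public-info-viewer   system:public-info-viewer  Group,Group      system:authenticated,system:unauthenticated
app-ops                     edit                       User,Group       alice,platform'

# Reads the table on stdin and prints one finding per risky binding.
flag_risky_bindings() {
  awk '
    BEGIN {
      # Stock bindings that legitimately target the broad groups (assumed default set).
      allow["system:basic-user"] = 1
      allow["system:discovery"] = 1
      allow["system:public-info-viewer"] = 1
    }
    NR == 1 { next }   # header row
    {
      name = $1; role = $2; kinds = $3; subjects = $4
      if (role == "cluster-admin" && subjects != "system:masters")
        print name ": cluster-admin bound to " kinds " " subjects
      if (subjects ~ /system:(un)?authenticated/ && !(role in allow))
        print name ": role " role " bound to everyone via " subjects
    }'
}

# Live check when kubectl is available and pointed at a cluster.
audit_live_cluster() {
  command -v kubectl >/dev/null 2>&1 || { echo "kubectl not found; skipping live check"; return 0; }
  kubectl get clusterrolebindings \
    -o custom-columns='NAME:.metadata.name,ROLE:.roleRef.name,KINDS:.subjects[*].kind,SUBJECTS:.subjects[*].name' \
    | flag_risky_bindings
}

printf '%s\n' "$CONSTRUCTED_SAMPLE" | flag_risky_bindings
```

This only covers ClusterRoleBindings; a RoleBinding can reference a ClusterRole such as admin or edit inside a namespace, so run the same idea over kubectl get rolebindings -A with a NAMESPACE column added, and follow any finding with kubectl auth can-i --list --as to see the effective permissions.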

Admission Controllers

Built-in Admission Controllers

| Controller | Purpose |
| --- | --- |
| PodSecurity | Enforces the Pod Security Standards (privileged, baseline, restricted) per namespace; replaces PodSecurityPolicy, which was deprecated in 1.21 and removed in 1.25 |
| NodeRestriction | Limits each kubelet to modifying only its own Node object and the Pods bound to it, so a compromised node cannot reach into others |
| ResourceQuota | Enforces aggregate resource limits per namespace |
| LimitRanger | Enforces per-pod and per-container resource limits and applies defaults |
| ValidatingAdmissionWebhook | Custom validation via webhooks (can reject, never modify) |
| MutatingAdmissionWebhook | Custom mutations via webhooks (runs before validation) |

Enable Essential Admission Controllers

```
--enable-admission-plugins=NodeRestriction,PodSecurity,ResourceQuota,LimitRanger,ValidatingAdmissionWebhook,MutatingAdmissionWebhook
```

Do not list PodSecurityPolicy on Kubernetes 1.25 or later: the plugin no longer exists and kube-apiserver refuses to start on an unknown plugin name. This flag adds to the default-enabled set, so a plugin is only off if it appears in --disable-admission-plugins. PodSecurity enforces nothing until namespaces carry pod-security.kubernetes.io/enforce labels or cluster-wide defaults are supplied through --admission-control-config-file.
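The script below is an added example for this guide, not code from the page or from Kubernetes. It lints the admission flags in a kube-apiserver static-pod manifest for the removed PodSecurityPolicy plugin and for plugins worth pinning explicitly, then renders the AdmissionConfiguration that gives PodSecurity cluster-wide defaults. The manifest fragment is constructed (it carries the flag set this section originally showed), the file paths are the kubeadm defaults, and REQUIRED_PLUGINS is this example's recommendation rather than a Kubernetes default.

```bash
#!/usr/bin/env bash
# Added example (not from the guide): lint kube-apiserver admission flags and
# render a PodSecurity admission configuration. Manifest content is constructed.
set -euo pipefail

# PodSecurityPolicy was removed in 1.25; kube-apiserver refuses unknown plugin names.
REMOVED_PLUGINS="PodSecurityPolicy"
# This example's recommended set to pin explicitly (assumption, not a k8s default).
REQUIRED_PLUGINS="NodeRestriction PodSecurity ResourceQuota LimitRanger ValidatingAdmissionWebhook MutatingAdmissionWebhook"

# Value of --<flag>=... from a static-pod manifest (empty if the flag is absent).
flag_from_manifest() { sed -n "s/.*--$2=\([^ \"']*\).*/\1/p" "$1"; }

# True if item $2 is in the comma-separated list $1.
in_list() { case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac; }

# Prints one problem per line; returns 1 if anything was printed.
check_admission_plugins() {
  local enabled="$1" disabled="$2" rc=0 p
  for p in $REMOVED_PLUGINS; do
    if in_list "$enabled" "$p"; then
      echo "removed plugin listed: $p (kube-apiserver will not start)"; rc=1
    fi
  done
  for p in $REQUIRED_PLUGINS; do
    if in_list "$disabled" "$p"; then
      echo "required plugin disabled: $p"; rc=1
    elif ! in_list "$enabled" "$p"; then
      # --enable-admission-plugins adds to the default set, so an unlisted plugin
      # may still be on; pin it so an upgrade or a disable flag cannot drop it silently.
      echo "not pinned: $p"; rc=1
    fi
  done
  return $rc
}

# Cluster-wide Pod Security defaults, passed with --admission-control-config-file.
render_pod_security_config() {
cat <<'EOF'
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
  configuration:
    apiVersion: pod-security.admission.config.k8s.io/v1
    kind: PodSecurityConfiguration
    defaults:
      enforce: baseline
      enforce-version: latest
      audit: restricted
      audit-version: latest
      warn: restricted
      warn-version: latest
    exemptions:
      usernames: []
      runtimeClasses: []
      namespaces: [kube-system]
EOF
}

WORK="$(mktemp -d)"
# Constructed manifest fragment carrying the flag set shown earlier in this section.
printf '    - --enable-admission-plugins=PodSecurityPolicy,ResourceQuota,LimitRanger,ValidatingAdmissionWebhook,MutatingAdmissionWebhook\n' \
  > "$WORK/kube-apiserver.yaml"
ENABLED="$(flag_from_manifest "$WORK/kube-apiserver.yaml" enable-admission-plugins)"
DISABLED="$(flag_from_manifest "$WORK/kube-apiserver.yaml" disable-admission-plugins)"
check_admission_plugins "$ENABLED" "$DISABLED" || echo "fix the flags above"
render_pod_security_config > "$WORK/admission-config.yaml"
echo "wrote $WORK/admission-config.yaml"
```

On a real control plane point flag_from_manifest at /etc/kubernetes/manifests/kube-apiserver.yaml; the rendered file must be mounted into the kube-apiserver pod (hostPath) before --admission-control-config-file can reference it, and the baseline enforce default here is deliberately conservative so that tightening to restricted can be done per namespace with labels.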

Audit Logging

Enable Audit Logging

```
--audit-log-path=/var/log/kubernetes/audit.log
--audit-log-maxage=30
--audit-log-maxsize=100
--audit-policy-file=/etc/kubernetes/audit-policy.yaml
```

maxage is in days and maxsize in megabytes; add --audit-log-maxbackup to cap the number of rotated files kept on disk. When kube-apiserver runs as a static pod, both the log directory and the policy file live on the host and must be mounted into the pod with hostPath volumes, otherwise the server fails to start. The log names every caller and, at RequestResponse level, contains full request bodies, so restrict its permissions and ship it off the node promptly.

Audit Policy Example

```yaml
apiVersion: audit.k8s.io/v1
kind: Policy
# Rules are evaluated in order and the first match wins, so specific rules come first.
rules:
  # Health-check noise: do not log at all.
  - level: None
    users: ["system:kube-probe"]
  # Secrets: record who touched which Secret, but never the request or response body,
  # which would copy secret data into the audit log.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets"]
  # Everything else: metadata only, skipping the RequestReceived stage to halve the volume.
  - level: Metadata
    omitStages:
      - RequestReceived
```

Two things are easy to get wrong here. The None rule must precede the catch-all, because a catch-all Metadata rule listed first matches every request and the later rule is never reached. And Secrets (also ConfigMaps and TokenReviews) should be logged at Metadata, not RequestResponse: the higher levels write the object contents into the log, turning the audit trail itself into a store of plaintext credentials.
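As an added example for this guide (not code from the page or from Kubernetes), the script below runs simple detection rules over audit events of the shape the policy above produces: Secret access by a non-system identity, exec or attach into a pod, any write to RBAC objects, and 401/403 denials including anonymous probing. The six events are constructed; their field names follow the audit.k8s.io/v1 Event schema, and the line-oriented sed parsing assumes one JSON event per line as kube-apiserver writes them.

```bash
#!/usr/bin/env bash
# Added example (not from the guide): triage a kube-apiserver audit log
# (one JSON event per line, as written to --audit-log-path). Events are constructed.
set -euo pipefail

CONSTRUCTED_EVENTS='{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"get","user":{"username":"alice","groups":["developers","system:authenticated"]},"objectRef":{"resource":"secrets","namespace":"prod","name":"db-creds"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:kube-system:generic-garbage-collector"},"objectRef":{"resource":"secrets"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"create","user":{"username":"bob"},"objectRef":{"resource":"pods","subresource":"exec","namespace":"prod","name":"web-0"},"responseStatus":{"code":101}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"create","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"objectRef":{"resource":"pods","namespace":"prod"},"responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"create","user":{"username":"ci-deployer"},"objectRef":{"resource":"clusterrolebindings","apiGroup":"rbac.authorization.k8s.io","name":"oops-admin"},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"get","user":{"username":"alice"},"objectRef":{"resource":"pods","namespace":"prod","name":"web-0"},"responseStatus":{"code":200}}'

# String / numeric field from a one-line event (empty if absent). Good enough for
# flat audit events; reach for jq when events carry nested or escaped values.
str_field() { printf '%s' "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"; }
num_field() { printf '%s' "$1" | sed -n "s/.*\"$2\":\([0-9]*\).*/\1/p"; }

# Reads events on stdin, prints one ALERT line per matching rule.
triage_audit_log() {
  local ev user verb res sub code
  while IFS= read -r ev; do
    [ -n "$ev" ] || continue
    user="$(str_field "$ev" username)"; verb="$(str_field "$ev" verb)"
    res="$(str_field "$ev" resource)";   sub="$(str_field "$ev" subresource)"
    code="$(num_field "$ev" code)"
    # Secrets touched by anything other than a control-plane identity.
    if [ "$res" = secrets ]; then
      case "$user" in system:*) ;; *) echo "ALERT secret-access user=$user verb=$verb" ;; esac
    fi
    # Interactive access to a container.
    if [ "$sub" = exec ] || [ "$sub" = attach ]; then echo "ALERT pod-exec user=$user"; fi
    # Any write to RBAC objects.
    case "$res" in
      clusterroles|clusterrolebindings|roles|rolebindings)
        case "$verb" in get|list|watch) ;; *) echo "ALERT rbac-change user=$user verb=$verb resource=$res" ;; esac ;;
    esac
    # Authentication and authorization failures, including anonymous probing.
    case "$code" in 401|403) echo "ALERT denied user=$user verb=$verb resource=$res code=$code" ;; esac
  done
}

printf '%s\n' "$CONSTRUCTED_EVENTS" | triage_audit_log
# Against a real log: triage_audit_log < /var/log/kubernetes/audit.log
```

Note that the garbage collector's list of secrets is deliberately not flagged: control-plane service accounts read Secrets constantly, and a rule that fires on them produces only noise. Tune the system: exclusion to the identities your cluster actually runs.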

API Server Security Checklist