Security Best Practices Guide for Kubernetes


DigitalOcean Kubernetes (DOKS) is a managed Kubernetes service. Deploy Kubernetes clusters with a fully managed control plane, high availability, autoscaling, and native integration with DigitalOcean Load Balancers and volumes. You can add node pools using shared and dedicated CPUs, and NVIDIA H100 GPUs in a single GPU or 8 GPU configuration. DOKS clusters are compatible with standard Kubernetes toolchains and the DigitalOcean API and CLI.

Kubernetes clusters require a balance of resources in both pods and nodes to maintain high availability and scalability. Please refer to the Kubernetes Best Practices article to help you avoid common disruption problems.

Enable Log Forwarding

Log forwarding allows you to transmit log data from various databases and applications to the log management provider of your choice, including OpenSearch, which is required for this recommendation.

Rationale

As listed in our Log Forwarding is Now Available for DOKS blog, some benefits to enabling log forwarding include:

  • Centralized log management: Log forwarding allows customers to aggregate events across the Kubernetes data plane into a centralized system. This makes it easier to manage and access cluster event logs across a distributed Kubernetes environment, rather than searching through individual nodes or containers for log data.

  • Improved monitoring and simplified troubleshooting: With a centralized log management system, this feature allows you to consolidate logs from multiple sources, including DOKS, making it easier to monitor application performance and troubleshoot issues. Logs are crucial for identifying issues in Kubernetes clusters, and a centralized service helps users to pinpoint and resolve errors, performance bottlenecks, or configuration issues by providing a unified view of system activity.

  • Improved alerting: By forwarding logs to a log management provider, customers can set up alerts for specific log patterns or errors. This allows them to proactively respond to potential problems or threats before they impact production environments, helping to ensure better reliability.

  • Optimized resource usage: Combining Managed OpenSearch with DOKS helps to ensure that logs are processed, stored, and queried efficiently within a managed system optimized for performance. The compatibility between DOKS and OpenSearch allows users to offload resource-intensive log aggregation and analysis to a specialized service (OpenSearch), which frees up Kubernetes resources for application workloads.

Impact

Log forwarding has no adverse impacts.

Audit Procedure

Go to the Kubernetes section of the control panel, select the cluster, and click the Settings tab. Log forwarding is not enabled if no destinations are listed.

Remediation Procedure

Please refer to our How to Forward Logs to Managed OpenSearch Database documentation to configure log forwarding.



Set an Upgrade Window

You can upgrade DigitalOcean Kubernetes clusters to newer patch versions (for example, 1.20.1 to 1.20.2) as well as new minor versions (for example, 1.19.1 to 1.20.1) in the DigitalOcean Control Panel or in doctl, the command line interface (CLI) tool.

There are two ways to upgrade:

  • On demand. When an upgrade becomes available for DigitalOcean Kubernetes, you can manually trigger the upgrade process. You can upgrade to a new minor version using the manual process, provided you first perform all available patch-level upgrades for your current minor version.

  • Automatically. You can enable automatic upgrades for a cluster that happen within a maintenance window you specify. Automatic updates trigger on new patch versions of Kubernetes and new point releases of DigitalOcean Kubernetes subsystems with non-breaking updates. However, your cluster is not automatically upgraded to new minor Kubernetes versions (for example, 1.19.1 to 1.20.1).

Rationale

Setting a cluster upgrade window has several benefits, including:

  • Alignment with business needs: Businesses can align upgrade schedules with operational priorities to avoid updates during high-traffic times.

  • Improved security: Scheduled upgrades ensure clusters are up-to-date with the latest patches and bug fixes.

Impact

Some applications and dependencies may not be compatible with the latest upgrade. Upgrading your cluster can cause disruptions in the availability of services running in your workloads.

Audit Procedure

Go to the Kubernetes section of the control panel, select the cluster, and click the Settings tab. The Automatically upgrade minor version patches section will say Disabled if automatic upgrades are not turned on. Please visit the How to Upgrade DOKS Clusters to New Versions documentation for more information.

Remediation Procedure

The default upgrade window is chosen by the DigitalOcean Kubernetes backend to guarantee an even workload across all maintenance windows for optimal processing.

You can specify a different maintenance window in the Settings tab of a cluster. In the Upgrade window section, click Edit to specify a different start time. Upgrade windows are made up of two parts: a time of day and, optionally, a day of the week. For example, you can set your upgrade window to 5 AM any day of the week or to 8 PM on Mondays.

Please visit the How to Upgrade DOKS Clusters to New Versions documentation for more information.



Enable High Availability Control Plane

DigitalOcean Kubernetes provides a high availability (HA) option that increases uptime and provides 99.95% SLA uptime for control planes. If you enable high availability for a cluster, multiple replicas of each control plane component are created, ensuring that a redundant replica is available when a failure occurs. This results in increased uptime.

Rationale

Enabling the High Availability Control Plane has several benefits, including:

  • Minimized downtime: The redundancy and failover mechanisms of high availability ensure services remain operational.
  • Improved performance: High availability optimizes resource utilization.
  • Resiliency: High Availability automatically detects and replaces unhealthy components and dynamically allocates CPU and memory resources on demand.

Impact

Enabling the High Availability Control Plane offers better resilience, but may increase costs. Once enabled, you cannot disable high availability.

Audit Procedure

Go to the Kubernetes section of the control panel, and click the Overview tab. Scroll down to the Control Plane. The High Availability status will say Not Enabled or Enabled, depending on your settings.

Remediation Procedure

Please refer to our How to Enable High Availability documentation.
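
The upgrade window and high availability audits above can also be run across every cluster at once instead of checking each Settings and Overview tab by hand. The following is an added example, not DigitalOcean's own code: it assumes the cluster JSON printed by doctl kubernetes cluster list -o json carries the API's auto_upgrade, maintenance_policy and ha fields, and the sample clusters are constructed.

```python
import json

# Constructed sample in the shape assumed for `doctl kubernetes cluster list -o json`.
SAMPLE = """[
  {"name": "prod-nyc1", "auto_upgrade": true, "ha": true,
   "maintenance_policy": {"start_time": "05:00", "day": "any"}},
  {"name": "staging-ams3", "auto_upgrade": false, "ha": false,
   "maintenance_policy": {"start_time": "20:00", "day": "monday"}},
  {"name": "legacy-sfo3"}
]"""


def load_clusters(raw):
    """Accept a bare JSON array or the API-style {"kubernetes_clusters": [...]} envelope."""
    data = json.loads(raw)
    if isinstance(data, dict):
        data = data.get("kubernetes_clusters", [])
    return data


def audit_cluster(cluster):
    """Return findings for one cluster; a missing field counts as a finding."""
    findings = []
    if cluster.get("auto_upgrade") is not True:
        findings.append("automatic upgrades disabled")
    policy = cluster.get("maintenance_policy") or {}
    if not policy.get("start_time"):
        findings.append("no upgrade window reported")
    if cluster.get("ha") is not True:
        findings.append("high availability control plane not enabled")
    return findings


def audit(raw):
    """Map cluster name -> list of findings (empty list means all checks passed)."""
    return {c.get("name", "<unnamed>"): audit_cluster(c) for c in load_clusters(raw)}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

To audit live clusters, pass the output of doctl kubernetes cluster list -o json to audit() in place of SAMPLE.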



Additional Recommendations

We recommend further hardening using CIS Kubernetes Benchmark guidelines, and tools like Kyverno. Please keep in mind you cannot directly access or modify the kube-apiserver configuration in DOKS because the control plane is fully managed by DigitalOcean.
