DigitalOcean Kubernetes Security Information

DigitalOcean Kubernetes (DOKS) is a managed Kubernetes service that lets you deploy Kubernetes clusters without the complexities of handling the control plane and containerized infrastructure. Clusters are compatible with standard Kubernetes toolchains, integrate natively with DigitalOcean Load Balancers and volumes, and can be managed programmatically using the API and command line. For critical workloads, add the high-availability control plane to increase uptime with 99.95% SLA.

Is there an option to restrict the access for the Kubernetes API by IP addresses?

Not today.

How can we get the latest OS version and patch-level information on worker nodes, so we can check OS and kernel versions for 0-day exploits or other CVE vulnerabilities?

You need to use a privileged pod configured to gain access to the underlying system of the worker node.

How do you keep the worker nodes secure?

The worker node system is updated when clusters are upgraded. This is one important reason to enable auto-upgrades on your cluster. The changelog has the set of images released over time with the things that changed.

How can I run additional security tooling on worker nodes?

You can run additional security tooling on worker nodes as privileged DaemonSets.

How can I reasonably make sure there are no known exploits in the images running on the Droplets?

Security-scanning services are built into some image registries such as Docker Hub and Quay. You can also use an independent scanner such as Anchore, WhiteSource, or Clair. Be sure not to import open-source code in tarballs and instead use a package from a public repository so the scanner is more likely to recognize it.

What are my options for authentication?

DOKS offers token-based authorization (recommended) and supports certificates for legacy clusters. For more details, see Connect to a Cluster.

Where can I read some security best practices for Kubernetes in general (rather than DOKS in specific?)

We recommend consulting the CNCF’s security recommendations, and reading Securing a Cluster and Overview of Cloud Native Security in the Kubernetes documentation.