How to Secure Your Node.js Containers on Kubernetes With Best Practices


Learn security best practices for Kubernetes and especially for securing applications built with NodeJS running on Kubernetes. We will talk about securing the cluster, your Node.js containers, and more. We will also look at how to use OIDC to secure access to the clusters.

This talk was presented at DevOps.js Conf 2022; check out the latest edition of this tech conference.

FAQ

Role-Based Access Control (RBAC) is a widely used security mechanism in Kubernetes that allows defining different permissions based on user roles within an organization. It helps in implementing security policies that closely match an organization's structure and is most effective in medium to large organizations.

OpenID Connect (OIDC) is a secure and scalable authentication protocol that provides a single sign-on solution for Kubernetes cluster access. It simplifies onboarding and off-boarding processes by allowing user management through the OIDC provider, eliminating the need to manage sensitive data like passwords directly in the cluster.

Secrets in Kubernetes are used to manage and store sensitive information such as passwords, tokens, and keys securely. They can be mounted as data volumes or exposed as environment variables within containers, ensuring that sensitive data is handled securely and is not exposed in plaintext.

Regularly updating Kubernetes helps in addressing bugs, security vulnerabilities, and ensuring compatibility with the latest features. Staying current with updates is crucial to maintaining the security and efficiency of the cluster, especially to protect against known vulnerabilities and exploits.

Isolating workloads into different namespaces aids in managing permissions and access control more effectively. It allows for finer-grained security policies and limits the potential impact of security breaches, as compromised resources in one namespace won't affect others.
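A constructed manifest, added here and not part of the talk, that ties together the three points above: a namespace-scoped Role bound to the application's own ServiceAccount, and a Secret exposed both as an environment variable and as a mounted file. Resource names, the image tag and the secret values are placeholders, and the `node-app` namespace is assumed to exist already (`kubectl create namespace node-app`).

```yaml
# Constructed example manifest (not from the talk); all names and values are placeholders.
apiVersion: v1
kind: Secret
metadata: {name: db-credentials, namespace: node-app}
type: Opaque
stringData:                      # constructed sample values; the API server stores them base64-encoded
  DB_PASSWORD: example-password
  api-key: example-api-key
---
apiVersion: v1
kind: ServiceAccount
metadata: {name: node-app, namespace: node-app}
---
# A Role is namespaced: it cannot grant anything outside node-app.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: configmap-reader, namespace: node-app}
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get", "list"]         # read-only; no verbs on secrets or pods
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: node-app-configmap-reader, namespace: node-app}
subjects:
- {kind: ServiceAccount, name: node-app, namespace: node-app}
roleRef: {kind: Role, name: configmap-reader, apiGroup: rbac.authorization.k8s.io}
---
apiVersion: v1
kind: Pod
metadata: {name: node-app, namespace: node-app}
spec:
  serviceAccountName: node-app   # runs with only the Role above, not cluster-wide rights
  containers:
  - name: app
    image: node:20-alpine        # minimal base image; placeholder tag, keep it current
    command: ["node", "server.js"]
    env:
    - name: DB_PASSWORD          # secret exposed as an environment variable
      valueFrom:
        secretKeyRef: {name: db-credentials, key: DB_PASSWORD}
    volumeMounts:
    - {name: api-key, mountPath: /etc/secrets, readOnly: true}   # secret mounted as a file
  volumes:
  - name: api-key
    secret:
      secretName: db-credentials
      items: [{key: api-key, path: api-key}]   # appears as /etc/secrets/api-key in the container
```

The Node.js process can read the mounted file with `fs.readFileSync('/etc/secrets/api-key', 'utf8')` while the password arrives via `process.env.DB_PASSWORD`; neither value appears in the Pod spec itself.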

Using minimal and up-to-date base images reduces the attack surface by eliminating unnecessary packages and vulnerabilities. This practice also ensures that containers are lightweight and only contain essential functionalities, which enhances both security and performance.

Monitoring and auditing provide visibility into the activities and health of the Kubernetes cluster. They help in detecting abnormal behaviors or potential security breaches early, allowing for quick mitigation actions and ensuring compliance with security policies.

Deepu K Sasidharan
34 min
24 Mar, 2022


Video Summary and Transcription

Today's talk is about securing Kubernetes containers, especially for Node.js. The best practices for securing Kubernetes include using RBAC, OIDC, and secrets, as well as isolating workloads and securing container images. OIDC is recommended for authentication in Kubernetes, and securing the Kubernetes cluster is crucial. Cloud-based Kubernetes clusters can use OIDC or the default authentication mechanism provided by the cloud provider. Managing team size and dealing with different security philosophies are important considerations. Overall, securing Kubernetes is essential for protecting the infrastructure and data.

1. Introduction to Kubernetes Security

Short description:

Today's talk is about securing Kubernetes containers, especially for Node.js. Regardless of how you run your Kubernetes clusters, you need to ensure their security. Introductions: I'm Deepu K. Sasidharan, co-lead of jHipster, creator of kdash, and a developer advocate at Okta. Follow me on Twitter and check out my blog and book about jHipster.

Hello everyone. Welcome to my talk. Today I'm going to talk about securing your Kubernetes containers, especially for Node.js. If you're a DevOps engineer, there's a good chance that you're maintaining either an on-prem Kubernetes cluster or a PaaS like EKS, AKS or GKE. But regardless of how you run your Kubernetes clusters, you need to make sure that they are secure.

But first, introductions. My name is Deepu K. Sasidharan. I'm the co-lead of jHipster. I also created a nifty dashboard called kdash for Kubernetes. I'm an open-source aficionado, a polyglot developer and a Java champion. I work as a developer advocate at Okta with a focus on DevOps. I also write frequently about languages and tech on my blog. You can find it on deepu.tech. Please do follow me on Twitter if you are interested in my content. I have written a book about jHipster. If you like this talk, you might like the book as well. So please do check it out.

2. Understanding Kubernetes Security

Short description:

Before we talk about securing Kubernetes or before we talk about security best practices in Kubernetes, it is important for us to have a basic understanding of Kubernetes security. Like any other complex piece of software, security in Kubernetes is multifold. TLS is used to ensure transport security and authentication and authorization can be done using multiple mechanisms in Kubernetes. Kubernetes comes with many security options out of the box, as we saw. But to bulletproof your infrastructure, you need to consider many more security best practices.

Before we talk about securing Kubernetes or about security best practices in Kubernetes, it is important for us to have a basic understanding of Kubernetes security. Like any other complex piece of software, security in Kubernetes is multifold. It can be broadly categorized into four layers: transport security, authentication, authorization, and admission control.

TLS is used to ensure transport security and authentication and authorization can be done using multiple mechanisms in Kubernetes. There is also a possibility of adding custom admission control modules to add further policies and security in Kubernetes. So these are the things that are available out of the box in Kubernetes.

Kubernetes comes with many security options out of the box, as we saw. But to bulletproof your infrastructure, you need to consider many more security best practices. Today, we'll look into some of the vital security best practices. You can also find a similar blog post from me at the link provided in this slide. So please do check that out if you want to read a bit more about these.
