Securing the Orchestration Control Plane
The orchestration control plane is the highest-value target in containerized infrastructure: whoever controls the manager nodes (Swarm) or the control-plane API (Kubernetes) can schedule arbitrary workloads on every node, read every secret the cluster holds, and mint credentials for further access. Both Docker Swarm managers and Kubernetes control-plane components therefore require network isolation, strong mutual authentication, and comprehensive audit logging. Understanding how each control plane is built makes it possible to place those controls at the points where they are actually enforced.
Docker Swarm's control plane is a set of manager nodes that replicate cluster state with the Raft consensus protocol; a majority of managers must be reachable for the cluster to accept changes, so managers are deployed in odd numbers (three or five). Managers hold the full state, including service definitions and secrets, and make scheduling decisions. Traffic on the manager port (tcp/2377) is mutually authenticated with certificates issued by the Swarm's built-in CA and rotated automatically. This is separate from the Docker Engine API (tcp/2376), which accepts unauthenticated, root-equivalent requests from anyone who can reach it unless TLS with client verification is configured by hand. Manager nodes should run on dedicated hosts drained of application workloads (docker node update --availability drain), so that a container escape on a worker never lands on a host holding the Raft log. That log lives under /var/lib/docker/swarm and contains the CA private key and every secret; enabling autolock (docker swarm update --autolock=true) encrypts it at rest, and backups of the directory should be taken from a manager with Docker stopped and stored with the same protection as the unlock key, which is kept separately from the backup itself.
#!/bin/bash
# Example: secure Docker Swarm initialization and configuration
# Run on the first manager. MANAGER_IP, CLUSTER_CIDR and ADMIN_CIDR are
# placeholders for this example; adjust them to the environment.
set -euo pipefail
MANAGER_IP=10.0.1.10
CLUSTER_CIDR=10.0.1.0/24   # subnet holding all Swarm nodes
ADMIN_CIDR=10.0.100.0/24   # hosts allowed to reach the Engine API

# --- 1. TLS for the Docker Engine API (tcp/2376) ---------------------------
# Swarm's own control-plane traffic on tcp/2377 is mutually authenticated with
# certificates from the built-in Swarm CA and needs no manual certificates. The
# certificates below protect the separate Engine API, which is unauthenticated
# and root-equivalent if exposed on TCP without them.
mkdir -p /etc/docker/swarm/certs
cd /etc/docker/swarm/certs

# CA
openssl genrsa -out ca-key.pem 4096
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 \
  -out ca.pem -subj "/C=US/ST=State/L=City/O=Company/CN=swarm-ca"

# Server certificate; the SANs must cover every name and IP clients connect to,
# otherwise tlsverify clients fail and people are tempted to turn it off
openssl genrsa -out server-key.pem 4096
openssl req -subj "/CN=swarm-manager" -sha256 -new \
  -key server-key.pem -out server.csr
cat > server-ext.cnf <<EOF
subjectAltName = DNS:swarm-manager,DNS:*.swarm.local,IP:${MANAGER_IP},IP:127.0.0.1
extendedKeyUsage = serverAuth
EOF
openssl x509 -req -days 365 -sha256 -in server.csr \
  -CA ca.pem -CAkey ca-key.pem -CAcreateserial \
  -out server-cert.pem -extfile server-ext.cnf

# Client certificate: with tlsverify=true every API client must present a
# certificate signed by this CA, so issue one for the administrator
openssl genrsa -out client-key.pem 4096
openssl req -subj "/CN=swarm-admin" -sha256 -new \
  -key client-key.pem -out client.csr
echo "extendedKeyUsage = clientAuth" > client-ext.cnf
openssl x509 -req -days 365 -sha256 -in client.csr \
  -CA ca.pem -CAkey ca-key.pem -CAcreateserial \
  -out client-cert.pem -extfile client-ext.cnf
chmod 0400 ca-key.pem server-key.pem client-key.pem
rm -f server.csr client.csr

# Daemon configuration
cat > /etc/docker/daemon.json <<EOF
{
  "hosts": ["tcp://0.0.0.0:2376", "unix:///var/run/docker.sock"],
  "tls": true,
  "tlsverify": true,
  "tlscert": "/etc/docker/swarm/certs/server-cert.pem",
  "tlskey": "/etc/docker/swarm/certs/server-key.pem",
  "tlscacert": "/etc/docker/swarm/certs/ca.pem",
  "log-driver": "json-file",
  "log-opts": { "max-size": "10m", "max-file": "3" },
  "storage-driver": "overlay2",
  "metrics-addr": "127.0.0.1:9323",
  "experimental": false
}
EOF

# On systemd distributions dockerd is started with "-H fd://", which conflicts
# with "hosts" in daemon.json; clear ExecStart so the file is authoritative
mkdir -p /etc/systemd/system/docker.service.d
cat > /etc/systemd/system/docker.service.d/override.conf <<EOF
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd
EOF
systemctl daemon-reload
systemctl restart docker

# --- 2. Initialize the Swarm ----------------------------------------------
# Bind the control plane to the management address explicitly rather than to
# whichever interface Docker picks. 720h shortens the node certificate lifetime
# from the 90-day default; the Swarm CA rotates them automatically.
docker swarm init \
  --advertise-addr "${MANAGER_IP}:2377" \
  --listen-addr "${MANAGER_IP}:2377" \
  --data-path-port 4789 \
  --cert-expiry 720h \
  --dispatcher-heartbeat 10s

# --- 3. Host firewall ------------------------------------------------------
# Control-plane and overlay ports only from cluster nodes, the Engine API only
# from the admin network, and explicit drops so a permissive INPUT policy cannot
# expose them. Port 2377 is only open on managers; workers do not listen on it.
iptables -A INPUT -p tcp -s "$CLUSTER_CIDR" --dport 2377 -j ACCEPT -m comment --comment "Docker Swarm management"
iptables -A INPUT -p tcp -s "$CLUSTER_CIDR" --dport 7946 -j ACCEPT -m comment --comment "Docker Swarm node communication"
iptables -A INPUT -p udp -s "$CLUSTER_CIDR" --dport 7946 -j ACCEPT -m comment --comment "Docker Swarm node communication"
iptables -A INPUT -p udp -s "$CLUSTER_CIDR" --dport 4789 -j ACCEPT -m comment --comment "Docker Swarm overlay network"
iptables -A INPUT -p tcp -s "$ADMIN_CIDR" --dport 2376 -j ACCEPT -m comment --comment "Docker Engine API (TLS)"
for rule in "tcp 2376" "tcp 2377" "tcp 7946" "udp 7946" "udp 4789"; do
  set -- $rule
  iptables -A INPUT -p "$1" --dport "$2" -j DROP
done

# --- 4. Audit logging ------------------------------------------------------
# Raft state and daemon configuration. /var/lib/docker/swarm is read and written
# constantly by Raft, so watching reads (-p r) floods the audit log; record
# writes and attribute changes instead.
auditctl -w /var/lib/docker/swarm -p wa -k docker-swarm
auditctl -w /etc/docker -p wa -k docker-config
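The firewall rules in the script above admit the Swarm ports from an address range rather than from the enumerated cluster members, and they are the same on every host even though only managers listen on tcp/2377. The following added example (not code from the original page) generates the per-host rules from a node inventory so that each port is opened only to the specific peers that need it; the inventory, node IPs and admin network are constructed placeholders.

```bash
#!/bin/sh
# Added example (not from the original page): build per-host iptables rules for
# a Swarm node from a node inventory, so the control-plane ports are reachable
# only from known cluster members and the Engine API only from an admin network.
# The inventory and the CIDRs used below are constructed placeholders.

# Constructed inventory, one "<ip> <role>" per line.
SWARM_NODES='10.0.1.10 manager
10.0.1.11 manager
10.0.1.12 manager
10.0.2.20 worker
10.0.2.21 worker'

# swarm_rules ROLE ADMIN_CIDR
# Prints the iptables commands for a host with the given role; peers are read
# from $SWARM_NODES. Returns 1 on an unknown role.
swarm_rules() {
    role=$1
    admin_cidr=$2
    case "$role" in
        manager|worker) ;;
        *) echo "swarm_rules: role must be manager or worker" >&2; return 1 ;;
    esac

    echo "$SWARM_NODES" | while read -r ip peer_role; do
        [ -n "$ip" ] || continue
        # tcp/2377 (Raft and dispatcher) is listened on by managers only; every
        # cluster member, manager or worker, must be able to reach it.
        if [ "$role" = manager ]; then
            echo "iptables -A INPUT -p tcp -s $ip/32 --dport 2377 -j ACCEPT -m comment --comment \"swarm control plane from $peer_role $ip\""
        fi
        # Gossip (7946 tcp+udp) and VXLAN overlay (4789 udp) run between all nodes.
        echo "iptables -A INPUT -p tcp -s $ip/32 --dport 7946 -j ACCEPT -m comment --comment \"swarm gossip from $ip\""
        echo "iptables -A INPUT -p udp -s $ip/32 --dport 7946 -j ACCEPT -m comment --comment \"swarm gossip from $ip\""
        echo "iptables -A INPUT -p udp -s $ip/32 --dport 4789 -j ACCEPT -m comment --comment \"swarm overlay from $ip\""
    done

    # Engine API only from the admin network; the plaintext API port 2375 never.
    echo "iptables -A INPUT -p tcp -s $admin_cidr --dport 2376 -j ACCEPT -m comment --comment \"engine API (TLS) from admin\""

    # Explicit drops so a permissive INPUT policy cannot expose these ports.
    for pair in "tcp 2375" "tcp 2376" "tcp 2377" "tcp 7946" "udp 7946" "udp 4789"; do
        set -- $pair
        echo "iptables -A INPUT -p $1 --dport $2 -j DROP"
    done
}

# Usage: review the output, then pipe it to sh on the target host.
swarm_rules manager 10.0.100.0/24
```

Regenerating the rule set from the inventory whenever a node joins or leaves keeps the allow list tied to the cluster membership; a worker generated this way has no accept rule for 2377 at all, so a compromised worker cannot probe the manager port on another worker even if that host later becomes a manager without the rules being refreshed.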
Kubernetes control plane security requires protecting several components with different exposure: the API server, etcd, the controller manager, and the scheduler. The API server is the single entry point and the primary enforcement point; every request passes through authentication, authorization (the Node and RBAC authorizers, never AlwaysAllow), and admission control, and its audit log is the record of who changed what. etcd holds every object in the cluster, Secrets included, and stores them in plaintext unless the API server is started with an encryption provider configuration; its client and peer ports must require TLS client certificates and be reachable only from control-plane nodes, because read access to etcd is equivalent to cluster-admin. The controller manager and scheduler authenticate to the API server with their own client certificates bound to the system:kube-controller-manager and system:kube-scheduler identities, and the controller manager should additionally run with --use-service-account-credentials=true so that each controller loop acts under a separate service account holding only the permissions that controller needs; this keeps the audit trail attributable and limits what a single compromised controller can do.
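The settings above are all command-line flags of the API server, so their presence can be verified from the static-pod manifest before the cluster is trusted. The following added example (not code from the original page) performs that check on two constructed manifests, one weak and one hardened; the kubeadm manifest path is real, but the sample manifests and the file paths inside them are invented for the example, and the checks follow the flags named in the paragraph rather than any complete benchmark.

```bash
#!/bin/sh
# Added example (not from the original page): a static check of a kube-apiserver
# static-pod manifest (on kubeadm clusters, /etc/kubernetes/manifests/
# kube-apiserver.yaml) for the control-plane settings discussed above. The two
# manifests below are constructed samples, not taken from a real cluster.

# flag_value FILE FLAG: print the value of "--FLAG=value" from the manifest,
# or nothing if the flag is absent.
flag_value() {
    grep -oE -- "--$2=[^[:space:]]*" "$1" | head -n 1 | cut -d= -f2- || true
}

# audit_apiserver FILE: print one "FAIL: ..." line per finding and return 1 if
# anything was found, 0 if the manifest passes every check.
audit_apiserver() {
    f=$1
    fails=0
    fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

    # Unauthenticated requests are accepted unless this is explicitly false.
    [ "$(flag_value "$f" anonymous-auth)" = false ] || fail "--anonymous-auth is not false"

    # AlwaysAllow turns authorization off; Node and RBAC are the expected modes.
    authz=$(flag_value "$f" authorization-mode)
    case ",$authz," in *,AlwaysAllow,*) fail "--authorization-mode includes AlwaysAllow" ;; esac
    case ",$authz," in *,RBAC,*) ;; *) fail "--authorization-mode lacks RBAC" ;; esac

    # Without an encryption provider, Secrets sit in etcd as plaintext.
    [ -n "$(flag_value "$f" encryption-provider-config)" ] || fail "no --encryption-provider-config (etcd data not encrypted at rest)"

    # API server -> etcd and API server -> kubelet must use client certificates.
    for flag in etcd-cafile etcd-certfile etcd-keyfile kubelet-client-certificate kubelet-client-key; do
        [ -n "$(flag_value "$f" "$flag")" ] || fail "missing --$flag"
    done

    # Audit logging needs a destination and a policy describing what to record.
    for flag in audit-log-path audit-policy-file; do
        [ -n "$(flag_value "$f" "$flag")" ] || fail "missing --$flag (no API audit trail)"
    done

    # The legacy plaintext listener (removed in 1.24) must be disabled if present.
    iport=$(flag_value "$f" insecure-port)
    [ -z "$iport" ] || [ "$iport" = 0 ] || fail "--insecure-port=$iport exposes an unauthenticated listener"

    [ "$fails" -eq 0 ]
}

# Constructed sample manifests, trimmed to the command section.
WEAK=$(mktemp); HARDENED=$(mktemp)
trap 'rm -f "$WEAK" "$HARDENED"' EXIT
cat > "$WEAK" <<'EOF'
apiVersion: v1
kind: Pod
metadata: {name: kube-apiserver, namespace: kube-system}
spec:
  containers:
  - name: kube-apiserver
    command:
    - kube-apiserver
    - --advertise-address=10.0.1.10
    - --authorization-mode=AlwaysAllow
    - --etcd-servers=http://127.0.0.1:2379
    - --insecure-port=8080
    - --secure-port=6443
EOF
cat > "$HARDENED" <<'EOF'
apiVersion: v1
kind: Pod
metadata: {name: kube-apiserver, namespace: kube-system}
spec:
  containers:
  - name: kube-apiserver
    command:
    - kube-apiserver
    - --advertise-address=10.0.1.10
    - --anonymous-auth=false
    - --authorization-mode=Node,RBAC
    - --audit-log-path=/var/log/kubernetes/audit.log
    - --audit-policy-file=/etc/kubernetes/audit-policy.yaml
    - --encryption-provider-config=/etc/kubernetes/encryption-config.yaml
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
    - --etcd-servers=https://127.0.0.1:2379
    - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
    - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
    - --secure-port=6443
EOF

# Usage: the weak manifest produces findings, the hardened one passes.
for m in "$WEAK" "$HARDENED"; do
    if audit_apiserver "$m"; then echo "PASS: $m"; fi
done
```

The check is deliberately static: it reads what the control plane was told to do, which is cheap to run from a node's filesystem or a configuration repository, and it catches the common regressions (AlwaysAllow left over from a lab, audit logging never enabled, etcd reached over http) before a running cluster is exposed. It says nothing about whether the referenced files exist or whether the encryption configuration actually lists the secrets resource, which is the next thing to verify on the host.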