Securing Kubernetes CSI Drivers

Container Storage Interface (CSI) drivers enable Kubernetes to manage persistent storage across different backends. Insecure CSI configurations can expose sensitive data, enable privilege escalation, or allow unauthorized volume modifications. Implementing strict access controls and security best practices is essential to protect storage resources.

1. Restrict Persistent Volume Attachment to Authorized Pods

Issue: If Persistent Volumes (PVs) and Persistent Volume Claims (PVCs) can be freely reattached, attackers may gain access to sensitive data.
Fix: Restrict volume attachment to specific workloads.

Secure Storage Class Configuration

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: secure-storage
provisioner: kubernetes.io/aws-ebs
volumeBindingMode: WaitForFirstConsumer
allowVolumeExpansion: false
parameters:
  encrypted: "true"
  fsType: ext4

Why It Matters

Prevents unauthorized workloads from mounting sensitive volumes.
Ensures that storage resources are only provisioned when needed.

2. Enforce RBAC Controls on CSI Drivers

Issue: If CSI drivers are not properly restricted, attackers can list, delete, or modify storage resources.
Fix: Use Role-Based Access Control (RBAC) to limit access to CSI operations.

Secure CSI Driver RBAC Policy

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: kube-system
  name: csi-driver-restrict
rules:
  - apiGroups: ["storage.k8s.io"]
    resources:
      [
        "csidrivers",
        "csinodeinfos",
        "persistentvolumes",
        "persistentvolumeclaims",
      ]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: kube-system
  name: restrict-csi-access
subjects:
  - kind: ServiceAccount
    name: csi-driver-sa
    namespace: kube-system
roleRef:
  kind: Role
  name: csi-driver-restrict
  apiGroup: rbac.authorization.k8s.io

Why It Matters

Prevents unauthorized users from modifying CSI configurations.
Restricts storage actions to necessary workloads only.

3. Disable Privileged CSI Drivers

Issue: Some CSI plugins run with privileged access, allowing potential container escapes.
Fix: Disable privileged mode and enforce strict security contexts.

Secure CSI Driver Deployment

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: secure-csi-driver
  namespace: kube-system
spec:
  template:
    spec:
      containers:
        - name: csi-driver
          securityContext:
            privileged: false
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]

Why It Matters

Prevents attackers from exploiting CSI plugins to escalate privileges.
Reduces the risk of host filesystem access through storage operations.

4. Enforce Read-Only Volume Access for Sensitive Data

Required knowledge for the CKS certification.

Issue: If volumes containing sensitive data are mounted with ReadWriteMany (RWX), attackers can modify or inject malicious content.
Fix: Use ReadOnlyMany (ROX) for sensitive workloads.

Secure PVC Definition

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: secure-pvc
  namespace: secure-app
spec:
  accessModes:
    - ReadOnlyMany
  resources:
    requests:
      storage: 10Gi

Why It Matters

Prevents unauthorized modification of stored data.
Ensures critical storage remains immutable.

5. Enable Encryption for Persistent Volumes

Issue: Unencrypted storage volumes expose sensitive data if accessed by unauthorized users.
Fix: Use encryption at rest for all persistent volumes.

Secure Encrypted Storage (AWS EBS Example)

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: encrypted-storage
provisioner: kubernetes.io/aws-ebs
parameters:
  encrypted: "true"
  kmsKeyId: "arn:aws:kms:us-east-1:123456789012:key/my-key"

Why It Matters

Protects data even if storage is compromised.
Ensures compliance with encryption standards.

6. Monitor and Audit CSI Driver Activity

Issue: Without monitoring, attacks on CSI drivers may go undetected.
Fix: Enable audit logging and monitor storage access.

Enable Kubernetes Audit Logging for Storage Events

apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  - level: Metadata
    verbs: ["create", "delete", "patch", "update"]
    resources:
      - group: "storage.k8s.io"
        resources: ["persistentvolumes", "persistentvolumeclaims", "csidrivers"]

Why It Matters

Detects unauthorized storage access or modifications.
Provides visibility into CSI driver activity.

Conclusion

To secure Kubernetes CSI drivers, administrators should enforce strict RBAC controls, disable privileged mode, restrict volume access, enable encryption, and monitor storage activity. These best practices ensure secure storage provisioning and prevent unauthorized data access.

1. Restrict Persistent Volume Attachment to Authorized Pods​

Secure Storage Class Configuration​

Why It Matters​

2. Enforce RBAC Controls on CSI Drivers​

Secure CSI Driver RBAC Policy​

Why It Matters​

3. Disable Privileged CSI Drivers​

Secure CSI Driver Deployment​

Why It Matters​

4. Enforce Read-Only Volume Access for Sensitive Data​

Secure PVC Definition​

Why It Matters​

5. Enable Encryption for Persistent Volumes​

Secure Encrypted Storage (AWS EBS Example)​

Why It Matters​

6. Monitor and Audit CSI Driver Activity​

Enable Kubernetes Audit Logging for Storage Events​

Why It Matters​

Conclusion​

1. Restrict Persistent Volume Attachment to Authorized Pods

Secure Storage Class Configuration

Why It Matters

2. Enforce RBAC Controls on CSI Drivers

Secure CSI Driver RBAC Policy

Why It Matters

3. Disable Privileged CSI Drivers

Secure CSI Driver Deployment

Why It Matters

4. Enforce Read-Only Volume Access for Sensitive Data

Secure PVC Definition

Why It Matters

5. Enable Encryption for Persistent Volumes

Secure Encrypted Storage (AWS EBS Example)

Why It Matters

6. Monitor and Audit CSI Driver Activity

Enable Kubernetes Audit Logging for Storage Events

Why It Matters

Conclusion