Kubernetes Security Checklist
Anjana Silva
The following is a basic Kubernetes security checklist. It is not exhaustive, and some items apply only to particular cluster configurations.
Primarily, cluster security can be broken down into three main parts: authentication security, pod security and network security.
Authentication Security
- system:masters group: gives full control over every resource in the cluster and in all namespaces, including the namespace itself (i.e. super-user).
- kube-controller-manager: manages a set of non-terminating loops (control loops, or controllers) that watch the state of the cluster.
- Root certificate: the certificate issued by the cluster's root CA.
- Intermediate and leaf certificates: an intermediate certificate is issued by a CA subordinate to the root CA and helps distribute trust and manage certificate lifecycles; a leaf certificate is the actual certificate used by a specific component, such as the API server or an ingress controller.
- RBAC good practices: such as least privilege, minimising the distribution of privileged tokens, and so on.
Pod Security
- RBAC rights: rights to create, update, patch and delete workloads are granted carefully.
- Pod Security Standards: policies such as privileged, baseline and restricted, covering the security spectrum.
- Memory limit: a memory limit is set for the workloads, with a limit equal or inferior to the request.
- CPU limits: CPU limits are set on sensitive workloads.
- Seccomp, AppArmor, SELinux: Seccomp is a secure computing mode that can be used to sandbox the privileges of a process; AppArmor is an easy way to implement Mandatory Access Control (MAC); and SELinux is a security module that provides an access control mechanism on Linux nodes.
Network Security
- CNI plugins supporting network policies: Container Network Interface plugins for cluster networking that support network policies, e.g. Flannel, Calico, Weave Net and so on.
- Ingress and egress network policies: ingress is incoming traffic to the pod and egress is outgoing traffic from the pod. Network policies controlling traffic flow at the IP address or port level for the TCP, UDP and SCTP protocols must be in place.
- Default network policies: default network policies within each namespace, selecting all pods and denying everything, are in place.
- Service mesh: if appropriate, a service mesh is used to encrypt all communications inside the cluster.
- Kubernetes API, kubelet API and etcd: the Kubernetes API is an HTTP API that lets end users, different parts of your cluster and external components communicate with one another. The kubelet API is used to get information about pods (and more) on a node. etcd is a consistent and highly available key-value store holding all cluster data. Ensure none of these is exposed publicly over the Internet.
- Access to the cloud metadata API: the metadata API gives access to details such as cluster type and version, pod name, pod namespace, pod UUID and so on over a REST API. Therefore, ensure appropriate security measures are in place.
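As an added example (not part of this article), here is a small stdlib-only Python audit that checks manifests parsed into dicts (for instance from `kubectl get ... -o json`) against several of the items above: the Pod Security Standards enforce label on the namespace, memory and CPU limits, privileged containers, the seccomp profile, and a default-deny NetworkPolicy in the namespace. The manifests inside it are constructed samples, and the memory check only verifies that a limit exists.

```python
PSS_LEVELS = ("baseline", "restricted")
SECCOMP_OK = ("RuntimeDefault", "Localhost")

def audit_namespace(ns: dict) -> list[str]:
    # Pod Security Standards: the namespace should enforce baseline or restricted.
    labels = ns.get("metadata", {}).get("labels", {})
    if labels.get("pod-security.kubernetes.io/enforce") not in PSS_LEVELS:
        return [f"namespace {ns['metadata']['name']}: no baseline/restricted PSS enforce label"]
    return []

def audit_pod(pod: dict) -> list[str]:
    # Memory/CPU limits, privileged flag and seccomp profile for every container.
    findings, spec = [], pod.get("spec", {})
    pod_seccomp = spec.get("securityContext", {}).get("seccompProfile", {})
    for c in spec.get("containers", []):
        name, limits = c["name"], c.get("resources", {}).get("limits", {})
        sc = c.get("securityContext", {})
        for r in ("memory", "cpu"):
            if r not in limits:
                findings.append(f"{name}: no {r} limit")
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        # A container-level seccompProfile overrides the pod-level one.
        if sc.get("seccompProfile", pod_seccomp).get("type") not in SECCOMP_OK:
            findings.append(f"{name}: seccomp profile is not RuntimeDefault/Localhost")
    return findings

def has_default_deny(policies: list[dict], namespace: str) -> bool:
    # Selecting all pods ({}), listing both policyTypes and having no rules denies all traffic.
    return any(
        p.get("metadata", {}).get("namespace") == namespace
        and p["spec"].get("podSelector") == {}
        and {"Ingress", "Egress"} <= set(p["spec"].get("policyTypes", []))
        and not p["spec"].get("ingress") and not p["spec"].get("egress")
        for p in policies)

# Constructed sample input (not real cluster data): an unlabelled namespace, a pod
# that breaks several checklist items, and a correct default-deny NetworkPolicy.
NAMESPACE = {"metadata": {"name": "payments", "labels": {}}}
POD = {"metadata": {"name": "api", "namespace": "payments"}, "spec": {
    "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [
        {"name": "app", "resources": {"limits": {"cpu": "500m"}},
         "securityContext": {"privileged": True}},
        {"name": "sidecar", "resources": {"limits": {"cpu": "100m", "memory": "64Mi"}},
         "securityContext": {"seccompProfile": {"type": "Unconfined"}}}]}}
POLICIES = [{"metadata": {"name": "default-deny", "namespace": "payments"},
             "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}}]
```

Running `audit_namespace(NAMESPACE)`, `audit_pod(POD)` and `has_default_deny(POLICIES, "payments")` on the sample reports the missing PSS label, the missing memory limit and privileged flag on `app`, and the unconfined seccomp profile on `sidecar`, while the default-deny policy passes.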
If we put all these into one diagram, it would look like this:
I believe you have learned something new. Let me know what you think of this article. I am curious to hear your feedback.
------------
Share this article with your colleagues/friends if you found it useful. It means the world to me.
Let's learn and grow together.
Have a great day!