Security

K8s security tips

General overview
Best practices
Upgrade
Make sure you are using the latest K8s and ETCD versions.
Block ports
Block K8s ports 10250 and 10255
Read-only file systems
securityContext:
  readOnlyRootFilesystem: true
volumes:
  - emptyDir: {}
  name: varlog # Creates RAM based empty-dir
Use https://docs.docker.com/engine/reference/commandline/diff/ to inspect changes to files or directories on a container’s filesystem.
Linux capabilities
Split root superpowers into a series of capabilities, such as:
CAP_FOWNER (used by chmod)
CAP_CHOWN (used by chown)
CAP_NET_RAW (used by ping)
Example 01.
securityContext:
      capabilities:
        drop:
          - all
Example 02.
{
  "Container": {
    "Name": "api",
    "Pod": "api-server-8874923",
    "Namespace": "api"
  },
  "CapabilitiesRequired": [
    {
      "Cap": "CAP_CHOWN",
      "Command": "tar"
    },
    {
      "Cap": "CAP_FOWNER",
      "Command": "tar"
    },
    {
      "Cap": "CAP_FSETID",
      "Command": "tra"
    }
  ]
}
References
​https://linux-audit.com/linux-capabilities-hardening-linux-binaries-by-removing-setuid/​
Deny Egress by default
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
spec:
  podSelector:
    matchLabels:
      app: api-server
  policyTypes:
  - Egress
​

Kubernetes - Previous

Operators

Next - Kubernetes

Volumes

Last modified 3yr ago

Security

General overview

Best practices

Upgrade

Block ports

Read-only file systems

Linux capabilities

References

Deny Egress by default

​