Security

General overview
Best practices
Upgrade
Make sure you are using the latest K8s and ETCD versions.
Block ports
Block K8s ports 10250 and 10255
Read-only file systems
1
securityContext:
2
  readOnlyRootFilesystem: true
3
volumes:
4
  - emptyDir: {}
5
  name: varlog # Creates RAM based empty-dir
Copied!
Use https://docs.docker.com/engine/reference/commandline/diff/ to inspect changes to files or directories on a container’s filesystem.
Linux capabilities
Split root superpowers into a series of capabilities, such as:
CAP_FOWNER (used by chmod)
CAP_CHOWN (used by chown)
CAP_NET_RAW (used by ping)
Example 01.
1
securityContext:
2
      capabilities:
3
        drop:
4
          - all
Copied!
Example 02.
1
{
2
  "Container": {
3
    "Name": "api",
4
    "Pod": "api-server-8874923",
5
    "Namespace": "api"
6
  },
7
  "CapabilitiesRequired": [
8
    {
9
      "Cap": "CAP_CHOWN",
10
      "Command": "tar"
11
    },
12
    {
13
      "Cap": "CAP_FOWNER",
14
      "Command": "tar"
15
    },
16
    {
17
      "Cap": "CAP_FSETID",
18
      "Command": "tra"
19
    }
20
  ]
21
}
Copied!
References
​https://linux-audit.com/linux-capabilities-hardening-linux-binaries-by-removing-setuid/​
Deny Egress by default
1
apiVersion: networking.k8s.io/v1
2
kind: NetworkPolicy
3
metadata:
4
  name: default-deny
5
spec:
6
  podSelector:
7
    matchLabels:
8
      app: api-server
9
  policyTypes:
10
  - Egress
Copied!
​