DevOps Buzz

Security

K8s security tips

General overview

Best practices

Upgrade

Run a supported, current release of Kubernetes and etcd, apply patch releases promptly (they are where security fixes land), and keep kubelets within the supported version skew of the API server.

Block ports

Port 10250 is the kubelet API (it can list pods, read logs and exec into containers) and 10255 is the kubelet's unauthenticated read-only port. Neither belongs on the network: firewall 10250 so that only the control plane can reach it and require authentication and authorization on it (anonymous auth off, webhook authorization), and disable 10255 entirely by setting the kubelet's read-only port to 0 (`--read-only-port=0` or `readOnlyPort: 0` in the kubelet configuration file).
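The kubelet settings described above as one configuration file. This is an added example and not the page's own configuration; the client CA path is an assumption that matches kubeadm's default layout.

```yaml
# Added example (not from the original page): a KubeletConfiguration that
# disables the read-only port and requires authn/authz on port 10250.
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
readOnlyPort: 0                  # 10255 is not opened at all
authentication:
  anonymous:
    enabled: false               # unauthenticated requests to 10250 get 401
  webhook:
    enabled: true                # bearer tokens are checked via TokenReview
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.crt   # assumed path (kubeadm default)
authorization:
  mode: Webhook                  # every request is authorized via SubjectAccessReview
```

Point the kubelet at the file with `--config` and check from another host: `curl -sk https://<node>:10250/pods` should answer 401 Unauthorized and a connection to `http://<node>:10255/pods` should be refused. The firewall rule restricting 10250 to the control plane is still needed; the configuration only hardens what answers on the port.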

Read-only file systems

securityContext:            # container spec
  readOnlyRootFilesystem: true
volumeMounts:
- name: varlog
  mountPath: /var/log       # the one path the process is allowed to write
volumes:                    # pod spec
- name: varlog
  emptyDir:
    medium: Memory          # RAM-backed (tmpfs); without medium an emptyDir lives on node disk
With the root filesystem read-only, any path the process must write to gets an explicit volume, so writes outside it fail and a dropped tool or modified binary has nowhere to land. On nodes that still run the Docker runtime, https://docs.docker.com/engine/reference/commandline/diff/ (`docker diff <container>`) lists files that differ from the image; with this setting the only changes should be under the mounted volumes.

Linux capabilities

Rather than running as full root, the kernel splits root's powers into individual capabilities that a container can keep or drop, for example:
  • CAP_FOWNER (bypasses the file-owner check, needed by chmod on files you do not own)
  • CAP_CHOWN (needed by chown)
  • CAP_NET_RAW (raw sockets, used by ping; it also lets a process sniff and spoof packets on the pod network, so drop it unless required)
Example 01. Drop every capability and add back only what profiling shows is needed:
securityContext:
  capabilities:
    drop:
    - ALL
Example 02. Profiling output listing the capabilities a container actually exercised at runtime and the command that needed each one; this is the evidence for deciding what to add back after dropping ALL:
{
  "Container": {
    "Name": "api",
    "Pod": "api-server-8874923",
    "Namespace": "api"
  },
  "CapabilitiesRequired": [
    {
      "Cap": "CAP_CHOWN",
      "Command": "tar"
    },
    {
      "Cap": "CAP_FOWNER",
      "Command": "tar"
    },
    {
      "Cap": "CAP_FSETID",
      "Command": "tar"
    }
  ]
}
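Examples 01 and 02 combined into one manifest, as an added example that is not from the original page: the container drops ALL and adds back exactly the three capabilities the profile attributed to tar. The pod name, image and backend details are assumptions.

```yaml
# Added example (not from the original page). Image and names are assumed.
apiVersion: v1
kind: Pod
metadata:
  name: api-server
  namespace: api
spec:
  containers:
  - name: api
    image: registry.example.com/api:1.0.0   # assumed image
    securityContext:
      allowPrivilegeEscalation: false       # sets no_new_privs: no setuid/file-cap elevation
      readOnlyRootFilesystem: true
      capabilities:
        drop:
        - ALL                               # start from nothing
        add:                                # Kubernetes names omit the CAP_ prefix
        - CHOWN                             # tar restoring file ownership
        - FOWNER                            # tar chmod on files it does not own
        - FSETID                            # tar preserving setuid/setgid bits
```

The container here still runs as root (the default UID) because, with the common runtimes, capabilities added for a non-root UID end up in the bounding set only and are not effective for the process; making them effective requires file capabilities on the binary, which `allowPrivilegeEscalation: false` in turn blocks. Profile first, add the minimum, and re-run the profile after the change to confirm nothing now fails for lack of a capability.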


Deny Egress by default

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
spec:
  podSelector:
    matchLabels:
      app: api-server
  policyTypes:
  - Egress
Because policyTypes lists Egress and no egress rules are given, pods labelled app: api-server can send no traffic at all, DNS included; allow what each workload needs in separate policies (policies are additive, so the union of their allow rules applies). This policy selects only the api-server pods; a namespace-wide default uses an empty podSelector. NetworkPolicy is enforced only by a CNI plugin that implements it (Calico, Cilium and similar); on a cluster without one the object is accepted and silently ignored.