Security

K8s security tips

PreviousOperators NextVolumes

Last updated 5 years ago

Security

K8s security tips

General overview

Best practices

Upgrade

Make sure you are using the latest K8s and ETCD versions.

Block ports

Block K8s ports 10250 and 10255

Read-only file systems

securityContext:
  readOnlyRootFilesystem: true
volumes:
  - emptyDir: {}
  name: varlog # Creates RAM based empty-dir

Linux capabilities

Split root superpowers into a series of capabilities, such as:

CAP_FOWNER (used by chmod)
CAP_CHOWN (used by chown)
CAP_NET_RAW (used by ping)

Example 01.

securityContext:
      capabilities:
        drop:
          - all

Example 02.

{
  "Container": {
    "Name": "api",
    "Pod": "api-server-8874923",
    "Namespace": "api"
  },
  "CapabilitiesRequired": [
    {
      "Cap": "CAP_CHOWN",
      "Command": "tar"
    },
    {
      "Cap": "CAP_FOWNER",
      "Command": "tar"
    },
    {
      "Cap": "CAP_FSETID",
      "Command": "tra"
    }
  ]
}

References

Deny Egress by default

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
spec:
  podSelector:
    matchLabels:
      app: api-server
  policyTypes:
  - Egress

PreviousOperators NextVolumes

Last updated 5 years ago