# Security

## General overview

![](https://1923299483-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LVfLS9KLUfusOjV0FX_%2F-LwEAXiPlJcyg3B_eH2a%2F-LwEEQXkyjpvuhRIvfTb%2Fimage.png?alt=media\&token=d436fdc7-6d04-4da2-9fdd-508966f4acd9)

## Best practices

### Upgrade

Make sure you are using the latest K8s and ETCD versions.

### Block ports

Block K8s ports 10250 and 10255 (the kubelet API and the unauthenticated read-only kubelet port) from untrusted networks.

### Read-only file systems

```
securityContext:
  readOnlyRootFilesystem: true  # the container cannot write to its own image layers
volumes:
  - name: varlog                # writable scratch space; mount it via volumeMounts where writes are needed
    emptyDir:
      medium: Memory            # RAM-backed (tmpfs) emptyDir; omit `medium` for node-disk storage
```

Use <https://docs.docker.com/engine/reference/commandline/diff/> to inspect changes to files or directories on a container’s filesystem.

### Linux capabilities

Split root superpowers into a series of capabilities, such as:

* CAP\_FOWNER (used by chmod)
* CAP\_CHOWN (used by chown)
* CAP\_NET\_RAW (used by ping)

Example 01: drop every capability, then add back only the ones the process needs.

```
securityContext:
  capabilities:
    drop:
      - ALL
```

Example 02: a per-container record of which capabilities each command actually requires; this is the allow-list to add back after dropping all.

```
{
  "Container": {
    "Name": "api",
    "Pod": "api-server-8874923",
    "Namespace": "api"
  },
  "CapabilitiesRequired": [
    {
      "Cap": "CAP_CHOWN",
      "Command": "tar"
    },
    {
      "Cap": "CAP_FOWNER",
      "Command": "tar"
    },
    {
      "Cap": "CAP_FSETID",
      "Command": "tar"
    }
  ]
}
```
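As an added example (not code from the original page or any project it references), a stdlib-only Python checker that audits each container of a Pod, as returned by `kubectl get pod -o json`, for the two settings above: a read-only root filesystem and `drop: ALL` with no capabilities added back. The sample Pod document is constructed for the demonstration.

```python
import json

# Constructed sample, shaped like `kubectl get pod -o json` output: the "api"
# container follows the two settings above, the "sidecar" container does not.
SAMPLE_POD_JSON = """
{
  "kind": "Pod",
  "metadata": {"name": "api-server-8874923", "namespace": "api"},
  "spec": {
    "containers": [
      {"name": "api",
       "securityContext": {"readOnlyRootFilesystem": true,
                           "capabilities": {"drop": ["ALL"]}}},
      {"name": "sidecar",
       "securityContext": {"capabilities": {"add": ["NET_RAW"]}}}
    ]
  }
}
"""


def _caps(values):
    """Normalise capability names: Kubernetes omits the CAP_ prefix, audit tools add it."""
    names = {v.upper() for v in values or []}
    return {n[4:] if n.startswith("CAP_") else n for n in names}


def audit_container(container):
    """Return the list of findings for one container's securityContext."""
    sc = container.get("securityContext") or {}
    caps = sc.get("capabilities") or {}
    dropped, added = _caps(caps.get("drop")), _caps(caps.get("add"))
    findings = []
    if not sc.get("readOnlyRootFilesystem"):
        findings.append("readOnlyRootFilesystem is not true")
    if "ALL" not in dropped:
        findings.append("capabilities.drop does not include ALL")
    if added:  # anything added back must be justified, as in Example 02
        findings.append("capabilities.add re-enables " + ", ".join(sorted(added)))
    return findings


def audit_pod_json(pod_json):
    """Map container name -> findings for every container (init containers included)."""
    spec = json.loads(pod_json).get("spec", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    return {c["name"]: audit_container(c) for c in containers}


if __name__ == "__main__":
    for name, findings in audit_pod_json(SAMPLE_POD_JSON).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Feed it `kubectl get pod <name> -o json` output to review a running workload; a container with an empty findings list satisfies both checks.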

#### References

<https://linux-audit.com/linux-capabilities-hardening-linux-binaries-by-removing-setuid/>

### Deny Egress by default

```
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
spec:
  podSelector:          # pods this policy applies to; `podSelector: {}` would cover every pod in the namespace
    matchLabels:
      app: api-server
  policyTypes:
  - Egress              # no egress rules are listed, so all outbound traffic from the selected pods is denied
```

Because this also blocks name resolution, pair it with a policy that allows egress from the same pods to the cluster DNS service on UDP and TCP port 53.
