DevOps Buzz
Search…
Bash / Shell
Bitbucket
Distros
Elasticsearch
General
Guidelines / Standards
microk8s
Prometheus
RabbitMQ
VirtualBox
Security
K8s security tips

General overview

Best practices

Upgrade

Make sure you are using the latest K8s and ETCD versions.

Block ports

Block K8s ports 10250 and 10255

Read-only file systems

1
securityContext:
2
readOnlyRootFilesystem: true
3
volumes:
4
- emptyDir: {}
5
name: varlog # Creates RAM based empty-dir
Copied!
Use https://docs.docker.com/engine/reference/commandline/diff/ to inspect changes to files or directories on a container’s filesystem.

Linux capabilities

Split root superpowers into a series of capabilities, such as:
  • CAP_FOWNER (used by chmod)
  • CAP_CHOWN (used by chown)
  • CAP_NET_RAW (used by ping)
Example 01.
1
securityContext:
2
capabilities:
3
drop:
4
- all
Copied!
Example 02.
1
{
2
"Container": {
3
"Name": "api",
4
"Pod": "api-server-8874923",
5
"Namespace": "api"
6
},
7
"CapabilitiesRequired": [
8
{
9
"Cap": "CAP_CHOWN",
10
"Command": "tar"
11
},
12
{
13
"Cap": "CAP_FOWNER",
14
"Command": "tar"
15
},
16
{
17
"Cap": "CAP_FSETID",
18
"Command": "tra"
19
}
20
]
21
}
Copied!

References

Deny Egress by default

1
apiVersion: networking.k8s.io/v1
2
kind: NetworkPolicy
3
metadata:
4
name: default-deny
5
spec:
6
podSelector:
7
matchLabels:
8
app: api-server
9
policyTypes:
10
- Egress
Copied!