Security

K8s security tips

General overview

Best practices

Upgrade

Make sure you are using the latest K8s and ETCD versions.

Block ports

Block K8s ports 10250 and 10255 (the kubelet API and its read-only port) from untrusted networks.

Read-only file systems

securityContext:
  readOnlyRootFilesystem: true   # container-level: the root filesystem is mounted read-only
volumeMounts:
  - name: varlog
    mountPath: /var/log          # the one path the process may still write to
volumes:
  - name: varlog
    emptyDir: {}                 # pod-level scratch volume; add `medium: Memory` for a RAM-backed (tmpfs) emptyDir

Use docker diff (https://docs.docker.com/engine/reference/commandline/diff/) to inspect changes to files or directories on a container's filesystem, i.e. to find out which paths a workload actually writes to before locking the root filesystem down.

Linux capabilities

Linux splits the powers of root into a series of discrete capabilities, so a container can drop the ones it does not need, such as:

  • CAP_FOWNER (used by chmod)

  • CAP_CHOWN (used by chown)

  • CAP_NET_RAW (used by ping)

Example 01. Drop every capability and add back only what the workload needs:

securityContext:
  capabilities:
    drop:
      - ALL

Example 02. Output of a capability-tracing tool, listing which capabilities each command in the container actually used:

{
  "Container": {
    "Name": "api",
    "Pod": "api-server-8874923",
    "Namespace": "api"
  },
  "CapabilitiesRequired": [
    {
      "Cap": "CAP_CHOWN",
      "Command": "tar"
    },
    {
      "Cap": "CAP_FOWNER",
      "Command": "tar"
    },
    {
      "Cap": "CAP_FSETID",
      "Command": "tar"
    }
  ]
}
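The two settings above (read-only root filesystem, dropped capabilities) are easy to forget on one container of a multi-container pod. As an added example, not code from the original page or from any Kubernetes project, the following Python audits a Pod manifest in the dict form that kubectl get pod -o json returns and reports every container that is missing them. The sample manifests are constructed for illustration; the pod name is reused from Example 02.

```python
# Added example: audit Pod manifests for the hardening settings discussed above.
# Not part of the original page or of Kubernetes; sample manifests are constructed.


def _norm(cap):
    """Normalise a capability name: Kubernetes writes NET_RAW, tools often write CAP_NET_RAW."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit_container(pod_name, container):
    """Return a list of (pod, container, finding) tuples for one container spec."""
    findings = []
    name = container.get("name", "<unnamed>")
    sc = container.get("securityContext") or {}

    # 1. The root filesystem stays writable unless readOnlyRootFilesystem is explicitly true.
    if sc.get("readOnlyRootFilesystem") is not True:
        findings.append((pod_name, name, "root filesystem is writable (set readOnlyRootFilesystem: true)"))

    caps = sc.get("capabilities") or {}
    dropped = {_norm(c) for c in caps.get("drop", [])}
    added = {_norm(c) for c in caps.get("add", [])}

    # 2. Without drop: [ALL] the runtime's default capability set is kept.
    if "ALL" not in dropped:
        findings.append((pod_name, name, "default capability set retained (use drop: [ALL])"))

    # 3. Anything added back deserves a review entry, e.g. NET_RAW for ping.
    for cap in sorted(added):
        findings.append((pod_name, name, f"capability added back: {cap}"))

    # 4. privileged: true bypasses capability dropping altogether.
    if sc.get("privileged") is True:
        findings.append((pod_name, name, "privileged: true overrides all capability restrictions"))
    return findings


def audit_pod(pod):
    """Audit every init container and regular container of a Pod manifest."""
    pod_name = pod["metadata"]["name"]
    spec = pod["spec"]
    findings = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        findings.extend(audit_container(pod_name, c))
    return findings


# Constructed sample: the hardened shape from the two snippets above.
HARDENED_POD = {
    "metadata": {"name": "api-server-8874923"},
    "spec": {
        "containers": [{
            "name": "api",
            "image": "example/api:1.0",
            "securityContext": {
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
            "volumeMounts": [{"name": "varlog", "mountPath": "/var/log"}],
        }],
        "volumes": [{"name": "varlog", "emptyDir": {}}],
    },
}

# Constructed sample: one container with no securityContext at all and a
# privileged debug sidecar that adds NET_RAW back.
WEAK_POD = {
    "metadata": {"name": "api-server-8874923"},
    "spec": {
        "containers": [
            {"name": "api", "image": "example/api:1.0"},
            {
                "name": "debug",
                "image": "example/debug:1.0",
                "securityContext": {"privileged": True, "capabilities": {"add": ["CAP_NET_RAW"]}},
            },
        ],
    },
}


if __name__ == "__main__":
    for pod in (HARDENED_POD, WEAK_POD):
        for pod_name, container, finding in audit_pod(pod) or [(pod["metadata"]["name"], "-", "no findings")]:
            print(f"{pod_name}/{container}: {finding}")
```

The lowercase `all` that Kubernetes also tolerates and the `CAP_` prefix used by tracing tools are both normalised before comparison, so the checker gives the same verdict whichever spelling a manifest uses.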

References

https://linux-audit.com/linux-capabilities-hardening-linux-binaries-by-removing-setuid/

Deny Egress by default (a policy with policyTypes Egress and no egress rules drops all outbound traffic from the selected pods):

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
spec:
  podSelector:
    matchLabels:
      app: api-server   # only pods with this label are affected; podSelector: {} would select every pod in the namespace
  policyTypes:
  - Egress              # no egress section follows, so nothing is allowed out
