DevOps Buzz
Search…
Bash / Shell
Bitbucket
Distros
Elasticsearch
General
Guidelines / Standards
microk8s
Prometheus
RabbitMQ
VirtualBox
Security
K8s security tips

General overview

Best practices

Upgrade

Make sure you are using the latest K8s and ETCD versions.

Block ports

Block K8s ports 10250 and 10255

Read-only file systems

securityContext:
readOnlyRootFilesystem: true
volumes:
- emptyDir: {}
name: varlog # Creates RAM based empty-dir
Use https://docs.docker.com/engine/reference/commandline/diff/ to inspect changes to files or directories on a container’s filesystem.

Linux capabilities

Split root superpowers into a series of capabilities, such as:
  • CAP_FOWNER (used by chmod)
  • CAP_CHOWN (used by chown)
  • CAP_NET_RAW (used by ping)
Example 01.
securityContext:
capabilities:
drop:
- all
Example 02.
{
"Container": {
"Name": "api",
"Pod": "api-server-8874923",
"Namespace": "api"
},
"CapabilitiesRequired": [
{
"Cap": "CAP_CHOWN",
"Command": "tar"
},
{
"Cap": "CAP_FOWNER",
"Command": "tar"
},
{
"Cap": "CAP_FSETID",
"Command": "tra"
}
]
}

References

Deny Egress by default

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny
spec:
podSelector:
matchLabels:
app: api-server
policyTypes:
- Egress

Copy link
Outline
General overview
Best practices
Upgrade
Block ports
Read-only file systems
Linux capabilities
Deny Egress by default