DevOps Buzz
Search…
Initial page
About me
Ansible
Cheat Sheet
Dynamic inventory
AKS
Cheat Sheet
Autoscale
Backup
Dashboard
Ingress
Node management
News
Persistent Volumes
Arch Linux
Docker
Install
Network
VirtualBox guest
Azure
API
CLI/Powershell
DevOps
Application Gateway
Tools
Sops
AWS
Cheat Sheet
Tools
Cognito with Amplify and React
Bash / Shell
Cheat Sheet
Tools
Bitbucket
Cheat Sheet
CSS
Cheat Sheet
Distros
Manjaro
Docker
Cheat Sheet
ELK
Ubuntu NoVNC
Tools
Known errors and solutions
Elasticsearch
Cheat Sheet
Tools
ELK
Cheat Sheet
emacs
Cheat sheet
Gatekeeper (OPA)
Cheat Sheet
Developer Quick Start
GCP
Cheat Sheet
General
Tools
News
Git
Cheat Sheet
Tools
Golang
Cheat Sheet
Guidelines / Standards
Cheat Sheet
i3wm
Cheat Sheet
Ipsec
Cheat sheet
Istio
Cheat Sheet
Kind
Cheat Sheet
Kops
Cheat Sheet
Kubeadm
Cheat Sheet
Change serviceSubnet CIDR
Setup cluster
Multi master
Known errors and solutions
Kubernetes
Kubectl Cheat Sheet
etcd Cheat Sheet
Tools
News
Deployments
Dashboard
ELK
Helm
Ingress
logz.io
Minikube
Monitoring
Node Management
Operators
Security
Volumes
Networking
kube-controller-manager
Known errors and solutions
Lumen
Cheat Sheet
MACOS
Cheat Sheet
Qemu
Zsh
microk8s
Cheat Sheet
MongoDB
Cheat Sheet
Tools
MySQL
Cheat Sheet
Network
Tools
WDS - Wireless Distribution System
Expose server under NAT
nvim
Cheat Sheet
Openvpn
OpenVPN server on Ubuntu 18.06
Stunnel
PHP
Composer
Prometheus
Tools
Python
Cheat Sheet
Pydantic
Tools / Modules
Virtualenv
RabbitMQ
Cheat Sheet
ReactJS
Fixes
For beginners
Ruby
Cheat Sheet
Rails
rvm
Rundeck
Cheat Sheet
Rust
Cheat Sheet
Squid
Setup server
Expose NAT server
SRE
Cheat Sheet
SSH
Passwordless auth with RSA key
Reverse tunnel
Cheat Sheet
SSL
Cheat Sheet
certbot
STACK SETUP
Using EKS and Gitlab CI to deploy applications
Terraform
Cheat Sheet
Tools
Tmux
Cheat Sheet
Tor
Cheat Sheet
Ubuntu
Cheat Sheet
Vagrant
Cheat Sheet
VirtualBox
Cheat Sheet
Windows
Windows Docker
Fingerprint
SSH Client
Tools
VirtualBox
WSL
Powered By
GitBook
Security
K8s security tips
General overview
Best practices
Upgrade
Make sure you are using the latest K8s and ETCD versions.
Block ports
Block K8s ports 10250 and 10255
Read-only file systems
securityContext:
readOnlyRootFilesystem: true
volumes:
- emptyDir: {}
name: varlog # Creates RAM based empty-dir
Use
https://docs.docker.com/engine/reference/commandline/diff/
to inspect changes to files or directories on a container’s filesystem.
Linux capabilities
Split root superpowers into a series of capabilities, such as:
CAP_FOWNER (used by chmod)
CAP_CHOWN (used by chown)
CAP_NET_RAW (used by ping)
Example 01.
securityContext:
capabilities:
drop:
- all
Example 02.
{
"Container": {
"Name": "api",
"Pod": "api-server-8874923",
"Namespace": "api"
},
"CapabilitiesRequired": [
{
"Cap": "CAP_CHOWN",
"Command": "tar"
},
{
"Cap": "CAP_FOWNER",
"Command": "tar"
},
{
"Cap": "CAP_FSETID",
"Command": "tra"
}
]
}
References
​
https://linux-audit.com/linux-capabilities-hardening-linux-binaries-by-removing-setuid/
​
Deny Egress by default
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny
spec:
podSelector:
matchLabels:
app: api-server
policyTypes:
- Egress
​
Kubernetes - Previous
Operators
Next - Kubernetes
Volumes
Last modified
2yr ago
Copy link
Outline
General overview
Best practices
Upgrade
Block ports
Read-only file systems
Linux capabilities
Deny Egress by default