Security
K8s security tips
General overview

Best practices
Upgrade
Make sure you are running the latest supported K8s and etcd versions.
Block ports
Block K8s ports 10250 (kubelet API) and 10255 (kubelet read-only API) from untrusted networks.
Read-only file systems
securityContext:                  # container-level: the image's root filesystem becomes immutable
  readOnlyRootFilesystem: true
volumeMounts:                     # give the process a writable scratch path for what it must write
- name: varlog
  mountPath: /var/log
volumes:                          # pod-level
- name: varlog
  emptyDir: {}                    # node-disk backed; set medium: Memory for a RAM-backed tmpfs
Use https://docs.docker.com/engine/reference/commandline/diff/ to inspect changes to files or directories on a container’s filesystem.
Linux capabilities
Linux splits root's privileges into distinct capabilities, so a container can be granted only the ones it needs, such as:
CAP_FOWNER (used by chmod)
CAP_CHOWN (used by chown)
CAP_NET_RAW (used by ping)
Example 01.
securityContext:
  capabilities:
    drop:
    - ALL             # drop every capability, then add back only what the workload needs
Example 02.
{
  "Container": {
    "Name": "api",
    "Pod": "api-server-8874923",
    "Namespace": "api"
  },
  "CapabilitiesRequired": [
    {
      "Cap": "CAP_CHOWN",
      "Command": "tar"
    },
    {
      "Cap": "CAP_FOWNER",
      "Command": "tar"
    },
    {
      "Cap": "CAP_FSETID",
      "Command": "tar"
    }
  ]
}
References
https://linux-audit.com/linux-capabilities-hardening-linux-binaries-by-removing-setuid/
Deny Egress by default
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
spec:
  podSelector:        # selects only pods labelled app=api-server; use podSelector: {} to cover every pod in the namespace
    matchLabels:
      app: api-server
  policyTypes:
  - Egress            # no egress rules listed, so all outbound traffic (DNS included) is denied for the selected pods
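The controls above (read-only root filesystem, dropping all capabilities, and an Egress NetworkPolicy) are easy to state and easy to forget on one Pod. The following is an added example, not code from the original notes, that audits Pod manifests for those settings and reports which Pods in a namespace are not selected by any Egress policy; this is the gap a label-scoped "default-deny" leaves open. Manifests are handled as plain dicts (what `yaml.safe_load` or `json.loads` returns), and the Pods and policies embedded below are constructed sample data.

```python
"""Static audit of Pod manifests against the hardening tips above.

Checks per container: readOnlyRootFilesystem set, capabilities.drop contains
ALL, no capabilities added, not privileged.  Checks per namespace: every Pod
is selected by at least one NetworkPolicy whose policyTypes include Egress.
"""


def audit_container(container: dict) -> list:
    """Return human-readable findings for one container spec."""
    findings = []
    name = container.get("name", "<unnamed>")
    sc = container.get("securityContext") or {}
    if sc.get("readOnlyRootFilesystem") is not True:
        findings.append(f"{name}: readOnlyRootFilesystem is not true")
    caps = sc.get("capabilities") or {}
    dropped = {c.upper() for c in caps.get("drop") or []}
    if "ALL" not in dropped:
        findings.append(f"{name}: capabilities.drop does not include ALL")
    added = sorted(c.upper() for c in caps.get("add") or [])
    if added:
        findings.append(f"{name}: adds capabilities {added}")
    if sc.get("privileged"):
        findings.append(f"{name}: privileged container")
    return findings


def audit_pod(pod: dict) -> list:
    """Findings for every container in a Pod (init containers included)."""
    spec = pod.get("spec") or {}
    findings = []
    for c in (spec.get("initContainers") or []) + (spec.get("containers") or []):
        findings.extend(audit_container(c))
    return findings


def has_egress_type(policy: dict) -> bool:
    """Kubernetes defaults policyTypes to Ingress, plus Egress only if an egress section exists."""
    spec = policy["spec"]
    if "policyTypes" in spec:
        return "Egress" in spec["policyTypes"]
    return "egress" in spec


def selects(policy: dict, pod: dict) -> bool:
    """True if the policy's podSelector matches the Pod (same namespace required).

    An empty selector ({}) matches every Pod in the namespace; matchExpressions
    are not modelled here (assumption: matchLabels only).
    """
    if policy["metadata"].get("namespace", "default") != pod["metadata"].get("namespace", "default"):
        return False
    wanted = (policy["spec"].get("podSelector") or {}).get("matchLabels") or {}
    labels = pod["metadata"].get("labels") or {}
    return all(labels.get(k) == v for k, v in wanted.items())


def pods_without_egress_policy(pods: list, policies: list) -> list:
    """Names of Pods that no Egress-type NetworkPolicy selects."""
    egress_policies = [p for p in policies if has_egress_type(p)]
    return [pod["metadata"]["name"] for pod in pods
            if not any(selects(p, pod) for p in egress_policies)]


# Constructed sample objects (not real cluster data).
WEAK_POD = {
    "metadata": {"name": "api-server-8874923", "namespace": "api", "labels": {"app": "api-server"}},
    "spec": {"containers": [{"name": "api", "image": "example/api:1.0"}]},
}
HARDENED_POD = {
    "metadata": {"name": "worker-1", "namespace": "api", "labels": {"app": "worker"}},
    "spec": {"containers": [{
        "name": "worker", "image": "example/worker:1.0",
        "securityContext": {"readOnlyRootFilesystem": True, "capabilities": {"drop": ["ALL"]}},
    }]},
}
# Same shape as the policy above: scoped to app=api-server only.
DENY_API_SERVER = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "default-deny", "namespace": "api"},
    "spec": {"podSelector": {"matchLabels": {"app": "api-server"}}, "policyTypes": ["Egress"]},
}
# True namespace-wide default deny: empty podSelector.
DENY_ALL = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "default-deny-all", "namespace": "api"},
    "spec": {"podSelector": {}, "policyTypes": ["Egress"]},
}

if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or "OK")
    print("uncovered with label-scoped policy:", pods_without_egress_policy([WEAK_POD, HARDENED_POD], [DENY_API_SERVER]))
    print("uncovered with podSelector {}:", pods_without_egress_policy([WEAK_POD, HARDENED_POD], [DENY_ALL]))
```

Running it shows two findings for the unhardened Pod, none for the hardened one, and that the label-scoped policy leaves `worker-1` with unrestricted egress while the empty-selector policy covers both Pods. The same functions can be fed the output of `kubectl get pods,networkpolicies -o json` to audit a live namespace.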