Comment on page
Security
K8s security tips
Make sure you are using the latest K8s and ETCD versions.
Block K8s ports 10250 and 10255
securityContext:
readOnlyRootFilesystem: true
volumes:
- emptyDir: {}
name: varlog # Creates RAM based empty-dir
Use https://docs.docker.com/engine/reference/commandline/diff/ to inspect changes to files or directories on a container’s filesystem.
Split root superpowers into a series of capabilities, such as:
- CAP_FOWNER (used by chmod)
- CAP_CHOWN (used by chown)
- CAP_NET_RAW (used by ping)
Example 01.
securityContext:
capabilities:
drop:
- all
Example 02.
{
"Container": {
"Name": "api",
"Pod": "api-server-8874923",
"Namespace": "api"
},
"CapabilitiesRequired": [
{
"Cap": "CAP_CHOWN",
"Command": "tar"
},
{
"Cap": "CAP_FOWNER",
"Command": "tar"
},
{
"Cap": "CAP_FSETID",
"Command": "tra"
}
]
}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny
spec:
podSelector:
matchLabels:
app: api-server
policyTypes:
- Egress
Last modified 3yr ago