Monday, September 2, 2019

Kubernetes security guidelines:

These include:
1. Hardening the Kubernetes deployment by allowing access only via published endpoints

2. Enumerating and securing each and every resource, whether a system or custom resource, with role-based access control

3. Leveraging the auditing framework available from the container engine, with or without additional auditing enhancement products.

4. Descriptive logging from each and every system component, including event generation, and collection of those logs via DaemonSets

5. Securing the storage and mounted persistent volume claims with read-only policies so that secrets are not divulged

6. Running containers as non-root so that the code does not run with escalated privilege

7. Treating Linux capabilities as the explicit permission set under which code runs in the containers, so that there is no undetected or uncontrolled access to the host

8. Securing all external and internal connectivity with the help of proxies, and TLS for external-facing connections.

9. Using service accounts specific to applications so that the privileges applications run with are contained and isolated.

10. Securing fine-grained permissions on individual operations and access of resources so that there is no unauthorized access

11. Setting up monitoring and alerting based on audit events so that all intrusions and anomalies in the system can be detected, notified and mitigated.
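Guidelines 5, 6, 7, 9 and 10 can be expressed as checks on the manifests themselves, run at admission time or in CI before anything reaches the cluster. The following is an added example and not code from the post: a weak Pod and Role beside their hardened forms, constructed as Python dicts in the shape of the YAML manifests, with the check names, the sample image and the list of host-affecting capabilities being this example's own assumptions.

```python
"""Static policy checks for Kubernetes workload manifests.

Added example, not the post's own code: a weak Pod and Role beside their
hardened forms, constructed here as Python dicts in the shape of the YAML
manifests and checked against guidelines 5, 6, 7, 9 and 10. The check
names and the list of host-affecting capabilities are our own choices; the
checks mirror what Pod Security admission or an OPA/Gatekeeper constraint
would enforce at admission time.
"""
from typing import Dict, List

# Assumption: capabilities that give a container real leverage over the host.
HOST_CAPS = {"ALL", "SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE"}


def check_pod(pod: Dict) -> List[str]:
    """Return the findings for a Pod manifest; an empty list means it passes."""
    findings: List[str] = []
    spec = pod.get("spec", {})
    # Guideline 9: an identity specific to the application, and no API token
    # mounted unless the application actually talks to the API server.
    if spec.get("serviceAccountName", "default") == "default":
        findings.append("pod runs under the 'default' service account")
    if spec.get("automountServiceAccountToken", True):
        findings.append("service account token is auto-mounted")
    # Guideline 5: PVC-backed volumes are mounted read-only.
    pvc_volumes = {v["name"] for v in spec.get("volumes", []) if "persistentVolumeClaim" in v}
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []):
        name, sc = c.get("name", "?"), c.get("securityContext", {})
        # Guideline 6: non-root and no privilege escalation (container setting wins over pod setting).
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            findings.append(f"{name}: runAsNonRoot is not set")
        if sc.get("privileged", False):
            findings.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation is not disabled")
        if not sc.get("readOnlyRootFilesystem", False):
            findings.append(f"{name}: root filesystem is writable")
        # Guideline 7: capabilities as an explicit permission set: drop ALL, add back only what is needed.
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            findings.append(f"{name}: capabilities are not dropped (drop: [ALL] missing)")
        findings += [f"{name}: adds host-affecting capability {cap}" for cap in caps.get("add", []) if cap in HOST_CAPS]
        findings += [f"{name}: PVC volume '{m['name']}' is mounted read-write"
                     for m in c.get("volumeMounts", []) if m.get("name") in pvc_volumes and not m.get("readOnly", False)]
    return findings


def check_role(role: Dict) -> List[str]:
    """Guideline 10: flag RBAC rules that are not fine-grained (wildcards, blanket secret reads)."""
    findings: List[str] = []
    for rule in role.get("rules", []):
        if any("*" in rule.get(k, []) for k in ("apiGroups", "resources", "verbs")):
            findings.append(f"{role['metadata']['name']}: wildcard in rule {rule}")
        if "secrets" in rule.get("resources", []) and not rule.get("resourceNames"):
            findings.append(f"{role['metadata']['name']}: unscoped access to every secret in the namespace")
    return findings


# Constructed sample manifests (same application, before and after hardening).
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "app"},
    "spec": {
        "volumes": [{"name": "data", "persistentVolumeClaim": {"claimName": "app-data"}}],
        "containers": [{"name": "app", "image": "example/app:1.0",
                        "securityContext": {"privileged": True},
                        "volumeMounts": [{"name": "data", "mountPath": "/data"}]}],
    },
}
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "app"},
    "spec": {
        "serviceAccountName": "app-sa",
        "automountServiceAccountToken": False,
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "volumes": [{"name": "data", "persistentVolumeClaim": {"claimName": "app-data"}}],
        "containers": [{"name": "app", "image": "example/app:1.0",
                        "securityContext": {"allowPrivilegeEscalation": False,
                                            "readOnlyRootFilesystem": True,
                                            "capabilities": {"drop": ["ALL"]}},
                        "volumeMounts": [{"name": "data", "mountPath": "/data", "readOnly": True}]}],
    },
}
WEAK_ROLE = {"kind": "Role", "metadata": {"name": "app-role"},
             "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}
HARDENED_ROLE = {"kind": "Role", "metadata": {"name": "app-role"},
                 "rules": [{"apiGroups": [""], "resources": ["configmaps"],
                            "resourceNames": ["app-config"], "verbs": ["get"]}]}

if __name__ == "__main__":
    for label, obj, fn in (("weak pod", WEAK_POD, check_pod), ("hardened pod", HARDENED_POD, check_pod),
                           ("weak role", WEAK_ROLE, check_role), ("hardened role", HARDENED_ROLE, check_role)):
        print(f"{label}: {fn(obj) or 'OK'}")
```

Running the block reports eight findings for the weak pod and one for the wildcard role, and passes both hardened objects. The `readOnly` flag matters only for the persistent volume claim here: Kubernetes already mounts Secret and ConfigMap volumes read-only, so the check targets the volumes where a writable mount is actually possible.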

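Guidelines 3, 10 and 11 come together once the API server audit log is actually read by something. The block below is an added example and not code from the post: a few audit events constructed in the audit.k8s.io/v1 Event shape, scanned by three rules (repeated Forbidden responses from one principal, a secret read by a human user, and exec into a running pod). The rule names, the namespace, user names and the alert threshold are this example's own assumptions.

```python
"""Detection rules over Kubernetes API server audit events.

Added example, not the post's own code: a handful of audit events constructed
here in the audit.k8s.io/v1 Event shape, scanned by rules that turn guidelines
3, 10 and 11 into concrete alerts: repeated Forbidden responses from one
principal, a secret read by a human user, and exec into a running pod. The
rule names and the threshold are our own choices.
"""
import json
from collections import defaultdict
from typing import Dict, List, Optional

FORBIDDEN_THRESHOLD = 3  # assumption: three denials from one principal is worth a page


def detect(lines: List[str]) -> List[Dict]:
    """Return alerts for a list of audit log lines (one JSON event per line)."""
    alerts: List[Dict] = []
    forbidden_by_user: Dict[str, int] = defaultdict(int)
    for line in lines:
        ev = json.loads(line)
        # Each request is audited at several stages; only ResponseComplete carries the
        # response code, so that is the one stage we count.
        if ev.get("stage") != "ResponseComplete":
            continue
        user = ev.get("user", {}).get("username", "?")
        ref = ev.get("objectRef", {})
        code = ev.get("responseStatus", {}).get("code", 0)
        base = {"auditID": ev.get("auditID"), "user": user}
        # Guideline 10: a Forbidden response is a request outside the permissions granted
        # by RBAC; a burst of them from one principal is the signal worth alerting on.
        if code == 403:
            forbidden_by_user[user] += 1
            if forbidden_by_user[user] == FORBIDDEN_THRESHOLD:
                alerts.append({**base, "rule": "repeated-forbidden", "count": FORBIDDEN_THRESHOLD})
        # Guideline 5: a successful secret read by anything other than a system component.
        if (ref.get("resource") == "secrets" and ev.get("verb") in ("get", "list", "watch")
                and code < 400 and not user.startswith("system:")):
            alerts.append({**base, "rule": "secret-read",
                           "secret": f"{ref.get('namespace')}/{ref.get('name')}"})
        # Guideline 11: exec or attach into a running container runs code that never went
        # through the image pipeline; the API server answers with 101 (protocol upgrade).
        if ref.get("resource") == "pods" and ref.get("subresource") in ("exec", "attach") and code < 400:
            alerts.append({**base, "rule": "pod-exec", "pod": f"{ref.get('namespace')}/{ref.get('name')}"})
    return alerts


def _event(audit_id: str, user: str, verb: str, resource: str, code: int, name: Optional[str] = None,
           subresource: Optional[str] = None, stage: str = "ResponseComplete") -> str:
    """Build one constructed audit event (Metadata level) as a JSON line."""
    ev = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata", "auditID": audit_id,
          "stage": stage, "verb": verb, "user": {"username": user},
          "objectRef": {"resource": resource, "namespace": "prod"}}
    if name:
        ev["objectRef"]["name"] = name
    if subresource:
        ev["objectRef"]["subresource"] = subresource
    if stage == "ResponseComplete":
        ev["responseStatus"] = {"code": code}
    return json.dumps(ev)


# Constructed sample log: one benign system read, one human secret read, one
# principal probing for permissions it does not have, and one exec session.
SAMPLE_LOG = [
    _event("a1", "system:serviceaccount:kube-system:generic-garbage-collector", "list", "secrets", 200),
    _event("a2", "alice", "get", "secrets", 200, name="db-creds"),
    _event("a3", "bob", "get", "secrets", 0, name="db-creds", stage="RequestReceived"),  # skipped: no response yet
    _event("a3", "bob", "get", "secrets", 403, name="db-creds"),
    _event("a4", "bob", "list", "pods", 403),
    _event("a5", "bob", "create", "pods", 403),
    _event("a6", "alice", "create", "pods", 101, name="web-7d9f", subresource="exec"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Two details of the audit policy itself matter for these rules: the policy must record requests for `secrets` at the `Metadata` level rather than `RequestResponse`, or the audit log becomes another place where secret contents are written; and each request is audited at more than one stage, so the detector keys on `ResponseComplete` to count a request once and to see its status code.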
