Components Security |
- API Server
authorization-mode=Node,RBAC - Ensure all services are protected by TLS
- Ensure kubelet protects its API via
authorization-mode=Webhook - Ensure the kube-dashboard uses a restrictive RBAC role policy and v1.7+
- Closely monitor all RBAC policy failures
- Remove default ServiceAccount permissions
|
Network Security |
- Filter access to the cloud provider metadata APIs/URL, and Limit IAM permissions
- Use a CNI network plugin that filters ingress/egress pod network traffic
- Properly label all pods
- Isolate all workloads from each other
- Prevent workloads from egressing to the Internet, the Pod IP space, the Node IP subnets, and/or other internal networks
- Establish network ingress policies
- Restrict all traffic coming into the kube-system namespace except kube-dns
- Consider a Service Mesh
|
Workload Containment and Security |
- Namespaces per tenant
- Default network "deny" inbound on all namespaces
- Assign CPU/RAM limits to all containers
- Set
automountServiceAccountToken: false on pods where possible - Use a PodSecurityPolicy to enforce container restrictions and to protect the node
- Implement container-aware malicious activity / behavioral detection
|
Platform reliability and availability plan |
- Cover
- Logging
- Monitoring
- Alerting
- Capacity Planning
- Auditing
- Each of these points needs to be addressed in two contexts
- The overall platform
- Applications running on the platform
- For the applications the capabilities need to be made available
- Release new apps/re-stage
- Access to running apps
- Synthetic monitoring
|
Misc Security |
- Collect logs from all containers, especially the RBAC access/deny logs
- Encrypt the contents of etcd, and run etcd on dedicated nodes
- Separate Cloud accounts/VPCs/projects/resource groups
- Separate clusters for dev/test and production environments
- Separate node pools for different tenants
|
Operational |
- Establish onboarding process
- User documentation (Onboarding, Operating, Container image pipeline, Finding images to use)
- Determine who is K8S cluster admin
|