Best Practices
High Level Documentation
Operational Guides
| Link | Notes |
|---|---|
| Kubernetes Security Checklist | A baseline checklist for ensuring security in Kubernetes clusters |
| Securing a Kubernetes Cluster | This document covers topics related to protecting a cluster from accidental or malicious access and provides recommendations on overall security |
| Securing Kubernetes Clusters by Eliminating Risky Permissions | How permissions are built in Kubernetes with role-based access control (RBAC) and why you should use it carefully |
| Plain Kubernetes Secrets are fine | |
| Kubernetes Hardening Tutorial | |
| Kubernetes Scheduling And Secure Design | |
Multitenancy
| Link | Notes |
|---|---|
| Kubernetes Multi-tenancy | Official docs: an overview of available configuration options and best practices for cluster multi-tenancy |
| Ramblings from Jessie: Hard Multi-Tenancy in Kubernetes | A design proposal for how to do hard multi-tenancy in Kubernetes |
Networking
| Link | Notes |
|---|---|
| ⭐️ The Kubernetes Networking Guide | An overview of various Kubernetes networking components with a specific focus on exactly how they implement the required functionality |
| Understanding networking in Kubernetes | An in-depth analysis of Kubernetes networking, including container-to-container, pod-to-pod, pod-to-service, ingress, and egress communication |
| Cilium Editor | |
| Controlling outbound traffic from Kubernetes | How Monzo locked down egress traffic using EnvoyProxy, CoreDNS and an operator |
| Internet Egress Filtering of Services at Lyft | How the Security team of Lyft achieved egress network traffic filtering for all their services |
| Go directly to namespace jail: Locking down network traffic between Kubernetes namespaces | How do you restrict network traffic between namespaces in a Kubernetes cluster? This guide shows how to prevent traffic between namespaces using Linkerd's traffic policies |
| Square - Pod Security Policies | How to do a full deployment of Pod Security Policies with everything locked down and how to grant exceptions |
| How To Enforce Kubernetes Network Security Policies Using OPA | Deep-dive on how to enforce systematic Kubernetes network security policies with Open Policy Agent |
Istio
| Link | Notes |
|---|---|
| Learn Istio – How to Manage, Monitor, and Secure Microservices | A thorough introduction to Istio, showing what it does under the hood |
| Service meshes: an in-depth introduction | An overview of service meshes that clarifies the benefits they offer as well as the extra complexity |
| Guide to Istio’s Authentication and Authorization Policies | Learn how Istio's authentication and authorization policies enhance security in microservices |
| How to monitor Istio | How to deploy and monitor Istio in a Kubernetes cluster to connect, secure, and configure advanced routing for microservices |
| Secure Workload Identity with SPIRE and OIDC: A Guide for Kubernetes and Istio Users | This blog is for engineering teams responsible for defining and implementing a workload identity platform and access controls rooted in Zero Trust principles to mitigate the risks from compromised services |
Other
| Link | Notes |
|---|---|
| The Principle of Ephemerality | Everything that can be ephemeral, should be ephemeral |
| Official CVE Feed | A community maintained list of official CVEs announced by the Kubernetes Security Response Committee |