Skip to content

Best Practices

High Level Documentation

Link Notes
NSA's Kubernetes Hardening Guidance
  • Describes the security challenges associated with setting up and securing a Kubernetes cluster
  • Includes strategies to avoid common misconfigurations and implement recommended hardening measures
PCI Guidance for Containers and Container Orchestration Tools
SOC 2 compliance for containers and Kubernetes security Useful tips to implement SOC 2 compliance for containers and Kubernetes
OWASP Kubernetes Top 10
  • Prioritized list of these risks backed by data collected from organizations varying in maturity and complexity
  • See also Sysdig' summary

Operational Guides

Link Notes
Kubernetes Security Checklist A baseline checklist for ensuring security in Kubernetes clusters
Securing a Kubernetes Cluster This document covers topics related to protecting a cluster from accidental or malicious access and provides recommendations on overall security
Securing Kubernetes Clusters by Eliminating Risky Permissions How permissions are built in Kubernetes with role-based access control (RBAC) and why you should use it carefully
Plain Kubernetes Secrets are fine
  • By creating a threat model that includes the kinds of attacks you want to mitigate, it's clear that managing secrets safely is extremely difficult
  • The problem is NOT that secrets are just base64 encoded; that was never meant as a security feature. And the problem cannot be simply waved away by software/cloud providers and their flashy documentation
Kubernetes Hardening Tutorial
Kubernetes Scheduling And Secure Design
  • Having a security-oriented scheduling strategy can help to reduce the overall risk of workload compromise in a comprehensive security design
  • If critical workloads are separated at the scheduling decision, the blast radius of a compromised pod is reduced

Multitenancy

Link Notes
Kubernetes Multi-tenancy Official docs: an overview of available configuration options and best practices for cluster multi-tenancy
Ramblings from Jessie: Hard Multi-Tenancy in Kubernetes A design proposal for how to do hard multi-tenancy in Kubernetes

Networking

Link Notes
⭐️ The Kubernetes Networking Guide An overview of various Kubernetes networking components with a specific focus on exactly how they implement the required functionality
Understanding networking in Kubernetes An in-depth analysis of Kubernetes networking, including container-to-container, pod-to-pod, pod-to-service, ingress, and egress communication
Cilium Editor
  • Tutorial that will teach you how to create a network policy using the Cilium Editor
  • It explains basic network policy concepts and guides you through the steps needed to achieve the desired least-privilege security policy
Controlling outbound traffic from Kubernetes How Monzo locked down egress traffic using EnvoyProxy, CoreDNS and an operator
Internet Egress Filtering of Services at Lyft How the Security team of Lyft achieved egress network traffic filtering for all their services
Go directly to namespace jail: Locking down network traffic between Kubernetes namespaces How do you restrict network traffic between namespaces in a Kubernetes cluster? This guide shows how to prevent traffic between namespaces using Linkerd's traffic policies
Square - Pod Security Policies How to do a full deployment of Pod Security Policies with everything locked down and how to grant exceptions
How To Enforce Kubernetes Network Security Policies Using OPA Deep-dive on how to enforce systematic Kubernetes network security policies with Open Policy Agent

Istio

Link Notes
Learn Istio – How to Manage, Monitor, and Secure Microservices A thorough introduction to Istio, showing what it does under the hood
Service meshes: an in-depth introduction An overview of service meshes that clarifies the benefits they offer as well as the extra complexity
Guide to Istio’s Authentication and Authorization Policies Learn how Istio's authentication and authorization policies enhance security in microservices
How to monitor Istio How to deploy and monitor Istio in a Kubernetes cluster to connect, secure, and configure advanced routing for microservices
Secure Workload Identity with SPIRE and OIDC: A Guide for Kubernetes and Istio Users This blog is for engineering teams responsible for defining and implementing a workload identity platform and access controls rooted in Zero Trust principles to mitigate the risks from compromised services

Other

Link Notes
The Principle of Ephemerality Everything that can be ephemeral, should be ephemeral
Official CVE Feed A community maintained list of official CVEs announced by the Kubernetes Security Response Committee