Kubernetes Hardening Guide

Open raesene opened this issue 4 years ago • 41 comments
What would you like to be added

As part of SIG-Security-Docs, we've been discussing the creation of a hardening guide for Kubernetes. We've got an initial document for the guide's creation here https://docs.google.com/document/d/1teb42X_c5_k8PNOSEEEbVnEr9aVAwWJXezBuf5fdmZU/edit

Why is this needed

The goal of the hardening guide is to provide guidance to cluster operators about how they can improve the security of their clusters. This will be done by discussing the major areas of security relating to a Kubernetes cluster, looking at the options available for hardening and the trade-offs inherent in them. In contrast to existing 3rd party documentation in this area (the CIS benchmark) which is a prescriptive audit style document, this guide should provide a more discursive approach.

**Table of Areas**

| Section | Assignee | PR(s) |
|---|---|---|
| Threat Model | @cailynse | |
| Control Plane Configuration | | |
| API Server Configuration | | |
| Scheduler Configuration | @AnshumanTripathi | |
| Controller Manager Configuration | | |
| File Permissions | | |
| Worker Node Configuration | | |
| PKI Management | | |
| Cluster Authentication | @raesene | |
| Authorization | @bjornsen @vinayakankugoyal | |
| Workload Security Configuration | | |
| Network Policy Configuration | @cailynse | |
| Resource Limits | | |
| Add-On Configuration | | |

cc @savitharaghunathan @sftim

raesene avatar Apr 12 '21 08:04 raesene

/sig security

sftim avatar Apr 12 '21 08:04 sftim

/triage accepted

sftim avatar Apr 12 '21 08:04 sftim

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale

fejta-bot avatar Jul 11 '21 09:07 fejta-bot

/remove-lifecycle stale

savitharaghunathan avatar Jul 15 '21 12:07 savitharaghunathan

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Oct 13 '21 13:10 k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot avatar Nov 12 '21 14:11 k8s-triage-robot

/remove-lifecycle rotten

savitharaghunathan avatar Nov 12 '21 16:11 savitharaghunathan

/transfer sig-security

savitharaghunathan avatar Jan 06 '22 18:01 savitharaghunathan

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Apr 06 '22 19:04 k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot avatar May 06 '22 19:05 k8s-triage-robot

/remove-lifecycle rotten

Hope that's OK

sftim avatar May 06 '22 19:05 sftim

I'd be really interested in helping with this one!

cailyn-codes avatar Jun 02 '22 16:06 cailyn-codes

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Aug 31 '22 16:08 k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot avatar Sep 30 '22 17:09 k8s-triage-robot

/remove-lifecycle rotten

@savitharaghunathan - is this something we could work on in the next cycle with SIG Security Docs?

cailyn-codes avatar Oct 05 '22 13:10 cailyn-codes

/assign

cailyn-codes avatar Oct 05 '22 13:10 cailyn-codes

I'm interested in helping, even if just to help review and learn.

ericsmalling avatar Oct 20 '22 16:10 ericsmalling

Awesome! @ericsmalling feel free to pick up a section! I've just been researching and trying to fill in the TODOs from the top down!

cailyn-codes avatar Oct 24 '22 15:10 cailyn-codes

Threat Modelling PR: https://github.com/kubernetes/website/pull/39087

I'll also take Network Policy Configuration, please and thank you!

cailyn-codes avatar Jan 24 '23 16:01 cailyn-codes

I'm interested in Authorization.

bjornsen avatar Jan 30 '23 19:01 bjornsen

1st Draft for the Authentication section is open for comment on Hackmd https://hackmd.io/kxo4SRN3T3ipJHca2JNPTg

raesene avatar Jan 31 '23 07:01 raesene

@bjornsen cool! I've added that assignment to the table at the top.

raesene avatar Jan 31 '23 07:01 raesene

@bjornsen and I are going to be collaborating on Authorization.

vinayakankugoyal avatar Jan 31 '23 18:01 vinayakankugoyal

This might be of interest to the group here: https://github.com/cncf/tag-security/issues/1054

PushkarJ avatar Apr 06 '23 01:04 PushkarJ

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Jul 05 '23 01:07 k8s-triage-robot

/remove-lifecycle stale

savitharaghunathan avatar Jul 05 '23 11:07 savitharaghunathan

Hey all, so I've done some more fix-ups on the authentication section (https://hackmd.io/kxo4SRN3T3ipJHca2JNPTg?both); it seems like it's probably in a decent enough spot to open a PR?

I know we had a quick chat about where in the docs site these pages should go, but I'm not sure we came to any firm conclusion.

raesene avatar Jul 30 '23 07:07 raesene

I think concepts -> security is a good home for the hardening guide. If needed we can create a folder and add items there. eg concepts -> security -> hardening guide -> auth mechanisms. @reylejano WDYT? should we bring this up in a sig-docs meeting or create a draft PR to get feedback on the content as well as the location?

savitharaghunathan avatar Aug 03 '23 18:08 savitharaghunathan

> I think concepts -> security is a good home for the hardening guide

:+1:

A guide like this might then link to specific task pages, eg “Enable audit logging” “Configure KMS encryption for API objects”.

sftim avatar Aug 03 '23 19:08 sftim

> I think concepts -> security is a good home for the hardening guide. If needed we can create a folder and add items there. eg concepts -> security -> hardening guide -> auth mechanisms. @reylejano WDYT? should we bring this up in a sig-docs meeting or create a draft PR to get feedback on the content as well as the location?

I think concepts -> security -> hardening guide works, which translates to /docs/concepts/security/hardening-guide

reylejano avatar Aug 03 '23 19:08 reylejano