kubernetes-security-best-practice
[ideas] Security notes compiled from various sources (links included)
Here we go with my loose notes about Kubernetes security; there is some overlap with the existing document.
Overview
- `RBAC` enabled,
- `default-deny-ingress` NetworkPolicy,
- `default-deny-egress` NetworkPolicy,
- Helm security
Online resources
Checklists for online resources on security.
Security problems of Kops default deployments
- [ ] No RBAC by default
  - [ ] installed rbac
- [ ] Kubelet does not enforce authorization
  - [ ] egress blocked through NetworkPolicy,
  - #3891,
- [ ] AWS Metadata API is reachable
  - [ ] `kube2iam` installed
Improving the Default Security Posture Through Defense in Depth
Post-Container Compromise Issues
- [ ] Default Namespace Tokens Have Full Privileges
  - [ ] RBAC enabled
- [ ] Unprotected Kubernetes Dashboard and Other kube-system Add-ons
  - [ ] limited `kubernetes-dashboard` privileges
  - [ ] internal access blocked using `default-deny`
- [ ] Kubelet Does Not Enforce Authorization (aka Kubelet-Exploit)
  - [ ] `default-deny-egress` NetworkPolicy
  - [ ] `--anonymous-auth=false`
  - [ ] `default-deny-ingress` NetworkPolicy
  - [ ] `--authorization-mode=Webhook`
- [ ] Unprotected Etcd/Calico-Etcd Endpoints
  - [ ] TLS enabled through `kops` `spec.etcdClusters[*].enableEtcdTLS`
- [ ] Direct Access to Cloud Instance Metadata APIs
  - [ ] `kube2iam`,
  - `NetworkPolicy` is not blocking access to cluster-external addresses,
- [ ] Permissive Metadata IAM Role Policies (AWS)
  - not addressed
  - Issue: Restrict IAM Roles permissions
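The Kubelet and etcd items above map onto a handful of kops Cluster spec fields. The following is an added example, not configuration from these notes or from the kops project; the cluster name, instance group name and region are placeholders, and the `networking.calico` entry is only there because NetworkPolicy enforcement (the `default-deny-*` items) needs a CNI that implements it.

```yaml
# Added example: kops Cluster spec fields implementing the Kubelet and etcd
# checklist items. metadata.name and the instanceGroup values are placeholders.
apiVersion: kops.k8s.io/v1alpha2
kind: Cluster
metadata:
  name: example.k8s.local              # placeholder cluster name
spec:
  authorization:
    rbac: {}                           # RBAC instead of the AlwaysAllow default
  kubelet:
    anonymousAuth: false               # kubelet --anonymous-auth=false
    authorizationMode: Webhook         # kubelet --authorization-mode=Webhook
    authenticationTokenWebhook: true   # kubelet validates bearer tokens via the API server
  networking:
    calico: {}                         # CNI that enforces NetworkPolicy objects
  etcdClusters:
  - name: main
    enableEtcdTLS: true                # spec.etcdClusters[*].enableEtcdTLS
    etcdMembers:
    - instanceGroup: master-us-east-1a # placeholder instance group
      name: a
  - name: events
    enableEtcdTLS: true
    etcdMembers:
    - instanceGroup: master-us-east-1a # placeholder instance group
      name: a
```

Apply it with `kops replace -f cluster.yaml` (or `kops edit cluster`), then `kops update cluster --yes` followed by `kops rolling-update cluster --yes`, since the kubelet and etcd flags only take effect on re-provisioned nodes. After the rollout, confirm that an unauthenticated request to a node's kubelet port (10250) is rejected with 401 instead of returning pod data; that single check covers both the anonymous-auth and the authorization-mode items.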
Additional considerations
- [ ] `PodSecurityPolicy`
  - not addressed
- [ ] `NetworkPolicy`
  - [ ] `default-deny-ingress` NetworkPolicy
  - [ ] `default-deny-egress` NetworkPolicy
- [ ] Admission Controllers
  - not addressed
7. Exposed /metrics APIs Allow for Pod/Svc Enumeration
Prevented using `default-deny-ingress`.
Securing a Cluster
- [ ] Controlling access to the Kubernetes API
  - [ ] Use Transport Level Security (TLS) for all API traffic
    - kops
  - [ ] API Authentication (above ServiceAccount)
  - [ ] API Authorization
    - Node + RBAC
- [ ] Controlling access to the Kubelet
  - [ ] egress blocked,
  - [ ] anonymous access blocked,
  - [ ] authentication configured
  - [ ] authorization configured
- [ ] Controlling the capabilities of a workload or user at runtime
  - [ ] Limiting resource usage on a cluster
  - [ ] Controlling what privileges containers run with
    - [ ] `PodSecurityPolicy`
    - [ ] non-root users in applications
  - [ ] Restricting network access
    - [ ] `default-deny-ingress` NetworkPolicy
    - [ ] `default-deny-egress` NetworkPolicy
  - [ ] Restricting cloud metadata API access
    - [ ] `kube2iam`
  - [ ] Controlling which nodes pods may access
- [ ] Protecting cluster components from compromise
  - [ ] Restrict access to etcd
  - [ ] Enable audit logging
  - [ ] Restrict access to alpha or beta features
  - [ ] Rotate infrastructure credentials frequently
  - [ ] Review third party integrations before enabling them
  - [ ] Encrypt secrets at rest
- [ ] Receiving alerts for security updates and reporting vulnerabilities
Additional tasks
- [ ] lock down the `kube-system` namespace with NetworkPolicies
- [ ] encrypted-by-default `StorageClass`