K8S Security
Host Security
- Keep your K8S daemons / distro up to date.
- Ensure RBAC is configured and enforced correctly.
- Ensure service account secrets don't get mounted automatically.
pod.spec.automountServiceAccountToken
- Run as non-root.
podsecuritypolicies.spec.runAsUser
podsecuritypolicies.spec.runAsGroup
- Mount root filesystems as read-only.
podsecuritypolicies.spec.readOnlyRootFilesystem
- Disallow privilege escalations.
podsecuritypolicies.spec.allowPrivilegeEscalation
- Make use of seccomp.
pod.spec.securityContext.seccompProfile
- Enforce SELinux.
podsecuritypolicies.spec.seLinux
pod.spec.securityContext.seLinuxOptions
- Make use of sandboxed pods:
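The Pod fields listed above can be checked mechanically before a manifest is admitted. The following is an added example (not part of these notes and not a Kubernetes project tool): a small Python audit that walks a Pod manifest already parsed into a dict (for example from yaml.safe_load), merges the pod-level securityContext with each container's own, and reports every control from the list that is missing. The two manifests at the bottom are constructed samples; image names and UIDs are placeholders.

```python
"""Audit Pod manifests for the hardening settings listed above.

Added example (not part of the original notes). It reports, per pod and per
container, whether automountServiceAccountToken, runAsNonRoot/runAsUser,
runAsGroup, readOnlyRootFilesystem, allowPrivilegeEscalation, seccompProfile
and seLinuxOptions are set to a hardened value. Both sample manifests are
constructed.
"""

# Fields that may be set on the pod securityContext and overridden per container.
POD_LEVEL_FIELDS = ("runAsUser", "runAsGroup", "runAsNonRoot",
                    "seccompProfile", "seLinuxOptions")
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}


def effective_security_context(pod_sc: dict, container_sc: dict) -> dict:
    """Merge pod-level defaults with the container's own securityContext.

    Container-level values take precedence, mirroring how the kubelet
    resolves these fields.
    """
    merged = {k: v for k, v in pod_sc.items() if k in POD_LEVEL_FIELDS}
    merged.update(container_sc)
    return merged


def audit_pod(manifest: dict) -> list[str]:
    """Return one finding per missing control; an empty list means the pod passes."""
    spec = manifest.get("spec", {})
    findings: list[str] = []

    # The service account token is mounted unless explicitly disabled.
    if spec.get("automountServiceAccountToken") is not False:
        findings.append("pod: automountServiceAccountToken is not false")

    pod_sc = spec.get("securityContext", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    for container in containers:
        name = container.get("name", "<unnamed>")
        sc = effective_security_context(pod_sc, container.get("securityContext", {}))

        # Either runAsNonRoot: true or an explicit non-zero runAsUser keeps root out.
        if sc.get("runAsNonRoot") is not True and not sc.get("runAsUser"):
            findings.append(f"{name}: may run as root (runAsNonRoot/runAsUser not set)")
        if not sc.get("runAsGroup"):
            findings.append(f"{name}: runAsGroup not set or 0")
        # These two exist only on the container securityContext.
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: readOnlyRootFilesystem is not true")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
        if sc.get("seccompProfile", {}).get("type") not in ALLOWED_SECCOMP:
            findings.append(f"{name}: seccompProfile type is not RuntimeDefault/Localhost")
        if not sc.get("seLinuxOptions"):
            findings.append(f"{name}: seLinuxOptions not set")
    return findings


# Constructed sample: a typical "it works" manifest with no hardening at all.
WEAK_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {"containers": [{"name": "app", "image": "example.invalid/app:1.0"}]},
}

# Constructed sample: the same pod with every control from the list applied.
HARDENED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {
        "automountServiceAccountToken": False,
        "securityContext": {
            "runAsNonRoot": True,
            "runAsUser": 10001,           # placeholder UID
            "runAsGroup": 10001,          # placeholder GID
            "seccompProfile": {"type": "RuntimeDefault"},
            "seLinuxOptions": {"level": "s0:c123,c456"},  # placeholder MCS label
        },
        "containers": [{
            "name": "app",
            "image": "example.invalid/app:1.0",
            "securityContext": {
                "readOnlyRootFilesystem": True,
                "allowPrivilegeEscalation": False,
            },
        }],
    },
}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(f"{label}: {audit_pod(pod) or ['no findings']}")
```

The merge step matters: a container that sets its own runAsUser: 0 overrides a pod-level runAsNonRoot-free default, so checking only pod.spec.securityContext would miss it. In a real cluster the same checks would sit in an admission controller rather than a script, but the logic is identical.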
Network Security
- Limit access to the API server / cluster using a firewall.
- Apply network policies.
- Ensure traffic is E2E encrypted (e.g. using a service mesh).
- Automate PKI management.
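"Apply network policies" in practice starts with a namespace-wide default deny, on top of which specific allow rules are added. The following is an added example (not from these notes): a Python check that, given the NetworkPolicy objects of one namespace as dicts, reports whether every pod is isolated for ingress and for egress. It also handles the policyTypes default, which is the usual way a "default deny" ends up covering ingress only. The sample policies are constructed.

```python
"""Check a namespace's NetworkPolicy objects for a default-deny baseline.

Added example (not part of the original notes). In Kubernetes a pod becomes
isolated in a direction as soon as any NetworkPolicy selects it and lists that
direction in policyTypes; rules then only add allowed traffic. So every pod in
the namespace is default-deny for a direction exactly when some policy with an
empty podSelector lists that direction. Sample policies below are constructed.
"""


def default_deny_coverage(policies: list[dict]) -> dict[str, bool]:
    """Return {"Ingress": bool, "Egress": bool}: is each direction denied by default?"""
    covered = {"Ingress": False, "Egress": False}
    for policy in policies:
        spec = policy.get("spec", {})
        # Only a policy selecting all pods (empty podSelector) can form the baseline;
        # a label selector covers just the pods carrying that label.
        selector = spec.get("podSelector") or {}
        if selector.get("matchLabels") or selector.get("matchExpressions"):
            continue
        # policyTypes defaults to Ingress, plus Egress only if an egress section exists.
        types = spec.get("policyTypes") or (
            ["Ingress"] + (["Egress"] if "egress" in spec else []))
        for direction in ("Ingress", "Egress"):
            if direction in types:
                covered[direction] = True
    return covered


# Constructed: namespace-wide default deny for both directions.
DEFAULT_DENY_ALL = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "default-deny-all", "namespace": "prod"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
}

# Constructed: the common mistake; without policyTypes this denies ingress only.
DEFAULT_DENY_INGRESS_ONLY = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "default-deny", "namespace": "prod"},
    "spec": {"podSelector": {}},
}

# Constructed: an allow rule scoped to one app; it isolates only the pods it selects.
ALLOW_WEB_INGRESS = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "allow-frontend-to-web", "namespace": "prod"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "web"}},
        "ingress": [{
            "from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}],
            "ports": [{"port": 8080}],
        }],
    },
}

if __name__ == "__main__":
    for label, policies in (("deny-all", [DEFAULT_DENY_ALL, ALLOW_WEB_INGRESS]),
                            ("ingress-only", [DEFAULT_DENY_INGRESS_ONLY]),
                            ("allow-only", [ALLOW_WEB_INGRESS])):
        print(f"{label}: {default_deny_coverage(policies)}")
```

A label-selected policy is deliberately not counted even if it happens to match every pod today, because a newly deployed pod without that label would be unisolated; the namespace-wide policy is what gives the guarantee.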
Application Security
Threat Detection