K8s security - Episode 6: Security Cheat Sheet
You will find here a security cheat sheet with the simple purpose of listing best practices and advice to protect your production environment when running it on a Kubernetes cluster.
K8s security - Episode 6: Security Cheat Sheet
As this series of articles is coming to its end, you will find here a security cheat sheet with the simple purpose of listing best practices and advice to protect your production environment when running it on a Kubernetes cluster.
Security is everyone's concern
Choose Wisely
Cloud provider
- What cloud provider are you choosing and why?
- What is its revoke certificate strategy?
- What default security option does it provide?
Third parties
- Only use what you need.
- List all third parties you use, what purpose they serve, and what versions are in use.
- What level of security do they provide?
- What technology are they based on?
- Do they need extra external access? Are they sending data outside of your production environment?
- Update to new software and library versions as much as possible.
- Stay informed about new vulnerabilities and apply fixes as soon as they are available.
- Define an update/upgrade policy and a cleaning policy (i.e., check if you have unnecessary dependencies regularly and remove them).
Design before code
The production infrastructure of your software will define the roles, users, and best practices to code with serenity.
Learn and be curious about vulnerabilities.
Know your priorities when it comes to security.
Who can access what, and should they be able to?
- Define all your personae (internal and external), their needs, their interactions.
- Associate your personae with each part of your application they need access to.
- Split your environments and applications accordingly to the required accesses by your personae.
- Make smart choices about what is not perfectly secured and at risk.
- Be curious about vulnerabilities, and even learn to use them.
- Protect your data.
"To start coding, all you need is a piece of paper and a pen."
Start fresh
- Build a secured environment from the begining.
- Set
admission controllersfor your Kubernetes cluster's (at least):NamespaceLifeCycleLimitRangerServiceAccountDefaultStorageClassResourceQuota
- Define
Network security policiesto isolatepodsandnamespaceswithin your cluster, and allowpodcommunication only if needed.
Take responsibility
A production environment is everyone's responsibility. Maybe some people can do more on the technical side when an issue appears, but not being able to code, fix, or configure does not mean you cannot help.
You are all in the same boat, don't let other people row when things get complicated.
Help, assist, understand, be constructive, and not critical.
Recommended articles
K8s security - Episode 5: Lock your data
We detailed some of the main security issues that are found in software, and it is no surprise that information leakage is one of the most frequent security flaws.
K8s security - Episode 4: Managing third parties
Along with user accesses, you also need to control what is being authorized by the services you did not create yourself, and that you depend on: third parties.