Jan 12, 2019

[k8s] Secure setup

K8S Security

  1. Keep API Server secure from accessing by outsider
  2. Beware of runaway POD
  3. Helm tiller pod
  4. Validate Images (image scan, e.g coreos/clair)


For 1:
Most cloud provider's set up is fine.


For 2:
  1. Make sure running POD's service account has limited access to the cluster.
  2. Make sure with every k8s services, connect with authentication.

For 3:
  1. Beware the privilege granted to tiller POD. Once it's compromised, the cluster
    is compromised. (Helm 3 will thus remove the use of tiller POD due to mainly the security issue)

Reference:
Creating a cluster network policy https://cloud.google.com/kubernetes-engine/docs/how-to/network-policy
Access control overview https://cloud.google.com/kubernetes-engine/docs/concepts/access-control
Using PodSecurityPolicies https://cloud.google.com/kubernetes-engine/docs/how-to/pod-security-policies

Posted by at
Labels: , ,

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.

Subscribe to: Post Comments (Atom)