K8s security - Episode 6: Security Cheat Sheet
Deploy • Emmanuelle Demompion • 09/03/21 • 1 min read
As this series of articles is coming to its end, you will find here a security cheat sheet with the simple purpose of listing best practices and advice to protect your production environment when running it on a Kubernetes cluster.
Focus personae
Security is everyone's concern
Choose Wisely
Cloud provider
What cloud provider are you choosing and why?
What is its certificate revocation strategy?
What default security option does it provide?
Third parties
Only use what you need.
List all third parties you use, what purpose they serve, and what versions are in use.
What level of security do they provide?
What technology are they based on?
Do they need extra external access? Are they sending data outside of your production environment?
Update to new software and library versions as much as possible.
Stay informed about new vulnerabilities and apply fixes as soon as they are available.
Define an update/upgrade policy and a cleaning policy (i.e., check if you have unnecessary dependencies regularly and remove them).
Design before code
The production infrastructure of your software defines the roles, users, and best practices that let you code with peace of mind.
Learn and be curious about vulnerabilities.
Know your priorities when it comes to security.
Who can access what, and should they be able to?
Define all your personae (internal and external), their needs, their interactions.
Associate your personae with each part of your application they need access to.
Split your environments and applications according to the access each persona requires.
Make deliberate choices about what is not perfectly secured and therefore at risk.
Be curious about vulnerabilities, and even learn to use them.
Protect your data.
"To start coding, all you need is a piece of paper and a pen."
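On a Kubernetes cluster, "who can access what" is expressed with namespaces and RBAC. The manifest below is an added example, not part of the original article: it gives two personae (a read-only "developer" and a "release operator") separate roles in a production namespace. The namespace name, role names and the group names bound to them are placeholders; in practice the groups come from your identity provider. Note that the read-only role deliberately does not grant access to secrets.

```yaml
# Added example (not from the original article): one namespace per environment
# and one RBAC role per persona. "shop-prod", "developers" and "release-operators"
# are placeholder names chosen for this example.
apiVersion: v1
kind: Namespace
metadata:
  name: shop-prod
---
# Persona "developer": may inspect workloads and logs in production, not change them.
# Secrets are intentionally left out of this role.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: shop-prod
  name: developer-readonly
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log", "services", "configmaps"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets"]
    verbs: ["get", "list", "watch"]
---
# Persona "release operator": may roll out new versions, but only through Deployments.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: shop-prod
  name: release-operator
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "update", "patch"]
---
# Bind each persona (a group issued by your identity provider) to its role,
# scoped to the namespace only.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: shop-prod
  name: developers-readonly
subjects:
  - kind: Group
    name: developers           # placeholder group name from OIDC / cloud IAM
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: developer-readonly
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: shop-prod
  name: release-operators
subjects:
  - kind: Group
    name: release-operators    # placeholder group name from OIDC / cloud IAM
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: release-operator
  apiGroup: rbac.authorization.k8s.io
```

After applying it, check that each persona gets exactly what was designed for it, for instance `kubectl auth can-i delete deployments -n shop-prod --as=alice --as-group=developers` should answer `no`, while `kubectl auth can-i patch deployments -n shop-prod --as=bob --as-group=release-operators` should answer `yes`. Reviewing the access matrix this way, one persona at a time, is the practical form of the "who can access what, and should they?" question above.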
Start fresh
Build a secured environment from the beginning.
Enable (at least) the following admission controllers on your Kubernetes cluster:
NamespaceLifecycle
LimitRanger
ServiceAccount
DefaultStorageClass
ResourceQuota
Define network policies to isolate pods and namespaces within your cluster, and allow pod-to-pod communication only where it is needed.
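The admission controllers listed above only enforce something once the matching objects exist: LimitRanger acts on LimitRange objects and ResourceQuota on ResourceQuota objects, and a NetworkPolicy is only enforced by a CNI plugin that supports it. The manifest below is an added example, not from the original article: it sets default limits and a quota for a production namespace, denies all traffic by default, then re-opens only the paths one service needs. The namespace name, the `app` labels and the ports are placeholders; the `k8s-app: kube-dns` label is the conventional CoreDNS label and is assumed here.

```yaml
# Added example (not from the original article). "shop-prod", the app labels
# and the ports are placeholders. LimitRange and ResourceQuota only take effect
# when the LimitRanger and ResourceQuota admission plugins are enabled on
# kube-apiserver, e.g.
#   --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota
apiVersion: v1
kind: LimitRange
metadata:
  name: default-limits
  namespace: shop-prod
spec:
  limits:
    - type: Container
      default:            # applied when a container declares no limits
        cpu: "500m"
        memory: "256Mi"
      defaultRequest:     # applied when a container declares no requests
        cpu: "100m"
        memory: "128Mi"
      max:                # hard ceiling per container
        cpu: "2"
        memory: "2Gi"
---
apiVersion: v1
kind: ResourceQuota
metadata:
  name: namespace-budget
  namespace: shop-prod
spec:
  hard:
    pods: "50"
    requests.cpu: "10"
    requests.memory: "16Gi"
    limits.cpu: "20"
    limits.memory: "32Gi"
---
# Deny all ingress and egress for every pod in the namespace by default.
# An empty podSelector matches all pods; declaring both policyTypes with no
# ingress/egress rules means nothing is allowed until another policy adds it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: shop-prod
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
# Re-open only what the application needs: "api" pods accept traffic from
# "frontend" pods on 8080, may reach "db" pods on 5432, and may query DNS in
# kube-system so name resolution keeps working under the default deny.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow
  namespace: shop-prod
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes: ["Ingress", "Egress"]
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 8080
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: db
      ports:
        - protocol: TCP
          port: 5432
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system   # label set automatically on namespaces
          podSelector:
            matchLabels:
              k8s-app: kube-dns                          # assumed CoreDNS label
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

Apply the default-deny policy in every application namespace before the first workload lands, then add one allow policy per service as its traffic paths are designed. If your CNI plugin does not implement NetworkPolicy, these objects are accepted by the API server but silently do nothing, so verify enforcement with a test pod rather than trusting the manifest alone.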
Take responsibility
A production environment is everyone's responsibility. Some people may be able to do more on the technical side when an issue appears, but not being able to code, fix, or configure does not mean you cannot help.
You are all in the same boat; don't let other people row alone when things get complicated.
Help, assist, understand, and be constructive rather than critical.