Contents
Kubernetes Hardening Guide  i
Executive summary  iii
Contents  v
Introduction  1
Recommendations  2
Architectural overview  4
Threat model  6
Kubernetes Pod security  8
    "Non-root" containers and "rootless" container engines  9
    Immutable container file systems  10
    Building secure container images  10
    Pod security enforcement  12
    Protecting Pod service account tokens  12
    Hardening container environments  13
Network separation and hardening  14
    Namespaces  14
    Network policies  15
    Resource policies  17
    Control plane hardening  18
        Etcd  19
        Kubeconfig Files  19
    Worker node segmentation  19
    Encryption  20
    Secrets  20
    Protecting sensitive cloud infrastructure  21
Authentication and authorization  22
    Authentication  22
    Role-based access control  23
Audit Logging and Threat Detection  27
    Logging  27
        Kubernetes native audit logging configuration  29
        Worker node and container logging  30
        Seccomp: audit mode  32
        Syslog  32
        SIEM platforms  33
        Service meshes  34
        Fault tolerance  35
    Threat Detection  36
        Alerting  37
Tools  38
Upgrading and application security practices  40
Works cited  41