

Apply these 10 rules to defend your Kubernetes cluster properly
Ten security recommendations to protect your Kubernetes deployment
1. The Kubernetes API server, the kubelet API and etcd are not exposed publicly on the Internet.
2. A default network policy that selects all pods and denies all ingress and egress traffic is in place in every namespace.
3. If appropriate, a service mesh is used to encrypt all communications inside the cluster.
4. RBAC rights to create, update, patch or delete workloads are granted only where necessary.
5. An appropriate Pod Security Standards policy is applied to all namespaces and enforced.
6. ConfigMaps are not used to hold confidential data.
7. Encryption at rest is configured for the Secret API.
8. Container images are configured to run as an unprivileged user.
9. Container images are scanned regularly, both at build time and while deployed, and known vulnerable software is patched.
10. The kube-controller-manager is running with --use-service-account-credentials enabled, so each controller uses its own service account rather than the controller manager's shared credentials.
References for further reading:
https://kubernetes.io/docs/concepts/security/rbac-good-practices/
https://kubernetes.io/docs/concepts/security/security-checklist/
If you want to pentest your Kubernetes cluster, these are two good tools to start with. Let me know of any others in the comments below.
Tools for security testing: