Ten security recommendations to protect your Kubernetes deployment

1. The Kubernetes API, kubelet API and etcd are not exposed publicly on Internet

2. Default network policies within each namespace, selecting all pods, denying everything, are in place

3. If appropriate, a service mesh is used to encrypt all communications inside of the cluster

4. RBAC rights to create, update, patch, delete workloads is only granted if necessary

5. Appropriate Pod Security Standards policy is applied for all namespaces and enforced

6. ConfigMaps are not used to hold confidential data

7. Encryption at rest is configured for the Secret API

8. Container images are configured to be run as unprivileged user

9. Container images are regularly scanned during creation and in deployment, and known vulnerable software is patched

10. The kube-controller-manager is running with --use-service-account-credentials enabled

References for further reading:

• https://kubernetes.io/docs/concepts/security/rbac-good-practices/

• https://kubernetes.io/docs/tutorials/security/

• https://kubernetes.io/docs/concepts/security/security-checklist/

If you want to pentest your Kubernetes cluster, those are two good tools to start with. Let me know any other else below in the comments.

Tools for security testing:

• https://github.com/aquasecurity/kube-hunter

• https://github.com/kubescape/kubescape