Learn Pentesting like a Pro!

Apply these 10 rules to defend your Kubernetes cluster properly

pentesting.academy
Feb 20

Ten security recommendations to protect your Kubernetes deployment

  1. The Kubernetes API server, the kubelet API and etcd are not exposed publicly on the Internet

  2. A default network policy is in place in each namespace that selects all pods and denies all ingress and egress traffic, so only explicitly allowed flows get through

  3. If appropriate, a service mesh is used to encrypt all communications inside the cluster

  4. RBAC rights to create, update, patch or delete workloads are only granted where necessary (a principal that can create pods can mount any Secret in that namespace)

  5. An appropriate Pod Security Standards level (baseline or restricted) is applied to all namespaces and enforced, not just warned or audited

  6. ConfigMaps are not used to hold confidential data; anything sensitive belongs in a Secret

  7. Encryption at rest is configured for the Secret API, so Secrets are not stored in plaintext in etcd

  8. Container images are configured to run as an unprivileged user (a non-root USER in the image, backed by runAsNonRoot in the pod securityContext)

  9. Container images are regularly scanned during creation and in deployment, and known vulnerable software is patched

  10. The kube-controller-manager is running with --use-service-account-credentials enabled, so each controller uses its own service account and least-privilege RBAC role instead of one shared credential
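The following is an added example, not code from the original post or from kube-hunter or kubescape. It turns rules 2, 5, 6 and 8 into checks over objects shaped like the `items` of `kubectl get <kind> -A -o json`. The sample namespaces, policies, ConfigMaps and pods are constructed for the example, and the function names (`audit_cluster`, `is_default_deny`, `container_is_nonroot`) are this example's own, not any Kubernetes API.

```python
"""Audit Kubernetes objects against rules 2, 5, 6 and 8 of the checklist.

Added example, not code from the original post or from any Kubernetes tool.
The objects below are constructed sample data shaped like the items of
`kubectl get <kind> -A -o json`; the function names are this example's own.
"""
import re

# Constructed sample objects (what `kubectl get ... -o json` .items would hold).
NAMESPACES = [
    {"metadata": {"name": "payments",
                  "labels": {"pod-security.kubernetes.io/enforce": "restricted"}}},
    {"metadata": {"name": "legacy", "labels": {}}},
]

NETWORK_POLICIES = [
    # Rule 2: an empty podSelector selects every pod in the namespace, and
    # naming both policy types with no ingress/egress rules denies all traffic.
    {"metadata": {"name": "default-deny", "namespace": "payments"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
    # Only selects app=web pods, so "legacy" still lacks a default deny.
    {"metadata": {"name": "web-only", "namespace": "legacy"},
     "spec": {"podSelector": {"matchLabels": {"app": "web"}},
              "policyTypes": ["Ingress"]}},
]

CONFIGMAPS = [
    {"metadata": {"name": "app-config", "namespace": "legacy"},
     "data": {"LOG_LEVEL": "info", "DB_PASSWORD": "hunter2"}},
    {"metadata": {"name": "app-config", "namespace": "payments"},
     "data": {"LOG_LEVEL": "info"}},
]

PODS = [
    {"metadata": {"name": "api", "namespace": "payments"},
     "spec": {"securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
              "containers": [{"name": "api", "image": "example/api:1.2"}]}},
    {"metadata": {"name": "cron", "namespace": "legacy"},
     "spec": {"containers": [{"name": "cron", "image": "example/cron:0.9",
                              "securityContext": {"runAsUser": 0}}]}},
]

# Key names that usually mean a value belongs in a Secret, not a ConfigMap.
SECRET_KEY_RE = re.compile(r"passw(or)?d|secret|token|api[_-]?key|private[_-]?key", re.I)


def is_default_deny(policy):
    """Rule 2: selects all pods, covers Ingress and Egress, allows nothing."""
    spec = policy.get("spec", {})
    selects_all = spec.get("podSelector", {}) == {}
    both_types = {"Ingress", "Egress"} <= set(spec.get("policyTypes", []))
    # `ingress: [{}]` would be an allow-all rule; an absent or empty list is deny.
    no_allow_rules = not spec.get("ingress") and not spec.get("egress")
    return selects_all and both_types and no_allow_rules


def container_is_nonroot(pod_ctx, ctx):
    """Rule 8: the container securityContext overrides the pod-level one."""
    uid = ctx.get("runAsUser", pod_ctx.get("runAsUser"))
    if uid is not None:
        return uid != 0
    # No explicit UID: only runAsNonRoot=true makes the kubelet verify the
    # image's USER at start-up, so anything else is treated as root-capable.
    return ctx.get("runAsNonRoot", pod_ctx.get("runAsNonRoot")) is True


def audit_cluster(namespaces, policies, configmaps, pods):
    """Return (namespace, rule, message) findings for every violation found."""
    findings = []
    for ns in namespaces:
        name = ns["metadata"]["name"]
        labels = ns["metadata"].get("labels", {})
        # Rule 5: "privileged" (or no label at all) enforces nothing.
        if labels.get("pod-security.kubernetes.io/enforce") not in ("baseline", "restricted"):
            findings.append((name, "rule5", "no enforced Pod Security Standard"))
        if not any(p["metadata"]["namespace"] == name and is_default_deny(p)
                   for p in policies):
            findings.append((name, "rule2", "no default-deny NetworkPolicy"))
    for cm in configmaps:
        ns, cm_name = cm["metadata"]["namespace"], cm["metadata"]["name"]
        for key in cm.get("data", {}):
            # Rule 6: only the key name is inspected; values are never printed.
            if SECRET_KEY_RE.search(key):
                findings.append((ns, "rule6", f"ConfigMap {cm_name} key {key!r} looks secret"))
    for pod in pods:
        ns, pod_name = pod["metadata"]["namespace"], pod["metadata"]["name"]
        pod_ctx = pod["spec"].get("securityContext", {})
        for c in pod["spec"].get("containers", []):
            if not container_is_nonroot(pod_ctx, c.get("securityContext", {})):
                findings.append((ns, "rule8", f"pod {pod_name} container {c['name']} may run as root"))
    return findings


if __name__ == "__main__":
    for ns, rule, msg in audit_cluster(NAMESPACES, NETWORK_POLICIES, CONFIGMAPS, PODS):
        print(f"{ns:10} {rule:6} {msg}")
```

Against the constructed data, every finding lands in the `legacy` namespace and `payments` comes back clean. To run it on a real cluster, replace the four constants with the `items` lists from `kubectl get <kind> -A -o json` for namespaces, networkpolicies, configmaps and pods. The ConfigMap check deliberately matches key names only, so the audit output never echoes the values it is complaining about.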

References for further reading:

  • https://kubernetes.io/docs/concepts/security/rbac-good-practices/

  • https://kubernetes.io/docs/tutorials/security/

  • https://kubernetes.io/docs/concepts/security/security-checklist/

If you want to pentest your Kubernetes cluster, the two tools below are a good place to start. Let me know about any others in the comments.

Tools for security testing:

  • https://github.com/aquasecurity/kube-hunter

  • https://github.com/kubescape/kubescape
