K8s security - Episode 6: Security Cheat Sheet

Emmanuelle Demompion
1 min read

As this series of articles is coming to its end, you will find here a security cheat sheet with the simple purpose of listing best practices and advice to protect your production environment when running it on a Kubernetes cluster.

Focus personae

Security is everyone's concern

Choose Wisely

Cloud provider

  • What cloud provider are you choosing and why?
  • What is its revoke certificate strategy?
  • What default security option does it provide?

Third parties

  • Only use what you need.
  • List all third parties you use, what purpose they serve, and what versions are in use.
  • What level of security do they provide?
  • What technology are they based on?
  • Do they need extra external access? Are they sending data outside of your production environment?
  • Update to new software and library versions as much as possible.
  • Stay informed about new vulnerabilities and apply fixes as soon as they are available.
  • Define an update/upgrade policy and a cleaning policy (i.e., check if you have unnecessary dependencies regularly and remove them).

Design before code

The production infrastructure of your software will define the roles, users, and best practices to code with serenity.
Learn and be curious about vulnerabilities.
Know your priorities when it comes to security.
Who can access what, and should they be able to?

  • Define all your personae (internal and external), their needs, their interactions.
  • Associate your personae with each part of your application they need access to.
  • Split your environments and applications accordingly to the required accesses by your personae.
  • Make smart choices about what is not perfectly secured and at risk.
  • Be curious about vulnerabilities, and even learn to use them.
  • Protect your data.

"To start coding, all you need is a piece of paper and a pen."

Start fresh

  • Build a secured environment from the begining.
  • Set admission controllers for your Kubernetes cluster's (at least):
    • NamespaceLifeCycle
    • LimitRanger
    • ServiceAccount
    • DefaultStorageClass
    • ResourceQuota
  • Define Network security policies to isolate pods and namespaces within your cluster, and allow pod communication only if needed.

Take responsibility

A production environment is everyone's responsibility. Maybe some people can do more on the technical side when an issue appears, but not being able to code, fix, or configure does not mean you cannot help.

You are all in the same boat, don't let other people row when things get complicated.

Help, assist, understand, be constructive, and not critical.

Share on
Other articles about:

Recommended articles