Kubernetes Tipps Hardening

PSA (Pod Security Admission)

Policies defined by namespace.
e.g. not allowed to run container as root.

Will complain/deny when creating such a pod with that container type

Möglichkeiten in Pods und Containern

# für die Pods
kubectl explain pod.spec.securityContext 
kubectl explain pod.spec.containers.securityContext

Example (seccomp / security context)

A. seccomp - profile
https://github.com/docker/docker/blob/master/profiles/seccomp/default.json

apiVersion: v1
kind: Pod
metadata:
  name: audit-pod
  labels:
    app: audit-pod
spec:
  securityContext:
    seccompProfile:
      type: Localhost
      localhostProfile: profiles/audit.json

  containers:

  - name: test-container
    image: hashicorp/http-echo:0.2.3
    args:
    - "-text=just made some syscalls!"
    securityContext:
      allowPrivilegeEscalation: false

SecurityContext (auf Pod Ebene)

kubectl explain pod.spec.containers.securityContext

NetworkPolicy

# Firewall Kubernetes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

tipps-hardening.md

tipps-hardening.md

Kubernetes Tipps Hardening

PSA (Pod Security Admission)

Möglichkeiten in Pods und Containern

Example (seccomp / security context)

SecurityContext (auf Pod Ebene)

NetworkPolicy

Files

tipps-hardening.md

Latest commit

History

tipps-hardening.md

File metadata and controls

Kubernetes Tipps Hardening

PSA (Pod Security Admission)

Möglichkeiten in Pods und Containern

Example (seccomp / security context)

SecurityContext (auf Pod Ebene)

NetworkPolicy