How Should I Approach Security for My Kubernetes Cluster?

Asked By TechWizard42

I'm the only DevOps engineer at my company, and I've been tasked with setting up infrastructure for a new project using Kubernetes. I'm pretty new to this technology and have been diving into Kubernetes security lately, realizing that it's quite expansive. My company hasn't given me specific guidelines for security, and the higher-ups aren't very tech-savvy. We're not a government organization, so I don't think I need an extremely high level of security complexity. I'm focused on foundational security practices, as we're using EKS. I plan to ensure that pods aren't running as root and that capabilities are locked down. I'm looking for advice on how deep I should go with security measures. For instance, I'm wondering if I really need to implement things like AppArmor and gVisor right now.

5 Answers

Answered By SecureK8sGuy

At the very least, restrict access between namespaces unless it's necessary. Enforce no root containers and maintain good hygiene with container permissions. Using a proper ingress controller is essential, and make sure to scan your images at the registry level. Utilize specific service accounts with the required permissions too.

Answered By ContainerCzar

The most important thing is to use Kyverno to enforce non-privileged pods. This ensures that you keep a tight grip on security right from the start.

Answered By K8sGuru

Start relying on pod security standards. You might want to use tools like Kyverno or Gatekeeper to audit your workloads against standard baseline and restricted profiles. If your workloads meet those requirements, then you can switch to enforcement mode, but do it on a namespace-by-namespace basis, leaving some like kube-system on a privileged profile.
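One concrete way to run that audit-then-enforce rollout, as an added example that is not part of the answer above: the built-in Pod Security Admission namespace labels (a Kyverno or Gatekeeper policy can mirror the same profiles), with the namespace name, pod name and image being assumed placeholders.

```yaml
# Added example (not the thread's own config): Pod Security Admission labels
# for the audit-then-enforce rollout. Namespace "payments" and the image are
# constructed placeholders.
# Step 1: audit and warn only. Violations are recorded in the audit log and
# shown on apply, but nothing is blocked, so offending workloads can be found.
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
---
# Step 2: once the namespace is clean, add enforce (one namespace at a time).
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
---
# kube-system stays on privileged so CNI and node agents keep running.
apiVersion: v1
kind: Namespace
metadata:
  name: kube-system
  labels:
    pod-security.kubernetes.io/enforce: privileged
---
# A pod that satisfies restricted: non-root, no privilege escalation,
# every capability dropped, RuntimeDefault seccomp profile.
apiVersion: v1
kind: Pod
metadata:
  name: api
  namespace: payments
spec:
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: api
    image: registry.example.com/api:1.0  # constructed placeholder
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
```

Apply the step 1 labels first and watch the warnings and audit log for a while; only when a namespace reports no violations move it to the step 2 labels.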

Answered By LeastPrivilegeNinja

Stick to the principle of least privilege. The golden rule is that no one should have direct privileges to manipulate Kubernetes resources. All changes should ideally be pulled in through tools like Flux or Argo.

Answered By QuestioningDev

Do developers really need access to Lens for debugging, or can that work be entirely done through Argo?
