- Building container images
- Running containers
- Authentication and authorization
- Communication
- Apps
- Securing the control plane
- References
Tooling:
- https://docs.docker.com/docker-cloud/builds/image-scan/
- https://github.com/coreos/clair
- https://www.open-scap.org/tools/
- https://www.aquasec.com/use-cases/continuous-image-assurance/
- https://neuvector.com/container-compliance-auditing-solutions/
- https://github.com/theupdateframework/notary
- https://github.com/in-toto
Further reading:
- Establishing Image Provenance and Security in Kubernetes
- Image Management & Mutability in Docker and Kubernetes
- Container security considerations in a Kubernetes deployment
- Building Container Images Securely on Kubernetes
- The OpenShift Build Process
- Introducing Grafeas: An open-source API to audit and govern your software supply chain
Tooling:
- https://github.com/aquasecurity/kube-bench
- https://github.com/docker/docker-bench-security
- https://sysdig.com/opensource/falco/
- https://kubesec.io/
- https://www.twistlock.com/
Further reading:
- Just say no to root (in containers)
- Exploring Container Mechanisms Through the Story of a Syscall (slides | video)
- Improving your Kubernetes Workload Security Container Isolation at Scale (Introducing gVisor) (slides | video)
Tooling:
- https://github.com/coreos/dex
- https://github.com/liggitt/audit2rbac
- https://github.com/heptio/authenticator
Further reading:
- Docs: Authentication, Authorization, Controlling Access to the Kubernetes API
- Kubernetes deep dive: API Server – part 1
- Certifik8s: All You Need to Know About Certificates in Kubernetes
- Kubernetes Auth and Access Control
- Effective RBAC
- Single Sign-On for Kubernetes: An Introduction
- Let's Encrypt, OAuth 2, and Kubernetes Ingress
Tooling:
- https://github.com/aporeto-inc/trireme-kubernetes
- https://github.com/jetstack/cert-manager/
- https://spiffe.io/
- https://www.openpolicyagent.org/
Further reading:
- Docs: Network policies
- How Kubernetes certificate authorities work
- Securing Kubernetes Cluster Networking
- Tutorials and Recipes for Kubernetes Network Policies feature
- Kubernetes Security Context and Kubernetes Network Policy
- Kubernetes Application Operator Basics
Tooling:
- https://github.com/kelseyhightower/konfd
- https://github.com/hashicorp/vault-plugin-auth-kubernetes
- https://github.com/bitnami-labs/sealed-secrets
- https://github.com/shyiko/kubesec
- https://github.com/weaveworks/flux
Further reading:
- Docs: Secrets, Configure a Security Context for a Pod or Container, Pod Security Policies
- Shipping in Pirate-Infested Waters: Practical Attack and Defense in Kubernetes
- Exploring container security: Isolation at different layers of the Kubernetes stack
- Security Best Practices for Kubernetes Deployment
- NIST Special Publication 800-190: Application Container Security Guide
- Kubernetes Security Best Practices
- Continuous Kubernetes Security
Tooling:
- https://github.com/bgeesaman/kubeatf
- https://github.com/Shopify/kubeaudit
- https://k8guard.github.io/
Further reading:
- Docs: Securing a Cluster, Encrypting Secret Data at Rest, Auditing
- Securing Kubernetes components: kubelet, etcd and Docker registry
- K8s security best practices
- Kubernetes Security - Best Practice Guide
- Lessons from the Cryptojacking Attack at Tesla
- Hacking and Hardening Kubernetes Clusters by Example
- What Does “Production Ready” Really Mean for a Kubernetes Cluster
- A Hacker's Guide to Kubernetes and the Cloud
- Kubernetes Container Clustering, Catastrophe
- Hardening Kubernetes from Scratch
Kubernetes resources related to security (v1.10):
- Namespace
- Secret
- ResourceQuota
- ServiceAccount
- Role / ClusterRole
- RoleBinding / ClusterRoleBinding
- PodSecurityPolicy
- NetworkPolicy
Useful kubectl
commands:
kubectl create secret
kubectl create serviceaccount
kubectl create role
kubectl create rolebinding
kubectl auth can-i