diaryhas.blogg.se

Critical ops hack 0.9.11.f147
Kubernetes security has come a long way since the project's inception, but still contains some gotchas. Starting with the control plane, building up through workload and network security, and finishing with a projection into the future of security, here is a list of handy tips to help harden your clusters and increase their resilience if compromised.

The control plane has an overall view of every container and pod running on the cluster, can schedule new pods (which can include containers with root access to their parent node), and can read all the secrets stored in the cluster. This valuable cargo needs protecting from accidental leakage and malicious intent: when it's accessed, when it's at rest, and when it's being transported across the network.

TLS should be enabled for every component that supports it: it prevents traffic sniffing, lets clients verify the identity of the server, and (with mutual TLS) lets the server verify the identity of the client. Note that some components and installation methods may expose local ports over plain HTTP, so administrators should familiarize themselves with the settings of each component to identify potentially unsecured traffic. This network diagram by Lucas Käldström demonstrates some of the places TLS should ideally be applied: between every component on the master, and between the Kubelet and API server. Kelsey Hightower's canonical Kubernetes The Hard Way provides detailed manual instructions, as does etcd's security model documentation.

Autoscaling Kubernetes nodes was historically difficult, as each node requires a TLS key to connect to the master, and baking secrets into base images is not good practice. Kubelet TLS bootstrapping lets a new kubelet submit a certificate signing request so that its certificate is issued at boot time rather than shipped inside the image.

Enable RBAC with Least Privilege, Disable ABAC, and Monitor Logs

Role-based access control provides fine-grained policy management for user access to resources, such as access to namespaces. Kubernetes' ABAC (Attribute Based Access Control) has been superseded by RBAC since release 1.6 and should not be enabled on the API server. Use RBAC instead: --authorization-mode=RBAC (the flag takes a comma-separated list, so Node,RBAC is the usual production setting). Or use this flag to disable legacy authorization in GKE: --no-enable-legacy-authorization. There are plenty of good examples of RBAC policies for cluster services, as well as the docs. And it doesn't have to stop there - fine-grained RBAC policies can be extracted from audit logs with audit2rbac.
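The TLS and authorization settings above all end up as kube-apiserver flags, and the quickest way to catch a cluster that missed one is to audit the static pod manifest. The script below is an added example written for this page, not code from the original article or from any Kubernetes tool. It only understands the common `- --flag=value` list form found in /etc/kubernetes/manifests/kube-apiserver.yaml, and the two manifests it ships with are constructed samples; the flag names are the real kube-apiserver flags.

```python
"""Audit a kube-apiserver static pod manifest for the TLS-everywhere and
RBAC settings discussed above.  Added example; parses only the
`- --flag=value` command-list form, not arbitrary YAML."""
import re
from typing import Dict, List

FLAG_RE = re.compile(r"^\s*-\s+(--[\w-]+)(?:=(.*))?$")

# Every hop out of the API server should be TLS with verified identities:
# serving cert, client-cert CA (mutual TLS), etcd client cert, kubelet client cert.
REQUIRED_TLS_FLAGS = {
    "--tls-cert-file": "API server serving certificate",
    "--tls-private-key-file": "API server serving key",
    "--client-ca-file": "CA used to verify client certificates (mutual TLS)",
    "--etcd-cafile": "CA used to verify etcd's serving certificate",
    "--etcd-certfile": "client certificate presented to etcd",
    "--etcd-keyfile": "client key presented to etcd",
    "--kubelet-client-certificate": "client certificate presented to kubelets",
    "--kubelet-client-key": "client key presented to kubelets",
    "--kubelet-certificate-authority": "CA used to verify kubelet serving certificates",
}


def parse_flags(manifest: str) -> Dict[str, str]:
    """Collect `--flag=value` entries from the container command list."""
    flags: Dict[str, str] = {}
    for line in manifest.splitlines():
        m = FLAG_RE.match(line)
        if m:
            flags[m.group(1)] = (m.group(2) or "").strip().strip("\"'")
    return flags


def audit_apiserver(manifest: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    flags = parse_flags(manifest)
    findings: List[str] = []

    modes = [m for m in flags.get("--authorization-mode", "").split(",") if m]
    if "RBAC" not in modes:
        findings.append("--authorization-mode does not include RBAC")
    for bad in ("ABAC", "AlwaysAllow"):
        if bad in modes:
            findings.append(f"--authorization-mode enables {bad}")

    # Anonymous requests default to enabled on the API server.
    if flags.get("--anonymous-auth", "true") != "false":
        findings.append("--anonymous-auth is not disabled")
    # The plaintext localhost port bypasses both TLS and authentication.
    if flags.get("--insecure-port", "0") != "0":
        findings.append("plaintext --insecure-port is not 0")

    for flag, purpose in REQUIRED_TLS_FLAGS.items():
        if not flags.get(flag):
            findings.append(f"{flag} missing ({purpose})")
    return findings


# Constructed sample: what a kubeadm-style hardened manifest looks like.
HARDENED_MANIFEST = """
spec:
  containers:
  - command:
    - kube-apiserver
    - --authorization-mode=Node,RBAC
    - --anonymous-auth=false
    - --insecure-port=0
    - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
    - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
    - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
    - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
    - --kubelet-certificate-authority=/etc/kubernetes/pki/ca.crt
"""

# Constructed sample: legacy authorization, anonymous access, plaintext port,
# and etcd reachable over an unverified connection.
WEAK_MANIFEST = """
spec:
  containers:
  - command:
    - kube-apiserver
    - --authorization-mode=AlwaysAllow
    - --anonymous-auth=true
    - --insecure-port=8080
    - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
    - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
    - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
"""

if __name__ == "__main__":
    for label, manifest in (("hardened", HARDENED_MANIFEST), ("weak", WEAK_MANIFEST)):
        print(f"{label}: {audit_apiserver(manifest) or 'no findings'}")
```

Run it against a real manifest with `audit_apiserver(open("/etc/kubernetes/manifests/kube-apiserver.yaml").read())`; an absent `--kubelet-certificate-authority` is the finding most often missed in practice, since without it the API server accepts any certificate a kubelet presents.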
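The audit2rbac step in the RBAC section above is worth seeing in miniature: run the workload under a permissive binding, record what it actually asks the API server for, then grant exactly that. The script below is an added example written for this page, not the audit2rbac tool or any code from the original article. It reads audit.k8s.io/v1 Event lines (the format written by --audit-log-path), attributes each completed request to a user, and emits the smallest Role or ClusterRole plus binding that covers the observed verbs. The audit log it ships with is a constructed sample.

```python
"""Derive a least-privilege Role from API server audit events, in the
spirit of audit2rbac.  Added example, not the tool itself."""
import json
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample audit log (JSON lines, as written by --audit-log-path).
# Note the duplicate RequestReceived/ResponseComplete pair, a cluster-scoped
# request with no namespace, and a request by a different user.
SAMPLE_AUDIT_LOG = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","user":{"username":"system:serviceaccount:payments:billing"},"verb":"get","objectRef":{"resource":"configmaps","namespace":"payments","name":"billing-config","apiGroup":""},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"RequestReceived","user":{"username":"system:serviceaccount:payments:billing"},"verb":"get","objectRef":{"resource":"configmaps","namespace":"payments","name":"billing-config","apiGroup":""}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","user":{"username":"system:serviceaccount:payments:billing"},"verb":"list","objectRef":{"resource":"pods","namespace":"payments","apiGroup":""},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","user":{"username":"system:serviceaccount:payments:billing"},"verb":"update","objectRef":{"resource":"deployments","namespace":"payments","name":"billing","apiGroup":"apps"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","user":{"username":"system:serviceaccount:payments:billing"},"verb":"list","objectRef":{"resource":"nodes","apiGroup":""},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","user":{"username":"alice"},"verb":"delete","objectRef":{"resource":"secrets","namespace":"payments","name":"db","apiGroup":""},"responseStatus":{"code":200}}
"""

Scope = Tuple[str, str, str]  # (namespace or "" for cluster scope, apiGroup, resource)


def observed_access(log: str, username: str) -> Dict[Scope, Set[str]]:
    """Map each (namespace, apiGroup, resource) to the verbs the user actually used."""
    access: Dict[Scope, Set[str]] = defaultdict(set)
    for line in log.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        # A request is logged at several stages; count it once, on completion.
        if ev.get("stage") != "ResponseComplete":
            continue
        if ev.get("user", {}).get("username") != username:
            continue
        ref = ev.get("objectRef")
        if not ref:  # non-resource URLs such as /healthz carry no objectRef
            continue
        scope = (ref.get("namespace", ""), ref.get("apiGroup", ""), ref["resource"])
        access[scope].add(ev["verb"])
    return access


def subject_for(username: str) -> dict:
    """Turn an audit-log username into an RBAC subject."""
    if username.startswith("system:serviceaccount:"):
        _, _, ns, name = username.split(":", 3)
        return {"kind": "ServiceAccount", "namespace": ns, "name": name}
    return {"kind": "User", "name": username, "apiGroup": "rbac.authorization.k8s.io"}


def build_policy(log: str, username: str) -> List[dict]:
    """Emit Role/ClusterRole objects and bindings covering exactly the observed access."""
    rules_by_ns: Dict[str, List[dict]] = defaultdict(list)
    for (ns, group, resource), verbs in sorted(observed_access(log, username).items()):
        rules_by_ns[ns].append(
            {"apiGroups": [group], "resources": [resource], "verbs": sorted(verbs)}
        )

    subject = subject_for(username)
    objects: List[dict] = []
    for ns, rules in rules_by_ns.items():
        kind = "Role" if ns else "ClusterRole"  # "" namespace means cluster-scoped
        name = f"{subject['name']}-observed"
        metadata = {"name": name, **({"namespace": ns} if ns else {})}
        objects.append({"apiVersion": "rbac.authorization.k8s.io/v1", "kind": kind,
                        "metadata": metadata, "rules": rules})
        objects.append({"apiVersion": "rbac.authorization.k8s.io/v1", "kind": f"{kind}Binding",
                        "metadata": dict(metadata), "subjects": [subject],
                        "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                                    "kind": kind, "name": name}})
    return objects


if __name__ == "__main__":
    policy = build_policy(SAMPLE_AUDIT_LOG, "system:serviceaccount:payments:billing")
    # JSON is valid YAML, so this output can go straight to `kubectl apply -f -`.
    print(json.dumps({"apiVersion": "v1", "kind": "List", "items": policy}, indent=2))
```

Two details matter for least privilege: only ResponseComplete events are counted, so a request is never granted twice, and a request with no namespace becomes a ClusterRole rather than being silently folded into a namespaced Role. Review the generated rules before applying them; an observed `list` on `secrets`, for example, may be a bug in the workload rather than a permission it should keep.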