Summary Checklist for Run-Time Kubernetes Security
Here is a summary checklist of the security protections to review when
securing Kubernetes deployments at run-time. This list does not cover
build-phase vulnerability scanning or registry protection requirements.
PRE-PRODUCTION
❏ Use namespaces
❏ Restrict Linux capabilities
❏ Enable SELinux
❏ Utilize Seccomp
❏ Configure Cgroups
❏ Use R/O Mounts
❏ Use a minimal Host OS
❏ Update system patches
❏ Conduct security auditing and compliance checks with CIS benchmark tests
RUN-TIME
❏ Enforce isolation by application / service
❏ Inspect network connections for application attacks
❏ Monitor containers for suspicious process or file system activity
❏ Protect worker nodes from host privilege escalations, suspicious processes or
file system activity
❏ Capture packets for security events
❏ Quarantine or remediate compromised containers
❏ Scan containers & hosts for vulnerabilities
❏ Alert, log, and respond in real-time to security incidents
❏ Conduct security auditing and compliance checks with CIS benchmark tests
KUBERNETES SYSTEM
❏ Review all RBACs
❏ Protect the API Server
❏ Restrict Kubelet permissions
❏ Secure external ports
❏ Whitelist non-authenticated services
❏ Limit/restrict console access
❏ Monitor system container connections and processes in production