Here is a convenient checklist summary of the security protections to review for securing Kubernetes deployments during run-time. This list does not cover the build phase vulnerability scanning and registry protection requirements.

PRE-PRODUCTION

❏ Use namespaces

❏ Restrict Linux capabilities

❏ Enable SELinux

❏ Utilize Seccomp

❏ Configure Cgroups

❏ Use R/O Mounts

❏ Use a minimal Host OS

❏ Update system patches

❏ Conduct security auditing and compliance checks with CIS benchmark tests
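
As an added example (not part of the original checklist), the following Python script audits a Pod manifest against the pod-level PRE-PRODUCTION items above: namespaces (read here as Kubernetes namespaces), Linux capabilities, SELinux, seccomp, cgroup limits and read-only mounts. It assumes the manifest shape that `kubectl get pod -o json` returns; the two sample manifests and the RISKY_CAPS policy are constructed for illustration.

```python
# Capabilities treated as findings when listed under `add` (assumed policy; adjust to your own).
RISKY_CAPS = {"ALL", "SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_RAW"}

def audit_pod(pod: dict) -> list:
    # Returns one finding per pod-level checklist item the manifest fails; empty list = pass.
    findings = []
    meta, spec = pod.get("metadata", {}), pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    # Use namespaces (read here as Kubernetes namespaces): "default" means nobody scoped it.
    if meta.get("namespace", "default") == "default":
        findings.append("namespace: pod runs in 'default'")
    # Enable SELinux: an explicit label on the pod, or else on every container.
    if "seLinuxOptions" not in pod_sc and not all(
            "seLinuxOptions" in c.get("securityContext", {}) for c in spec.get("containers", [])):
        findings.append("selinux: no seLinuxOptions on pod or containers")
    for c in spec.get("containers", []):
        name, sc = c.get("name", "?"), c.get("securityContext", {})
        # Restrict Linux capabilities: drop ALL, then add back only what is truly needed.
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            findings.append(f"{name}: capabilities.drop does not include ALL")
        if risky := RISKY_CAPS & set(caps.get("add", [])):
            findings.append(f"{name}: risky capabilities added {sorted(risky)}")
        # Utilize Seccomp: a container-level profile overrides the pod-level one.
        prof = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if prof not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}: seccompProfile.type is {prof!r}")
        # Configure Cgroups: CPU/memory limits are what bound the container's cgroup.
        limits = c.get("resources", {}).get("limits", {})
        if "cpu" not in limits or "memory" not in limits:
            findings.append(f"{name}: missing cpu/memory limits")
        # Use R/O mounts: read-only root filesystem and read-only volume mounts.
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: readOnlyRootFilesystem is not true")
        for vm in c.get("volumeMounts", []):
            if not vm.get("readOnly"):
                findings.append(f"{name}: volumeMount {vm.get('mountPath')} is writable")
    return findings

# Constructed sample manifests (not from any real cluster): a weak pod and a hardened one.
WEAK_POD = {"metadata": {"name": "web"}, "spec": {"containers": [{
    "name": "app", "image": "example/app:1.0",
    "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}},
    "volumeMounts": [{"name": "cfg", "mountPath": "/etc/app"}]}]}}
HARDENED_POD = {"metadata": {"name": "web", "namespace": "shop"}, "spec": {
    "securityContext": {"seLinuxOptions": {"level": "s0:c123,c456"}, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "app", "image": "example/app:1.0",
        "securityContext": {"capabilities": {"drop": ["ALL"]}, "readOnlyRootFilesystem": True},
        "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
        "volumeMounts": [{"name": "cfg", "mountPath": "/etc/app", "readOnly": True}]}]}}
```

The remaining three items (minimal host OS, system patches, CIS benchmark checks) are node-level and cannot be judged from a Pod manifest, so they are out of scope for this script.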

RUN-TIME

❏ Enforce isolation by application / service

❏ Inspect network connections for application attacks

❏ Monitor containers for suspicious process or file system activity

❏ Protect worker nodes from host privilege escalations, suspicious processes or file system activity

❏ Capture packets for security events

❏ Quarantine or remediate compromised containers

❏ Scan containers & hosts for vulnerabilities

❏ Alert, log, and respond in real-time to security incidents

❏ Conduct security auditing and compliance checks with CIS benchmark tests

KUBERNETES SYSTEM

❏ Review all RBACs

❏ Protect the API Server

❏ Restrict Kubelet permissions

❏ Secure external ports

❏ Whitelist non-authenticated services

❏ Limit/restrict console access

❏ Monitor system container connections and processes in production
