Summary Checklist for Run-Time Kubernetes Security
Here is a convenient checklist summary of the security protections to review
for securing Kubernetes deployments during run-time. This list does not cover
the build phase vulnerability scanning and registry protection requirements.
PRE-PRODUCTION
❏ Use namespaces
❏ Restrict Linux capabilities
❏ Enable SELinux
❏ Utilize Seccomp
❏ Configure Cgroups
❏ Use R/O Mounts
❏ Use a minimal Host OS
❏ Update system patches
❏ Conduct security auditing and compliance checks with CIS benchmark tests
RUN-TIME
❏ Enforce isolation by application / service
❏ Inspect network connections for application attacks
❏ Monitor containers for suspicious process or file system activity
❏ Protect worker nodes from host privilege escalations, suspicious processes or
file system activity
❏ Capture packets for security events
❏ Quarantine or remediate compromised containers
❏ Scan containers & hosts for vulnerabilities
❏ Alert, log, and respond in real-time to security incidents
❏ Conduct security auditing and compliance checks with CIS benchmark tests
KUBERNETES SYSTEM
❏ Review all RBACs
❏ Protect the API Server
❏ Restrict Kubelet permissions
❏ Secure external ports
❏ Whitelist non-authenticated services
❏ Limit/restrict console access
❏ Monitor system container connections and processes in production
Summary Checklist for Run-Time Kubernetes Security的更多相关文章
- 101 More Security Best Practices for Kubernetes
https://rancher.com/blog/2019/2019-01-17-101-more-kubernetes-security-best-practices/ The CNCF recen ...
- WebLogic: The Definitive Guide examined WebLogic's security mechanisms--reference
reference from: http://www.onjava.com/pub/a/onjava/excerpt/weblogic_chap17/index1.html?page=1 ...... ...
- Centos7 使用 kubeadm 安装Kubernetes 1.13.3
目录 目录 什么是Kubeadm? 什么是容器存储接口(CSI)? 什么是CoreDNS? 1.环境准备 1.1.网络配置 1.2.更改 hostname 1.3.配置 SSH 免密码登录登录 1.4 ...
- kubernetes之监控Operator部署Prometheus(三)
第一章和第二章中我们配置Prometheus的成本非常高,而且也非常麻烦.但是我们要考虑Prometheus.AlertManager 这些组件服务本身的高可用的话,成本就更高了,当然我们也完全可以用 ...
- kubernetes之监控Prometheus实战--prometheus介绍--获取监控(一)
Prometheus介绍 Prometheus是一个最初在SoundCloud上构建的开源监控系统 .它现在是一个独立的开源项目,为了强调这一点,并说明项目的治理结构,Prometheus 于2016 ...
- Atlassian - Confluence Security Advisory - 2019-03-20
-------------------- This problem refers to the advisory found at https://confluence.atlassian.com/d ...
- Kubernetes简介
Kubernetes is an open-source platform designed to automate deploying, scaling, and operating applica ...
- kubernetes continually evict pod when node's inode exhausted
kubernetes等容器技术可以将所有的业务进程运行在公共的资源池中,提高资源利用率,节约成本,但是为避免不同进程之间相互干扰,对底层docker, kubernetes的隔离性就有了更高的要求,k ...
- kubernetes监控--Prometheus
本文基于kubernetes 1.5.2版本编写 kube-state-metrics kubectl create ns monitoring kubectl create sa -n monito ...
随机推荐
- 078 Hbase中rowkey设计原则
1.热点问题 在某一时间段,有大量的数据同时对一个region进行操作 2.原因 对rowkey的设计不合理 对rowkey的划分不合理 3.解决方式 rowkey是hbase的读写唯一标识 最大长度 ...
- 《Android进阶之光》--RxJava结合Retrofit访问网络
1)配置 dependencies{ ... compile 'io.reactivex:rxjava:1.2.0' compile 'io.reactivex:rxandroid:1.2.1' co ...
- Volley网络通信框架
<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android" xmlns:tools=&q ...
- 深入理解 MySQL ——锁、事务与并发控制
本文首发于vivo互联网技术微信公众号 mp.weixin.qq.com/s/JFSDqI5ya… 作者:张硕 本文对 MySQL 数据库中有关锁.事务及并发控制的知识及其原理做了系统化的介绍和总结, ...
- Cordova项目config.xml添加android权限
最近在开发cordova项目,安卓APP需要调用照相机和系统相册,在添加安卓权限的时候,总是报错. 以下是部分config.xml代码 <platform name="android& ...
- 使用TVTK库创建一个矩形视图
from tvtk.api import tvtk # s=tvtk.ConeSource(height=,radius=) # print(s.center) #创建一个长方体数据源,并同时设置长宽 ...
- cocosCreator 新版本的动作函数API的应用
利用触摸位置判断,点击的是屏幕的左侧还是右侧,控制主角左右移动: 见代码: InputControl:function () { var self=this; //cc.systemEvent sel ...
- CentOS 6.8 安装 Erlang 及 RabbitMQ Server
安装 Erlang 19.3 # 安装依赖包 yum install -y gcc gcc-c++ unixODBC-devel openssl-devel ncurses-devel # 下载 er ...
- AngularJS自定义Directive中link和controller的区别
在AngularJS中,自定义Directive过程中,有时用link和controller都能实现相同的功能.那么,两者有什么区别呢? 使用link函数的Directive 页面大致是: <b ...
- TThread深入分析
Delphi中有一个线程类TThread是用来实现多线程编程的,这个绝大多数Delphi书藉都有说到,但基本上都是 对TThread类的几个成员作一简单介绍,再说明一下Execute的实现和Synch ...