- Make sure your cluster runs a recent version of Kubernetes – the security features have matured quite a bit in the most recent versions.
- While the defaults are getting stronger, the best clusters are the ones that the owners have proactively hardened.
- Set up authorization with custom RBAC service accounts, as well as Node and Webhook authorization.
- Use network policies with strong, specific, default-deny rules on both ingress and egress network traffic.
- Use pod security policies to restrict a hostile pod's ability to interact with the node.
- Stand on the shoulders of others, including Google’s Ahmet Balkan, Red Hat’s Jordan Liggitt, and the community at the Center for Internet Security.
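The three hardening bullets above (least-privilege RBAC for a custom service account, default-deny network policies on ingress and egress, and a restrictive pod security policy) as one set of manifests. This is an added example, not from the original list or from any cited project; the namespace `example-app`, the names `app-sa`, `app-config`, `app-config-reader` and the `app: example-app` label are placeholders. PodSecurityPolicy (API `policy/v1beta1`) was removed in Kubernetes 1.25; on current clusters the equivalent control is Pod Security Admission at the `restricted` level, set with the namespace label `pod-security.kubernetes.io/enforce: restricted`.

```yaml
# Constructed example: least-privilege ServiceAccount + Role, default-deny
# NetworkPolicy with an explicit DNS allow, and a restrictive PodSecurityPolicy.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-sa
  namespace: example-app
automountServiceAccountToken: false   # pods that need the API opt in explicitly
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: app-config-reader
  namespace: example-app
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["app-config"]        # one named object, not every ConfigMap
  verbs: ["get", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-config-reader-binding
  namespace: example-app
subjects:
- kind: ServiceAccount
  name: app-sa
  namespace: example-app
roleRef:
  kind: Role
  name: app-config-reader
  apiGroup: rbac.authorization.k8s.io
---
# Default deny: empty podSelector matches every pod in the namespace; listing
# both policy types with no rules blocks all ingress and all egress.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: example-app
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
# Specific allow: app pods may reach kube-dns in kube-system on port 53 only.
# Further allows (e.g. to a database) are added the same way, one per need.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: example-app
spec:
  podSelector:
    matchLabels:
      app: example-app
  policyTypes: ["Egress"]
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
---
# Restrictive PodSecurityPolicy: no privilege, no host namespaces, non-root,
# all capabilities dropped, read-only root filesystem, limited volume types.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities: ["ALL"]
  hostNetwork: false
  hostPID: false
  hostIPC: false
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
  fsGroup:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
  readOnlyRootFilesystem: true
  volumes: ["configMap", "emptyDir", "projected", "secret", "downwardAPI", "persistentVolumeClaim"]
```

Two checks worth running after applying these: `kubectl auth can-i --list --as=system:serviceaccount:example-app:app-sa -n example-app` should show only `get`/`watch` on the one ConfigMap, and a pod in the namespace should fail to reach anything except kube-dns until a further NetworkPolicy allows it. A PodSecurityPolicy only takes effect when the PodSecurityPolicy admission controller is enabled and the pod's service account is granted the `use` verb on that policy through RBAC; without that binding, pod creation is rejected rather than silently allowed.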
Jay Beale, co-founder, COO and CTO, InGuardians
Jay Beale has created several defensive security tools, including Bastille Linux/UNIX and the CIS Linux Scoring Tool, both of which were used widely throughout industry and government. He has served as an invited speaker at many industry and government conferences, a columnist for Information Security Magazine, SecurityPortal and SecurityFocus, and a contributor to nine books, including those in his Open Source Security Series and the “Stealing the Network” series. He has led training classes on Linux Hardening and other topics at Black Hat, CanSecWest, RSA, and IDG conferences, as well as in private corporate training. Jay is a co-founder, Chief Operating Officer and CTO of the information security consulting company InGuardians.