Kubernetes Hardening for DevSecOps
Table of contents
- Restrict Kubernetes API access to specific IP ranges
- Use Role-Based Access Control (RBAC)
- Enable PodSecurityPolicy (PSP)
- Use Network Policies
- Enable Audit Logging
- Use Secure Service Endpoints
- Use Pod Security Context
- Use Kubernetes Secrets
- Enable Container Runtime Protection
- Enable Admission Controllers
A list of best practices for hardening Kubernetes for DevSecOps, each with the command or configuration that applies it.
Restrict Kubernetes API access to specific IP ranges
kubectl edit svc/kubernetes
Update spec.loadBalancerSourceRanges with the CIDRs that are allowed to reach the API server.
Caveat: spec.loadBalancerSourceRanges only takes effect on a Service of type LoadBalancer, and the built-in `kubernetes` Service in the `default` namespace is of type ClusterIP, so editing it does not change who can reach the API server. Apply the allow-list at the layer that actually fronts the control plane: the load balancer or firewall in front of a self-managed API server, or the managed provider's API-server allow-list (authorized networks on GKE, public access CIDRs on EKS, authorized IP ranges on AKS). Keep the list short and prefer private endpoints reached over VPN or a bastion.
Use Role-Based Access Control (RBAC)
kubectl create serviceaccount <name>
kubectl create clusterrolebinding <name> --clusterrole=<role> --serviceaccount=<namespace>:<name>
A ClusterRoleBinding grants the role in every namespace. Where the workload only needs access to its own namespace, bind a namespaced Role with a RoleBinding instead, grant only the verbs and resources the workload actually uses, and never bind the built-in `cluster-admin` role to a service account.
Enable PodSecurityPolicy (PSP)
kubectl create serviceaccount psp-sa
kubectl create clusterrolebinding psp-binding --clusterrole=psp:vmxnet3 --serviceaccount=default:psp-sa
Here `psp:vmxnet3` stands for a ClusterRole that grants the `use` verb on the `podsecuritypolicies` resource for one specific policy. Once the PodSecurityPolicy admission plugin is enabled, a pod whose creator (user or service account) cannot `use` any policy is rejected outright, so the binding is what makes the policy usable rather than what restricts it.
Caveat: PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25. On current clusters the equivalent control is the built-in Pod Security Admission controller, configured with `pod-security.kubernetes.io/*` labels on namespaces (and optionally cluster-wide defaults in the admission configuration file), or a policy engine such as an external validating admission webhook.
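The Pod Security Admission equivalent of a restrictive PSP, as an added example that is not part of the original page: the `restricted` profile enforced on one namespace, with `warn` and `audit` set to the same level so violations are visible before and after enforcement. The namespace name `payments` is a placeholder.

```yaml
# Added example (not from the original page). Namespace name is a placeholder.
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    # enforce: pods that violate the "restricted" profile are rejected
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    # warn: kubectl users get a warning on create/update of a violating pod
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/warn-version: latest
    # audit: violations are annotated in the API server audit log
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/audit-version: latest
```

Before enforcing on an existing namespace, run the label change as a server-side dry run so the API server reports which running pods would be rejected: `kubectl label --dry-run=server --overwrite ns payments pod-security.kubernetes.io/enforce=restricted`. Fix those workloads (or enforce `baseline` first), then apply the manifest for real. Enforcement applies to new and updated pods only; pods already running are not evicted.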
Use Network Policies
kubectl apply -f networkpolicy.yml
Caveat: until a NetworkPolicy selects a pod, that pod accepts and sends traffic to anything, so start every namespace with a default-deny policy and then add narrow allow rules. NetworkPolicy is only enforced when the cluster's CNI plugin implements it (Calico, Cilium and similar do; a plain bridge or some cloud defaults do not); on a CNI without enforcement the object is accepted by the API server and silently ignored, so verify enforcement by testing a connection that should be blocked.
Enable Audit Logging
Update --audit-log-path and --audit-policy-file on kube-apiserver.
The audit policy is a file read by kube-apiserver from disk, not an API object, so applying audit-policy.yaml with kubectl does nothing useful. Copy the policy file to every control-plane node, mount it into the kube-apiserver pod, and point --audit-policy-file at it; --audit-log-path sets where the log is written (use --audit-log-maxage, --audit-log-maxbackup and --audit-log-maxsize, or --audit-webhook-config-file to ship events to a collector). On kubeadm clusters these flags live in the static pod manifest /etc/kubernetes/manifests/kube-apiserver.yaml, which the kubelet re-reads to restart the pod, rather than in a ConfigMap; managed providers expose audit logging through their own control-plane settings. Without a policy file no events are recorded at all.
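An audit policy file for --audit-policy-file, as an added example that is not part of the original page. Rules are evaluated top to bottom and the first match decides the level, so the sensitive and noisy cases are listed before the catch-all. Everything here uses the documented Policy fields; no cluster-specific values are assumed.

```yaml
# Added example (not from the original page): audit policy for kube-apiserver.
apiVersion: audit.k8s.io/v1
kind: Policy
# RequestReceived carries no outcome and would double the log volume.
omitStages:
  - RequestReceived
rules:
  # Secret and ConfigMap bodies must never be copied into the audit log:
  # Metadata records who touched which object, without the payload.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps"]
  # Anything that changes authorization is recorded with full request and response.
  - level: RequestResponse
    resources:
      - group: "rbac.authorization.k8s.io"
        resources: ["roles", "clusterroles", "rolebindings", "clusterrolebindings"]
  # exec/attach/portforward into pods: keep the request so the command is captured.
  - level: Request
    resources:
      - group: ""
        resources: ["pods/exec", "pods/attach", "pods/portforward"]
  # High-volume, low-value traffic from system components.
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: ""
        resources: ["endpoints", "services"]
  - level: None
    nonResourceURLs: ["/healthz*", "/livez*", "/readyz*", "/version"]
  # Catch-all: who did what to which object, without bodies.
  - level: Metadata
```

With this file at `/etc/kubernetes/audit/policy.yaml` on the node and a hostPath mount into the kube-apiserver static pod, the matching flags are `--audit-policy-file=/etc/kubernetes/audit/policy.yaml --audit-log-path=/var/log/kubernetes/audit.log --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100` (paths are placeholders). Check that events are flowing by reading a Secret and grepping the log for its name; the `requestObject` field must be absent for that event.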
Use Secure Service Endpoints
kubectl patch svc <svc-name> -p '{"spec": {"publishNotReadyAddresses": true, "sessionAffinity": "ClientIP"}}'
Caveat: neither field in this patch hardens a Service. publishNotReadyAddresses: true does the opposite of what the heading suggests: it adds pods that have not passed their readiness probe to the Service's endpoints, exposing half-initialised instances; leave it at the default of false unless a headless Service needs it for peer discovery. sessionAffinity: ClientIP is a load-balancing setting and grants nothing and denies nothing. Securing a Service endpoint means limiting who can reach it: a NetworkPolicy on the backing pods, an internal rather than public load balancer, and spec.loadBalancerSourceRanges on LoadBalancer Services that must be exposed.
Use Pod Security Context
kubectl create sa pod-sa
kubectl create rolebinding pod-sa --role=psp:vmxnet3 --serviceaccount=default:pod-sa
These two commands only create a service account and bind it to a (PSP-style) Role; they do not set a security context. The security context is a field of the pod manifest, spec.securityContext for pod-wide settings and spec.containers[].securityContext per container, and has to be set in the workload definition itself: run as a non-root user, disallow privilege escalation, drop all Linux capabilities, mount the root filesystem read-only and apply a seccomp profile. Those are also the settings the Pod Security `restricted` profile checks for.
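A pod manifest with a hardened security context, as an added example that is not part of the original page; it passes the Pod Security `restricted` profile. It reuses the `pod-sa` service account from the commands above; the namespace, image and UID are placeholders, and the writable emptyDir at /tmp shows how to keep the root filesystem read-only for an application that still needs scratch space.

```yaml
# Added example (not from the original page). Namespace, image and UID are placeholders.
apiVersion: v1
kind: Pod
metadata:
  name: hardened-app
  namespace: default
spec:
  serviceAccountName: pod-sa
  automountServiceAccountToken: false   # no API token in the pod unless the app needs one
  securityContext:                      # pod level: inherited by every container
    runAsNonRoot: true                  # kubelet refuses to start the container as UID 0
    runAsUser: 10001
    runAsGroup: 10001
    fsGroup: 10001                      # volumes become group-writable for this GID
    seccompProfile:
      type: RuntimeDefault              # container runtime's default syscall filter
  containers:
    - name: app
      image: registry.example.com/payments/api@sha256:0000000000000000000000000000000000000000000000000000000000000000  # placeholder digest; pin by digest, not tag
      securityContext:                  # container level
        allowPrivilegeEscalation: false # no setuid/setcap escalation inside the container
        readOnlyRootFilesystem: true    # a compromised process cannot alter binaries or drop tools
        capabilities:
          drop: ["ALL"]                 # add back individual capabilities only with a proven need
      ports:
        - containerPort: 8080
      volumeMounts:
        - name: tmp
          mountPath: /tmp               # the only writable path
      resources:
        limits:
          cpu: "500m"
          memory: "256Mi"               # bounds the blast radius of a fork bomb or memory leak
  volumes:
    - name: tmp
      emptyDir: {}
```

If the container exits immediately with a permission error after applying this, the image expects to write somewhere other than /tmp or to bind a port below 1024; fix the image (or add a targeted emptyDir) rather than removing `readOnlyRootFilesystem` or re-adding capabilities.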
Use Kubernetes Secrets
kubectl create secret generic <name> --from-file=<path-to-file>
Caveat: a Secret is base64-encoded, not encrypted. Unless encryption at rest is configured on kube-apiserver it is stored in etcd in the clear, and anyone with `get` or `list` on secrets in the namespace (including a service account with an over-broad binding) can read it, so keep RBAC on secrets tight and prefer exposing a secret to a pod as a volume rather than an environment variable, since environment variables are inherited by child processes and tend to end up in crash dumps and debug output.
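The kube-apiserver configuration that makes Secrets encrypted in etcd, as an added example that is not part of the original page. The file path, key name and key value are placeholders; the key must be 32 random bytes, base64-encoded (for example from `head -c 32 /dev/urandom | base64`), and must never be committed alongside the manifests.

```yaml
# Added example (not from the original page): encryption-at-rest config for Secrets.
# Loaded by kube-apiserver with --encryption-provider-config=/etc/kubernetes/enc/enc.yaml
# (path is a placeholder) and mounted into the static pod from the control-plane node.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets                          # add configmaps here if they hold sensitive data
    providers:
      # First provider is used for writes; all listed providers are tried for reads.
      - secretbox:                       # XSalsa20-Poly1305, authenticated; prefer a kms provider
          keys:                          # where an external KMS is available
            - name: key1
              secret: REPLACE_WITH_BASE64_32_BYTE_KEY   # placeholder, generate a real key
      - identity: {}                     # plaintext fallback so existing unencrypted secrets still read
```

Enabling the config only affects writes that happen afterwards, so rewrite every existing Secret once: `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`. Verify on a control-plane node by reading one entry directly from etcd with `etcdctl get /registry/secrets/<namespace>/<name>`; the stored value must start with the prefix `k8s:enc:secretbox:v1:key1:` rather than the readable JSON. To rotate, add the new key above the old one, restart the API servers, rewrite the secrets again, then remove the old key.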
Enable Container Runtime Protection
kubectl apply -f falco.yaml
Falco runs as a DaemonSet on every node (the project ships a Helm chart and manifests, which is what falco.yaml stands for here) and needs its kernel module or eBPF probe loaded on the host. Installing it is the easy part; its value comes from the rules it loads, so review the default rule set, add rules for behaviour that is abnormal for your workloads, and route alerts to a SIEM or responder instead of leaving them in the pod logs where nobody reads them.
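A custom Falco rule for a signal every cluster should alert on, as an added example that is not part of the original page or of Falco's own rule set: an interactive shell started inside a container, which is what `kubectl exec` and most post-exploitation footholds look like. Field names are Falco's; the rule file goes into /etc/falco/rules.d/ (or the Helm chart's `customRules` value), and the exempted image repository is a placeholder.

```yaml
# Added example (not from the original page): Falco rules file, loaded from /etc/falco/rules.d/.
- rule: Shell spawned in container
  desc: An interactive shell started inside a container (kubectl exec, or an attacker's foothold)
  condition: >
    evt.type = execve and evt.dir = < and
    container.id != host and
    proc.name in (sh, bash, dash, zsh, ash) and
    not container.image.repository in (registry.example.com/ops/debug)
  output: >
    Shell in container (user=%user.name command=%proc.cmdline
    container=%container.name image=%container.image.repository
    pod=%k8s.pod.name ns=%k8s.ns.name parent=%proc.pname)
  priority: WARNING
  tags: [container, shell, mitre_execution]
```

The `evt.dir = <` clause matches the exit of the execve call, so the rule fires once per shell rather than once per attempt, and `container.id != host` keeps shells on the node itself out of scope. Tune by adding expected parents (for example a known init script) to the exception rather than by lowering the priority; if this rule never fires in a cluster where people run `kubectl exec`, Falco is not seeing syscalls and the driver is not loaded.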
Enable Admission Controllers
Update --enable-admission-plugins on kube-apiserver.
On kubeadm clusters the flag is in the static pod manifest /etc/kubernetes/manifests/kube-apiserver.yaml, not a ConfigMap; the kubelet restarts the API server when that file changes. Values given to --enable-admission-plugins are added to the default set, so list the hardening plugins that are not on by default: NodeRestriction (a kubelet may only modify its own Node object and the Pods bound to it), PodSecurity (the built-in replacement for PSP; already enabled by default on recent releases, listing it is harmless), and, where image provenance or custom policy is enforced, ImagePolicyWebhook or a policy engine behind ValidatingAdmissionWebhook. Cluster-wide defaults for PodSecurity are supplied through --admission-control-config-file.
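The admission configuration file that gives the PodSecurity plugin cluster-wide defaults, as an added example that is not part of the original page. It makes every namespace without its own `pod-security.kubernetes.io/*` labels enforce `baseline` while warning and auditing at `restricted`, so a newly created namespace is never unrestricted by accident. The file path in the comment and the exempted namespace are placeholders.

```yaml
# Added example (not from the original page). Loaded by kube-apiserver with
#   --enable-admission-plugins=NodeRestriction,PodSecurity
#   --admission-control-config-file=/etc/kubernetes/admission/config.yaml   (placeholder path)
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
  - name: PodSecurity
    configuration:
      apiVersion: pod-security.admission.config.k8s.io/v1
      kind: PodSecurityConfiguration
      defaults:                    # used for namespaces that carry no pod-security labels
        enforce: baseline          # blocks privileged containers, hostPID/hostNetwork, hostPath, etc.
        enforce-version: latest
        audit: restricted          # stricter profile recorded in the audit log...
        audit-version: latest
        warn: restricted           # ...and surfaced to kubectl users, without blocking yet
        warn-version: latest
      exemptions:
        usernames: []              # keep empty: an exempt user can create any pod anywhere
        runtimeClasses: []
        namespaces: ["kube-system"]   # system DaemonSets legitimately need privileged pods
```

Namespace labels override these defaults, so a team can still raise its own namespace to `restricted`, but the only way below `baseline` is through the exemption list, which is why `usernames` stays empty and the namespace list stays short. After restarting kube-apiserver, confirm the defaults are live by creating a privileged pod in a fresh, unlabeled namespace and checking that it is rejected.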