-
Keep the cloud provider platform secure
- Least privilege
- Secure traffic into cluster
-
Run security tests in development environments
- Mirror environments
-
Cluster authentication & authorization
- Leverage OIDC for k8s authentication
- RBAC - define roles
-
In-cluster network security / micro-segmentation
- Prevent namespace-to-namespace communication
- Network policy
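As an added example (not part of the original notes), the two NetworkPolicy objects below implement the namespace isolation listed above: a default-deny for every pod in the namespace, followed by an allow rule for traffic that originates inside the same namespace plus cluster DNS. The namespace name `payments` is a constructed placeholder, and the `k8s-app: kube-dns` label on the CoreDNS pods in `kube-system` is the upstream default and is assumed to hold on the target cluster.

```yaml
# Added example: isolate the "payments" namespace (placeholder name).
# NetworkPolicy is only enforced when the cluster's CNI plugin supports it;
# on a CNI without policy support these objects are accepted but have no effect.
#
# 1. Default-deny. An empty podSelector selects every pod in the namespace, and
#    listing both policy types with no rules denies all ingress and all egress.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# 2. Re-allow only what the namespace needs: pod-to-pod traffic inside the same
#    namespace, and egress to cluster DNS (otherwise service lookups fail once
#    egress is default-denied). Traffic from any other namespace stays blocked.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
  namespace: payments
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - podSelector: {}        # any pod in this policy's own namespace
  egress:
    - to:
        - podSelector: {}        # any pod in this policy's own namespace
    - to:
        # namespaceSelector AND podSelector in one element: only the DNS pods
        # in kube-system, identified by the automatic namespace name label.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

Apply with `kubectl apply -f <file>` and verify with a test pod in a second namespace that cross-namespace connections time out while same-namespace connections succeed.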
-
Policy & Governance
-
k8s admission controllers
- Read only
- Non-privileged ports
-
Runtime security & monitoring
- Identify security privileges that are not needed
- Track anomalies
- Falco & Twistlock
-
Application secret management
- Encrypt
- Vault
- Sealed secrets
- SOPS
-
Data protection & CVE remediation
- Approved API versions
- Review release notes
- Restrict ingress/egress
- Allow approved docker images
-
Auditing
- Define policies
- Trigger alerts
- Store audit logs
-
Container security
- Vulnerability scanning in pipeline
- mTLS; adhere to k8s pod security standards