  • Keep the cloud provider platform secure

    • Least privilege
    • Secure traffic into cluster
  • Run security tests in development environments

    • Mirror environments
  • Cluster authentication & authorization

    • Leverage OIDC for k8s authentication
    • RBAC - define roles
  • In cluster network/security/micro segmentation

    • Prevent namespace-to-namespace communication
    • Network policy
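The "Prevent namespace-to-namespace communication" item above, as an added example (not part of the original outline): a default-deny ingress NetworkPolicy for one namespace, plus a policy that admits traffic only from pods in that same namespace. The namespace name `team-a` is an assumption; NetworkPolicies are additive, so the second policy opens exactly the intra-namespace path the first one closed.

```yaml
# Added example (not from the original outline).
# Namespace "team-a" is assumed; apply the pair to every namespace you want isolated.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: team-a
spec:
  podSelector: {}          # empty selector = every pod in the namespace
  policyTypes:
  - Ingress                # Ingress listed with no rules => all inbound traffic denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
  namespace: team-a
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector: {}      # podSelector without namespaceSelector matches only pods in team-a
```

Enforcement depends on the cluster's CNI plugin implementing NetworkPolicy; on a CNI that does not, both objects are accepted by the API server but have no effect, which is worth verifying with a test pod from another namespace.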

Policy & Governance

  • k8s admission controllers

    • Read only
    • Non-privileged ports
  • Runtime security & monitoring

    • Identify privileges that are not needed
    • Track anomalies
    • Falco & Twistlock
  • Application secret management

    • Encrypt
    • Vault
    • Sealed secrets
    • SOPS
  • Data protection & CVE remediation

    • Approved API versions
    • Review release notes
    • Restrict ingress/egress
    • Allow approved docker images
  • Auditing

    • Define policies
    • Trigger alerts
    • Store audit logs
  • Container security

    • Vulnerability scanning in pipeline
    • mTLS - adhere to k8s pod security standards