Top X lists of misconfigurations and vulnerabilities relating to Kubernetes, as well as an aggregation of more in-depth resources, blogs, etc. from around the Internet. Warning: this document is alive and is subject to change.
- @jpetazzo, @jessfraz, @raesene, @jbeda, @tallclair, @anapsix, @bradgeesaman
- kubesec.io
- Maya Kaczorowski - googleNext18 security journey slide
- Top 9 Kubernetes Settings You Should Check To Optimize Security
- CIS Center For Internet Security
- Hardening Linux Containers - NCC Group Whitepaper
- Stay up to date with upstream Kubernetes, try not to fall more than 3 months behind.
- Exposed Dashboard
- Disable it
- On Securing the Kubernetes Dashboard - Joe Beda
- CAdvisor: insecure port
- Misconfigured RBAC (vague, build out examples and links)
- Allowing anonymous access (`--anonymous-auth`)
- Unauthenticated kubelet: allows compromising the cluster via service token access
- Unauthenticated etcd
- Mounting the Docker socket into a pod, e.g. Docker in Docker
- Your Pod is too strong
- Lock down your `PodSecurityPolicy` (@tallclair)
- AppArmor to lock down capabilities.
- Pods with containers running applications as "root"
- Unencrypted etcd at rest
- Not protecting the instance metadata in cloud providers like AWS and GCP
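As an added example that is not part of this list, a small Python checker that flags the pod-level items above (Docker socket mounted via hostPath, privileged containers, containers running as root) in a Pod manifest, the same things a restrictive `PodSecurityPolicy` would reject at admission. The manifests in it are constructed sample input, not taken from any real cluster.

```python
"""Audit Pod manifests for the pod-level misconfigurations listed above."""
from typing import Dict, List

DOCKER_SOCKET = "/var/run/docker.sock"


def audit_pod(pod: Dict) -> List[str]:
    """Return a list of findings for one Pod manifest (empty list means clean)."""
    findings = []
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")

    # Docker socket mounted via hostPath: whoever controls the pod controls the
    # node's Docker daemon, which runs as root on the node.
    for vol in spec.get("volumes", []):
        host_path = (vol.get("hostPath") or {}).get("path")
        if host_path and host_path.rstrip("/") == DOCKER_SOCKET:
            findings.append(f"{name}: volume {vol['name']!r} mounts the Docker socket")

    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{name}/{c['name']}: privileged container")
        # Container-level securityContext overrides the pod-level one.
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if run_as_user == 0:
            findings.append(f"{name}/{c['name']}: runs as UID 0")
        elif run_as_user is None and not run_as_non_root:
            # No UID pinned and runAsNonRoot unset: the image's USER decides,
            # which is frequently root, so flag it for review.
            findings.append(f"{name}/{c['name']}: no runAsUser and runAsNonRoot not set")
    return findings


# Constructed sample manifests: one Docker-in-Docker style pod, one hardened pod.
BAD_POD = {
    "metadata": {"name": "dind"},
    "spec": {
        "volumes": [{"name": "dsock", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{"name": "build", "image": "docker:stable",
                        "securityContext": {"privileged": True, "runAsUser": 0}}],
    },
}
GOOD_POD = {
    "metadata": {"name": "web"},
    "spec": {"securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
             "containers": [{"name": "app", "image": "example/app:1.0"}]},
}

if __name__ == "__main__":
    for pod in (BAD_POD, GOOD_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or "OK")
```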