Kubernetes Infrastructure Security Practices
-
Update your Kubernetes to the most recent version. Because solely the last 3 versions of Kubernetes are supported, as well as security patches for recently disclosed vulnerabilities. So, if a high-severity vulnerability is discovered in Kubernetes and you’re four versions behind, your version won’t receive the patch.
-
Firmly set up the Kubernetes API server. That is, ensure you disabled the unauthenticated/anonymous access and using TLS encoding for connections between the kubelets and also the API server.
-
etcd could be a key-value store utilized by Kubernetes for data access. etcd is considered the is taken into account of truth for Kubernetes, and you’ll be able to scan information from and write into it as required. ensure client connections are served solely over TLS.
-
As the main node agent running on every node, misconfiguring kubelet exposes you to backdoor access through the kubelet. ensure you are disabling the anonymous access to the kubelet by beginning the kubelet with the “–anonymous-auth=false” flag and leverage the NodeRestriction admission controller to limit what the kubelet will access.
Kubernetes includes more elements, together with the kube-scheduler, kube-controller-manager, the configuration files on the master node and work node, etc.