This is one of the standards and compliance guides you can use for k8s.

The other ones I'm aware of are

- CIS Benchmarks, there's coverage for Kubeadm, AKS, EKS, GKE, OpenShift and some others. This is a compliance guide focused on just k8s
- DISA STIG for Kubernetes, another compliance guide, they don't mention which distribution but it's kubeadm from looking at the paths mentioned.
- PCI Guidance for containers and container orchestration, this one is recent, it's a generic guidance targeted at container environments (docker, k8s etc) for PCI in-scope organizations but TBH it should work for most places (if that one's of interest, some more info https://raesene.github.io/)

Some more details on these: https://www.container-security.site/general_information/container_security_standards.html

Making security guidance for k8s is kind of tricky due to the number of distros and changes between versions (https://raesene.github.io/blog/2022/09/20/Assessing-Kubernetes-Clusters-for-PCI-Compliance/)
> Kubernetes, frequently abbreviated "K8s" because there are 8 letters between K and S

I'll be damned. I thought it was because the end kind of sounded like "8-es"
I find the fact that the Defense dept issues stuff like this almost more interesting than the content itself. Says a lot about what keeps them up at night
Is it possible to configure a Kubernetes cluster to run only _signed_ images? I.e., if someone has replaced a Docker image in the registry, it should not be accepted by the cluster.
For those who are implementing these security guidelines: how do you ensure they have been correctly implemented?

Do you have any kind of static check program that can check beforehand that you are going to deploy a hardened kubernetes cluster? Do you have a "live" checker that can verify the actual configuration of a running cluster? Does it run all the time or once in a while?
Also, if you have an automated way of verifying your configuration, which program do you use?

I only know about Chef's Inspec and the CIS profiles that are available online, but the experience wasn't extraordinary and I was wondering what is used in the wild?
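One "static check" of the kind asked about above is to read the kube-apiserver static pod manifest and test its command-line flags against the controls the hardening guides list. The block below is an added example (not code from the thread, from the guide, or from Inspec/kube-bench) of such a checker; it takes the manifest as an already-parsed dict (in practice yaml.safe_load on /etc/kubernetes/manifests/kube-apiserver.yaml on a kubeadm control plane), and the two manifests at the bottom are constructed samples, one hardened and one weak.

```python
"""Static checker for kube-apiserver flags, modelled on the kind of controls
the CIS Kubernetes Benchmark and the DISA STIG list for the API server."""


def parse_flags(command: list[str]) -> dict[str, str]:
    """Turn ['kube-apiserver', '--foo=bar', '--baz'] into {'foo': 'bar', 'baz': 'true'}."""
    flags = {}
    for arg in command:
        if arg.startswith("--"):
            key, sep, value = arg[2:].partition("=")
            flags[key] = value if sep else "true"
    return flags


def _csv(flags: dict, key: str, default: str = "") -> set[str]:
    return {v for v in flags.get(key, default).split(",") if v}


# (control name, predicate over the parsed flags). Defaults matter: for
# example kube-apiserver authorizes everything when --authorization-mode is absent.
CHECKS = [
    ("anonymous-auth is false",
     lambda f: f.get("anonymous-auth") == "false"),
    ("token-auth-file is not used",
     lambda f: "token-auth-file" not in f),
    ("authorization-mode does not include AlwaysAllow",
     lambda f: "AlwaysAllow" not in _csv(f, "authorization-mode", "AlwaysAllow")),
    ("authorization-mode includes Node and RBAC",
     lambda f: {"Node", "RBAC"} <= _csv(f, "authorization-mode")),
    ("NodeRestriction admission plugin enabled",
     lambda f: "NodeRestriction" in _csv(f, "enable-admission-plugins")),
    ("kubelet-certificate-authority is set",
     lambda f: bool(f.get("kubelet-certificate-authority"))),
    ("profiling is disabled",
     lambda f: f.get("profiling") == "false"),
    ("audit-log-path is set",
     lambda f: bool(f.get("audit-log-path"))),
    ("TLS cert and key are configured",
     lambda f: bool(f.get("tls-cert-file")) and bool(f.get("tls-private-key-file"))),
]


def run_checks(manifest: dict) -> dict[str, bool]:
    """Return {control name: passed} for the kube-apiserver container in a static pod manifest."""
    container = next(c for c in manifest["spec"]["containers"]
                     if c.get("name") == "kube-apiserver")
    flags = parse_flags(container["command"])
    return {name: bool(check(flags)) for name, check in CHECKS}


def failed_controls(manifest: dict) -> list[str]:
    return [name for name, ok in run_checks(manifest).items() if not ok]


def _manifest(*args: str) -> dict:
    return {"apiVersion": "v1", "kind": "Pod",
            "spec": {"containers": [{"name": "kube-apiserver",
                                     "command": ["kube-apiserver", *args]}]}}


# Constructed samples; paths are typical kubeadm locations, not taken from the thread.
HARDENED = _manifest(
    "--anonymous-auth=false",
    "--authorization-mode=Node,RBAC",
    "--enable-admission-plugins=NodeRestriction",
    "--kubelet-certificate-authority=/etc/kubernetes/pki/ca.crt",
    "--profiling=false",
    "--audit-log-path=/var/log/kubernetes/audit.log",
    "--tls-cert-file=/etc/kubernetes/pki/apiserver.crt",
    "--tls-private-key-file=/etc/kubernetes/pki/apiserver.key",
)
WEAK = _manifest(
    "--token-auth-file=/etc/kubernetes/tokens.csv",
    "--authorization-mode=AlwaysAllow",
    "--profiling",
    "--tls-cert-file=/etc/kubernetes/pki/apiserver.crt",
    "--tls-private-key-file=/etc/kubernetes/pki/apiserver.key",
)

if __name__ == "__main__":
    for label, m in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, "failed:", failed_controls(m) or "none")
```

The same predicates can be pointed at a running cluster by pulling the manifest from the control plane node instead of from source control, which is the difference between the "static" and "live" checker the question distinguishes.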
Another guide may be the CIS benchmark guide [1].

I can't attest to efficacy of this particular benchmark from defense.gov (we don't use k8s at $DAYJOB), but we've leveraged other benchmarks from CIS for various flavors of Windows/Linux.

[1] https://www.cisecurity.org/benchmark/kubernetes
Well done. From the control plane section:

> The Kubernetes API server runs on port 6443, which should be protected by a firewall to accept only expected traffic.

How are folks doing this in practice at scale? Managing ACLs for kubectl, admins, workflow systems, distributed worker nodes etc?
I didn't read this, but it's really tiresome to hear about having to "harden" systems in 2022. They should be "hard" by default. If you need to soften them to make them easier to work with internally, that should be what needs a checklist and instructions.