Kubernetes Security Checklist and Requirements - All in One (authentication, authorization, logging, secrets, configuration, network, workloads, dockerfile)
There are many ways to make a cluster secure; we have chosen only one of them, the most demanding one, and in places a controversial one. We do not guarantee that it will suit your infrastructure completely, but we hope this checklist helps you include the things you may have forgotten or left out.
Authentication:

- The only API server endpoints that should be reachable without authentication are the health endpoints `/healthz`, `/readyz` and `/livez`. Exceptions should be agreed upon with the security team.

Workloads:

- Every application must run as a non-root user: set the `runAsUser` parameter (a non-zero UID) for all applications.
- Privilege escalation must be disabled: `allowPrivilegeEscalation: false`.
- Privileged containers (`privileged: true`) are forbidden.
- The container root filesystem must be read-only: `readOnlyRootFilesystem: true` (note the exact spelling of the field).
- Sharing host namespaces is forbidden: `hostPID`, `hostIPC` and `hostNetwork` must not be set.
- Unsafe sysctls are forbidden: `kernel.shm*`, `kernel.msg*`, `kernel.sem`, `fs.mqueue.*`.
- `hostPath` volumes are forbidden.
- The following Linux capabilities must not be granted to workload containers: `CAP_FSETID`, `CAP_SETUID`, `CAP_SETGID`, `CAP_SYS_CHROOT`, `CAP_SYS_PTRACE`, `CAP_CHOWN`, `CAP_NET_RAW`, `CAP_NET_ADMIN`, `CAP_SYS_ADMIN`, `CAP_NET_BIND_SERVICE`.
- Workloads must not run under the `default` service account; use a dedicated service account per application instead.
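The workload rules above can be checked mechanically before a manifest reaches the cluster. The script below is an added example, not code from the checklist or from any Kubernetes project: `audit_pod` walks a Pod manifest given as a plain dict (what you get after parsing `kubectl get pod <name> -o json`) and reports every rule it violates. Both sample pods, the function names and the message wording are this example's own.

```python
# Added example (not part of the original checklist): audit a Pod manifest
# against the workload rules above. Manifests are plain dicts, as produced by
# `kubectl get pod <name> -o json` once parsed; both sample pods are constructed.

FORBIDDEN_CAPS = {
    "FSETID", "SETUID", "SETGID", "SYS_CHROOT", "SYS_PTRACE",
    "CHOWN", "NET_RAW", "NET_ADMIN", "SYS_ADMIN", "NET_BIND_SERVICE",
}
FORBIDDEN_SYSCTL_PREFIXES = ("kernel.shm", "kernel.msg", "kernel.sem", "fs.mqueue.")


def _cap_name(cap):
    """Normalise 'CAP_NET_RAW' / 'net_raw' to 'NET_RAW' for comparison."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit_pod(pod):
    """Return a list of findings; an empty list means the pod passes the checklist."""
    findings = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})

    for flag in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(flag):
            findings.append(f"pod: {flag} is enabled")
    for sysctl in pod_sc.get("sysctls", []):
        if sysctl.get("name", "").startswith(FORBIDDEN_SYSCTL_PREFIXES):
            findings.append(f"pod: forbidden sysctl {sysctl['name']}")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"volume {vol.get('name')}: hostPath is used")
    if spec.get("serviceAccountName", "default") == "default":
        findings.append("pod: runs with the default service account")

    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name = c.get("name", "?")
        sc = c.get("securityContext", {})
        # A container-level value overrides the pod-level securityContext.
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if run_as_user is None or run_as_user == 0:
            findings.append(f"{name}: runAsUser is unset or 0")
        # Kubernetes treats a missing allowPrivilegeEscalation as true.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: readOnlyRootFilesystem is not true")
        for cap in sc.get("capabilities", {}).get("add", []):
            if _cap_name(cap) in FORBIDDEN_CAPS:
                findings.append(f"{name}: adds forbidden capability CAP_{_cap_name(cap)}")
    return findings


WEAK_POD = {  # constructed: violates most of the rules above
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "weak"},
    "spec": {
        "hostNetwork": True,
        "securityContext": {"sysctls": [{"name": "kernel.msgmax", "value": "65536"}]},
        "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
        "containers": [{
            "name": "app", "image": "example.invalid/app:latest",
            "securityContext": {"privileged": True, "capabilities": {"add": ["NET_RAW"]}},
        }],
    },
}
HARDENED_POD = {  # constructed: passes every check
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "hardened"},
    "spec": {
        "serviceAccountName": "app-sa",
        "securityContext": {"runAsUser": 10001, "runAsGroup": 10001},
        "volumes": [{"name": "tmp", "emptyDir": {}}],
        "containers": [{
            "name": "app", "image": "example.invalid/app:1.4.2",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
            "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
        }],
    },
}

if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or ["OK"])
```

The weak pod produces nine findings, the hardened one none. In practice the same function runs over `kubectl get pods -A -o json` output in CI or as the logic of an admission webhook; it deliberately treats an unset `allowPrivilegeEscalation` and an unset `runAsUser` as failures, because the Kubernetes defaults are the insecure ones.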
Dockerfile:

- Do not use the `RUN` construct with `sudo`.
- `COPY` is required instead of the `ADD` instruction.
- Do not run `apt-get upgrade`, `yum update` or `apt-get dist-upgrade` in the Dockerfile; rebuild from an updated base image instead.
- Do not leave `wget`, `curl` or `netcat` inside the production application image and container.
- Use `.dockerignore` to prevent putting sensitive information inside the image.
- Specify `WORKDIR` as an absolute path. It is not recommended to use `cd` instead of `WORKDIR`.
- Do not use `COPY . .`; copy only the files the image needs.
- Do not use the `latest` tag for base or application images; pin a specific version (or digest).
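The Dockerfile rules above are all visible in the text of a Dockerfile, so they can be linted in a pre-commit hook or CI job. The script below is an added example, not code from the checklist or from Docker: `lint_dockerfile` parses a Dockerfile (joining backslash continuations and skipping comments) and reports each rule it sees violated. The two sample Dockerfiles are constructed, the `has_dockerignore` flag stands in for a check that a `.dockerignore` file exists next to the Dockerfile, and the package-manager patterns are this example's own.

```python
# Added example (not part of the original checklist): a small linter that applies
# the Dockerfile rules above to a Dockerfile's text. The two sample Dockerfiles
# are constructed; the rule set and function names are this example's own.
import re

INSTALL_RE = re.compile(r"\b(apt-get|apt|apk|yum|dnf|microdnf)\s+(install|add)\b")
UPGRADE_RE = re.compile(
    r"\b(apt-get\s+(upgrade|dist-upgrade)|apt\s+(upgrade|full-upgrade)|yum\s+(update|upgrade))\b"
)
CD_RE = re.compile(r"(?:^|[;&|]\s*)cd\s")
NETWORK_TOOLS = {"wget", "curl", "netcat", "nc", "netcat-openbsd", "netcat-traditional"}


def parse_dockerfile(text):
    """Yield (line_no, INSTRUCTION, args). Backslash continuations are joined and
    comment/blank lines skipped, so line_no is the instruction's first line."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if start is None:
            start = no
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        inst, _, args = " ".join(buf).partition(" ")
        yield start, inst.upper(), args.strip()
        buf, start = [], None


def lint_dockerfile(text, has_dockerignore=True):
    """Return a list of findings; an empty list means the Dockerfile passes."""
    findings = []
    if not has_dockerignore:
        findings.append("no .dockerignore next to the Dockerfile")
    stages = set()  # names from `FROM x AS name`, which later FROMs may reference
    for no, inst, args in parse_dockerfile(text):
        if inst == "FROM":
            parts = [p for p in args.split() if not p.startswith("--")]
            image = parts[0]
            if len(parts) == 3 and parts[1].upper() == "AS":
                stages.add(parts[2])
            ref = image.rsplit("/", 1)[-1]  # drop registry/namespace before checking the tag
            untagged = "@" not in ref and (":" not in ref or ref.endswith(":latest"))
            if image not in stages and image != "scratch" and untagged:
                findings.append(f"line {no}: FROM {image} uses the latest tag or no tag")
        elif inst == "ADD":
            findings.append(f"line {no}: ADD used; COPY is required instead")
        elif inst == "COPY":
            srcs = [p for p in args.split() if not p.startswith("--")]
            if srcs and srcs[0] == ".":
                findings.append(f"line {no}: COPY . copies the whole build context")
        elif inst == "WORKDIR":
            if not args.startswith("/"):
                findings.append(f"line {no}: WORKDIR {args} is not an absolute path")
        elif inst == "RUN":
            if re.search(r"\bsudo\b", args):
                findings.append(f"line {no}: RUN uses sudo")
            if CD_RE.search(args):
                findings.append(f"line {no}: RUN uses cd; use WORKDIR instead")
            if UPGRADE_RE.search(args):
                findings.append(f"line {no}: RUN upgrades packages at build time")
            if INSTALL_RE.search(args):
                tools = sorted(set(re.findall(r"[\w.+-]+", args)) & NETWORK_TOOLS)
                if tools:
                    findings.append(f"line {no}: RUN installs network tools {', '.join(tools)}")
    return findings


BAD_DOCKERFILE = """\
FROM ubuntu
ADD app.tar.gz /app
RUN apt-get update && apt-get dist-upgrade -y && \\
    apt-get install -y curl netcat
RUN cd /app && sudo make install
WORKDIR app
COPY . .
"""  # constructed: breaks every rule above
GOOD_DOCKERFILE = """\
FROM python:3.12-slim
WORKDIR /app
COPY requirements.txt ./
RUN pip install --no-cache-dir -r requirements.txt
COPY src/ ./src/
USER 10001
CMD ["python", "-m", "app"]
"""  # constructed: passes every rule above

if __name__ == "__main__":
    for name, text in (("bad", BAD_DOCKERFILE), ("good", GOOD_DOCKERFILE)):
        print(name, lint_dockerfile(text, has_dockerignore=(name == "good")) or ["OK"])
```

The bad Dockerfile yields nine findings (including the missing `.dockerignore`), the good one none. The network-tool check only fires on package-manager install lines, so a multi-stage build that uses `curl` in a builder stage and copies just the artefact into the final image is not penalised; the `FROM` check skips stage names and `scratch`, and accepts a digest-pinned image as well as an explicit tag.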