Die Standardkonfiguration von Kubernetes ist nicht sicher. RBAC, Network Policies, Pod Security Standards — das Minimum für die Produktion.
RBAC¶
apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: app-reader rules: - apiGroups: [“”] resources: [“pods”, “services”] verbs: [“get”, “list”]
apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: app-reader-binding subjects: - kind: ServiceAccount name: app-sa roleRef: kind: Role name: app-reader
Pod Security¶
apiVersion: v1 kind: Pod spec: securityContext: runAsNonRoot: true seccompProfile: type: RuntimeDefault containers: - name: app securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true capabilities: drop: [“ALL”]
Network Policies¶
apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: deny-all spec: podSelector: {} policyTypes: [Ingress, Egress]
Wichtigste Erkenntnis¶
RBAC, Network Policies, Pod Security Standards, Secrets-Verschlüsselung. Audit mit kube-bench.