dependencies
◉ 37% of open source developers: no security testing in CI
◉ 54%: Docker images, no security testing
◉ Top 10 Docker images contain > 30 vulnerable system libraries
capability
Set User ID (SUID) is a type of permission that allows users to execute a file with the permissions of a specified user.
◉ No --privileged containers
◉ Drop all capabilities, then add back only the ones that are needed
◉ Enable user namespaces
◉ Set resource limits and ulimits
◉ Mount volumes: ro, noexec, nosuid, nodev
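The container-hardening checklist above, turned into an audit over a Kubernetes Pod spec (added example, not code from the slides): it flags privileged containers, missing `drop: [ALL]`, missing resource limits and writable volume mounts. The two Pod specs are constructed samples; the Docker-side mount flags (noexec, nosuid, nodev) have no field in the Pod spec and are not checked here.

```python
# Added example (not from the slides): audit a Kubernetes Pod spec against the
# container-hardening checklist above. The Pod specs are constructed samples.

def audit_container(c):
    """Return findings for one entry of PodSpec.containers[] (a plain dict)."""
    findings = []
    sc = c.get("securityContext", {})
    if sc.get("privileged"):
        findings.append("privileged container")
    if "ALL" not in sc.get("capabilities", {}).get("drop", []):
        findings.append("capabilities not dropped (expected drop: [ALL])")
    if not c.get("resources", {}).get("limits"):
        findings.append("no resource limits")
    for m in c.get("volumeMounts", []):
        if not m.get("readOnly"):
            findings.append(f"volume mount {m['name']!r} is writable")
    return findings


def audit_pod(pod):
    """Map container name -> findings; an empty dict means the Pod passes."""
    results = {}
    for c in pod["spec"]["containers"]:
        findings = audit_container(c)
        if findings:
            results[c["name"]] = findings
    return results


# Constructed weak spec: privileged, keeps all capabilities, no limits, rw mount.
WEAK_POD = {"spec": {"containers": [{
    "name": "app", "image": "example/app:1.0",
    "securityContext": {"privileged": True},
    "volumeMounts": [{"name": "data", "mountPath": "/data"}],
}]}}

# Constructed hardened spec: not privileged, drop ALL then add only what is
# needed, resource limits set, volume mounted read-only.
HARDENED_POD = {"spec": {"containers": [{
    "name": "app", "image": "example/app:1.0",
    "securityContext": {"privileged": False,
                        "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}},
    "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
    "volumeMounts": [{"name": "data", "mountPath": "/data", "readOnly": True}],
}]}}

if __name__ == "__main__":
    print(audit_pod(WEAK_POD))       # four findings for container 'app'
    print(audit_pod(HARDENED_POD))   # {}
```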
◉ TLS Everywhere - for all API traffic
◉ Certificate rotation (1.8)
◉ Separate and Firewall etcd - Restrict access
◉ Authorization: RBAC with Least Privilege
◉ Enable audit logging
◉ Upgrade cluster
◉ Encrypting Secret Data at Rest (1.13): encrypted in etcd. AES-CBC, AES-GCM, KMS.
◉ Aqua - kube-bench: checks whether Kubernetes is deployed according to security best practices
◉ Aqua - kube-hunter: hunts for security weaknesses in Kubernetes clusters
◉ K8Guard - An auditing system for Kubernetes
◉ Anchore: kubernetes-admission-controller
on Kubernetes audit logs.
◉ FairwindsOps / Rbac-manager: A Kubernetes operator for Role Bindings and Service Accounts.
◉ Jtblin / kube2iam: provides different AWS IAM roles for pods running on Kubernetes.