Good question. How long have we got? [laughter] So I did a webinar with a colleague, I guess maybe a month or so ago now, about exactly this question. So, I guess very briefly, there’s… I’ve been talking about kube-bench and these settings and things like have you set up authentication between your nodes, so they’ve got a use certificate? And are you allowing privileged containers or not? That kind of thing that you configure as you’re installing or running the Kubernetes executables themselves. But it’s broader than that, in that you want to be vetting the images that you run on your cluster, vetting them for vulnerabilities… A lot of organizations have policies around how severe the vulnerabilities are that they are allowed to run, or blacklisting or whitelisting, all that kind of thing. And because these days everybody is deploying code really fast, they’ve got CI/CD, so you want to automate all these checks to make sure that your CD system isn’t deploying something live that contains some terrible well-meant vulnerability.

Secrets management is another important aspect, and Kubernetes fairly recently – I am going to say it was in 1.7, I think – started encrypting secrets. But before that, secrets were by default being passed around in the clear, which was pretty scary. And if you really want to take your security seriously, you might want to be looking at runtime profiling, like we were talking about before, using things like seccomp or AppArmor, maybe using SELinux… There are so many different things you can do to make your cluster more secure.
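An added example, not from the episode, the speaker or kube-bench: a small Python CI/CD gate that automates several of the checks described above before a Pod manifest is deployed. It rejects privileged containers, containers without a seccomp profile, images that are not from an allowed registry or are on a deny list, images whose scan results contain findings above a severity threshold, and secrets passed as plain environment-variable literals instead of Secret references. The registry names, deny list, severity threshold, scan results and the two sample manifests are all constructed for the example; the scan-result format is an assumption, not the output of any particular scanner.

```python
"""CI/CD policy gate for Kubernetes Pod manifests (constructed example).

Inputs are dicts, i.e. a manifest already parsed from YAML/JSON, and a
mapping of image reference -> list of vulnerability findings, which is an
assumed format rather than any real scanner's output.
"""
import re

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
# env var names that suggest the value is a credential
SECRET_NAME_RE = re.compile(r"(PASSWORD|SECRET|TOKEN|_KEY)", re.IGNORECASE)

POLICY = {  # hypothetical organisational policy
    "allowed_registries": ["registry.example.internal/"],
    "max_severity": "MEDIUM",  # HIGH and CRITICAL findings block the deploy
    "denied_images": ["registry.example.internal/legacy/unmaintained-base"],
}


def image_ref_without_tag(image):
    """Strip ':tag' or '@sha256:...' so deny-list entries match by repository."""
    repo = image.split("@", 1)[0]
    # a colon after the last slash is a tag separator, not a registry port
    if repo.rfind(":") > repo.rfind("/"):
        repo = repo[: repo.rfind(":")]
    return repo


def check_pod(pod, scan_results, policy=POLICY):
    """Return the list of policy violations for one Pod (empty list == pass)."""
    violations = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    if spec.get("hostPID") or spec.get("hostNetwork") or spec.get("hostIPC"):
        violations.append("pod shares a host namespace (hostPID/hostNetwork/hostIPC)")
    limit = SEVERITY_RANK[policy["max_severity"]]

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            violations.append(f"{name}: privileged container")
        # require an explicit 'false'; absent is treated as not hardened
        if sc.get("allowPrivilegeEscalation", True):
            violations.append(f"{name}: allowPrivilegeEscalation is not false")
        # a container-level seccomp profile overrides the pod-level one
        seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile")
        if not seccomp or seccomp.get("type") == "Unconfined":
            violations.append(f"{name}: no seccomp profile (or Unconfined)")

        image = c.get("image", "")
        if not any(image.startswith(r) for r in policy["allowed_registries"]):
            violations.append(f"{name}: image {image} is not from an allowed registry")
        if image_ref_without_tag(image) in policy["denied_images"]:
            violations.append(f"{name}: image {image} is on the deny list")
        findings = scan_results.get(image)
        if findings is None:
            violations.append(f"{name}: image {image} has no vulnerability scan result")
        else:
            too_severe = [f for f in findings
                          if SEVERITY_RANK.get(f["severity"], 0) > limit]
            if too_severe:
                ids = ", ".join(f["id"] for f in too_severe)
                violations.append(f"{name}: image {image} has findings above "
                                  f"{policy['max_severity']}: {ids}")

        # secrets must come via valueFrom (secretKeyRef), not a literal value
        for env in c.get("env", []):
            if SECRET_NAME_RE.search(env.get("name", "")) and "value" in env:
                violations.append(f"{name}: env {env['name']} holds a secret as a literal")
    return violations


# Constructed sample manifests and scan results.
BAD_POD = {"spec": {"hostPID": True, "containers": [{
    "name": "web", "image": "docker.io/library/nginx:latest",
    "securityContext": {"privileged": True},
    "env": [{"name": "DB_PASSWORD", "value": "hunter2"}]}]}}

GOOD_POD = {"spec": {
    "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{
        "name": "api", "image": "registry.example.internal/app/api:1.4.2",
        "securityContext": {"privileged": False, "allowPrivilegeEscalation": False},
        "env": [{"name": "DB_PASSWORD", "valueFrom": {
            "secretKeyRef": {"name": "db-creds", "key": "password"}}}]}]}}

SCAN_RESULTS = {  # constructed; ids are placeholders, not real CVEs
    "docker.io/library/nginx:latest": [{"id": "FINDING-0001", "severity": "HIGH"}],
    "registry.example.internal/app/api:1.4.2": [{"id": "FINDING-0002", "severity": "LOW"}],
}

if __name__ == "__main__":
    for label, pod in (("bad", BAD_POD), ("good", GOOD_POD)):
        problems = check_pod(pod, SCAN_RESULTS)
        print(f"{label}: {'PASS' if not problems else 'FAIL'}")
        for p in problems:
            print("  -", p)
```

Run as a step in the pipeline, a non-empty violation list would fail the job; the same function could sit behind a validating admission webhook so the check also holds for manifests that bypass CI.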