Running Kubernetes

Cluster

  • Use an identity provider (IdP) for authorization of cluster users
  • Use dedicated service accounts for workloads
  • Configure RBAC for both users and workloads

Nodes

  • Harden nodes against the CIS and NIST benchmarks for node security
  • Run kube-bench against the cluster to check it against the CIS Kubernetes Benchmark

Network

  • Every namespace should carry a NetworkPolicy (start from default-deny and allow only the traffic a workload needs)
  • DO NOT EXPOSE your cluster to the Internet
  • Differentiate between public and private workloads
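A practitioner's check for the first Network item, added here as an example (not part of the original checklist): it consumes the JSON shape returned by `kubectl get ns -o json` and `kubectl get networkpolicy -A -o json` (constructed sample below), and reports namespaces with no NetworkPolicy at all and namespaces whose policies never establish a default-deny ingress baseline. The namespace and policy names in the sample are made up.

```python
"""Audit NetworkPolicy coverage from kubectl JSON output (sample data is constructed)."""
import json


def is_default_deny_ingress(policy: dict) -> bool:
    """True when the policy blocks all ingress to every pod in its namespace.

    An empty podSelector ({}) matches every pod; Ingress is implied in
    policyTypes when the field is omitted; no ingress rules means nothing is allowed.
    """
    spec = policy.get("spec", {})
    selects_all_pods = spec.get("podSelector", {}) == {}
    policy_types = spec.get("policyTypes", ["Ingress"])
    return selects_all_pods and "Ingress" in policy_types and not spec.get("ingress")


def audit(namespaces: dict, policies: dict):
    """Return (namespaces with no policy, namespaces with policies but no default-deny ingress)."""
    by_ns: dict = {}
    for pol in policies["items"]:
        by_ns.setdefault(pol["metadata"]["namespace"], []).append(pol)
    uncovered, no_default_deny = [], []
    for ns in namespaces["items"]:
        name = ns["metadata"]["name"]
        pols = by_ns.get(name, [])
        if not pols:
            uncovered.append(name)
        elif not any(is_default_deny_ingress(p) for p in pols):
            no_default_deny.append(name)
    return sorted(uncovered), sorted(no_default_deny)


# Constructed sample shaped like `kubectl get ns -o json` / `kubectl get networkpolicy -A -o json`.
NAMESPACES = json.loads(
    '{"items": [{"metadata": {"name": "payments"}}, {"metadata": {"name": "web"}},'
    ' {"metadata": {"name": "sandbox"}}]}'
)
POLICIES = json.loads("""{"items": [
  {"metadata": {"name": "default-deny-ingress", "namespace": "payments"},
   "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
  {"metadata": {"name": "allow-frontend", "namespace": "web"},
   "spec": {"podSelector": {"matchLabels": {"app": "frontend"}}, "policyTypes": ["Ingress"],
            "ingress": [{"from": [{"namespaceSelector": {}}], "ports": [{"port": 80}]}]}}
]}""")

if __name__ == "__main__":
    uncovered, partial = audit(NAMESPACES, POLICIES)
    print("no NetworkPolicy at all:", uncovered)   # ['sandbox']
    print("no default-deny ingress:", partial)     # ['web']
```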

Secrets

  • Secrets should be stored in third-party secret storage
    • HashiCorp Vault
    • CyberArk Conjur
    • or, if they stay in etcd, only with encryption at rest enabled
  • Secrets should be supplied to the container as a mounted volume (volumeMount) or as an environment variable via secretKeyRef.