kubernetes.io/docs/concepts/security
Two types of accounts:
- Users (admins, developers): not stored as Kubernetes objects; every request is authenticated by the kube-apiserver
  - Authentication mechanisms:
    - static password files: kube-apiserver `--basic-auth-file` start argument (CSV file); removed in Kubernetes 1.19
    - static token files: kube-apiserver `--token-auth-file` start argument (CSV file: token,user,uid,"group1,group2")
    - certificates: client certificates signed by the CA given in `--client-ca-file`; the CN becomes the username, each O becomes a group
    - identity services (external identity providers such as LDAP or an OIDC provider)
- Service Accounts: Kubernetes objects used by processes running in pods, authenticated with a signed service account token
See:

```bash
# view a certificate
openssl x509 -in <certificate path> -text -noout
# for example, to view the Common Name (CN) configured on the kube-apiserver certificate
openssl x509 -in /etc/kubernetes/pki/apiserver.crt -text -noout
```

Certificate folders: /etc/kubernetes/pki (control plane), /var/lib/kubelet/pki (worker node)
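The two user-authentication mechanisms listed above, reproduced locally so the identity the kube-apiserver would derive from each can be inspected with the same `openssl x509` command. This is an added example, not code from the page or from the Kubernetes project: the token file contents, the user `dev-user`, the group `developers` and all paths are constructed here, and only `openssl` is required.

```bash
#!/usr/bin/env bash
# Added example: static token file lookup and a client certificate whose subject
# encodes the username (CN) and group (O), signed by a locally generated CA.
# All names, paths and the token value below are constructed for this example.
set -eu

WORK="$(mktemp -d)"

# 1. Static token file: the CSV format read by kube-apiserver --token-auth-file.
#    Columns: token,user,uid,"group1,group2"  (the quoted groups column is optional)
cat > "$WORK/tokens.csv" <<'EOF'
9a4b2c7d1e3f5a6b8c0d2e4f6a8b0c1d,dev-user,1001,"developers,system:authenticated"
7e6d5c4b3a2918f0e1d2c3b4a5968778,ci-bot,1002
EOF

# Username a bearer token maps to (empty output = token unknown, request is anonymous
# or rejected). Same rule the apiserver applies: exact match on the first column.
token_file_user() {           # token_file_user <csv> <token>
    awk -F, -v t="$2" '$1 == t { print $2 }' "$1"
}

# 2. Client certificate: CN is taken as the username, every O as a group.
#    The apiserver only accepts it if it chains to the CA in --client-ca-file.
make_client_cert() {          # make_client_cert <dir> <username> <group>
    dir="$1"; user="$2"; group="$3"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=kubernetes-ca" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=$user/O=$group" -keyout "$dir/$user.key" -out "$dir/$user.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/$user.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/$user.crt" 2>/dev/null
}

# CN of a certificate: what the apiserver uses as the username.
cert_cn() {                   # cert_cn <cert.pem>
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline | sed -n 's/^ *CN=//p'
}

# O= values of a certificate, one per line: the groups the apiserver assigns.
cert_groups() {               # cert_groups <cert.pem>
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline | sed -n 's/^ *O=//p'
}

# Chain check equivalent to the apiserver's client-CA validation (exit 0 = accepted).
cert_signed_by() {            # cert_signed_by <ca.crt> <cert.pem>
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_client_cert "$WORK" dev-user developers
echo "token 9a4b... -> user: $(token_file_user "$WORK/tokens.csv" 9a4b2c7d1e3f5a6b8c0d2e4f6a8b0c1d)"
echo "cert CN (username): $(cert_cn "$WORK/dev-user.crt")"
echo "cert O  (groups):   $(cert_groups "$WORK/dev-user.crt" | tr '\n' ' ')"
cert_signed_by "$WORK/ca.crt" "$WORK/dev-user.crt"
echo "chain OK: a kube-apiserver trusting $WORK/ca.crt would accept this client certificate"
```

In a kubeadm cluster the trusted client CA is /etc/kubernetes/pki/ca.crt, so a certificate like the one above has to be signed by that key (or through a CertificateSigningRequest) before the apiserver accepts it. The static token file is plaintext on the control-plane node and can only be changed by restarting the apiserver, which is why it is suited to lab clusters only.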
```bash
# check whether a user may perform an action by impersonating them
# (k is a common alias for kubectl; a "Forbidden" error means RBAC denies the request)
k get pods --as dev-user
```

| Abbreviation | Meaning | Links |
|---|---|---|
| CIS | Center for Internet Security | CIS Kubernetes Benchmarks |
| CVE | Common Vulnerabilities and Exposures | cve.org |
| DLP | Data Loss Prevention | What is DLP? (example of data a DLP tool looks for: Social Security Number (SSN)) |
| DPI | Deep Packet Inspection | What is DPI? |
| eBPF | extended Berkeley Packet Filter | ebpf.io, eBPF: Put the Kubernetes Data Plane in the Kernel |
| FIPS | Federal Information Processing Standard | - |
| FISMA | Federal Information Security Management Act | - |
| IAM | Identity and Access Management | - |
| IDS | Intrusion Detection System | - |
| IPS | Intrusion Prevention System | - |
| OWASP | Open Web Application Security Project (renamed Open Worldwide Application Security Project in 2023) | owasp.org |
| OSI | Open Systems Interconnection | OSI Model Explained |
| SIEM | Security Information and Event Management | - |
| WAF | Web Application Firewall | What is a WAF? |
Principles
- Least privilege
- Zero-Trust
3 stages every request to the kube-apiserver passes through
- Authentication: who is making the request (certificate, static token, service account token, identity provider)
- Authorization: is that identity allowed to perform the verb on the resource (RBAC, Node, Webhook or ABAC authorizer)
- Admission control: mutating, then validating admission plugins inspect the object before it is persisted
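The authorization stage, worked through for the `kubectl get pods --as dev-user` check above: the Role and RoleBinding that make the impersonated request succeed, and the `kubectl auth can-i` checks that prove the grant is no wider than intended. This is an added example, not code from the page or the Kubernetes project; the namespace `dev`, the user `dev-user` and the group `developers` are constructed names, and the kubectl commands need a reachable cluster (without one the block only prints the manifest).

```bash
#!/usr/bin/env bash
# Added example: least-privilege RBAC for a single user and the checks to run on it.
# Namespace "dev" and user "dev-user" are constructed; the user name must equal the
# certificate CN or the token file's user column for the binding to match.
set -eu

rbac_manifest() {             # prints a Role + RoleBinding scoped to one namespace
cat <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: dev
rules:
- apiGroups: [""]                       # "" is the core API group (pods live there)
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]       # no create/delete/exec: read-only on purpose
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-user-pod-reader
  namespace: dev
subjects:
- kind: User
  name: dev-user                        # username as authenticated (cert CN / token file user)
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role                            # a namespaced Role, not a ClusterRole
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Number of objects the manifest defines; a sanity check that needs no cluster.
rbac_manifest_count() {
    rbac_manifest | grep -c '^kind: '
}

# Live checks. "kubectl auth can-i" prints yes/no and exits 0/1; impersonation (--as)
# requires the caller to hold the "impersonate" verb, which cluster-admin does.
verify_rbac() {
    rbac_manifest | kubectl apply -f -
    kubectl auth can-i get pods    --as dev-user -n dev              # expected: yes
    kubectl auth can-i delete pods --as dev-user -n dev     || true  # expected: no
    kubectl auth can-i get pods    --as dev-user -n default || true  # expected: no (Role is namespaced)
    kubectl auth can-i --list      --as dev-user -n dev              # everything dev-user may do in dev
}

if command -v kubectl >/dev/null 2>&1 && kubectl cluster-info >/dev/null 2>&1; then
    verify_rbac
else
    rbac_manifest
fi
```

`kubectl auth can-i --list --as <user>` is the quickest way to audit what a binding really grants; compare its output against what the user needs and tighten the Role until the two match.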
Network traffic
- North-South: traffic entering or leaving the cluster (ingress/egress through load balancers, Ingress controllers, NodePorts)
- East-West: traffic between pods and services inside the cluster (controlled with NetworkPolicy)
- 15 Point Kubernetes Security Checklist - May 5, 2021