123 points by security_geek 7 months ago | 25 comments
user1 7 months ago next
Great question! I use network policies and RBAC. Regularly updating and patching is also essential.
user2 7 months ago next
I recommend using Kubernetes' built-in features like RBAC and network policies, but third-party tools like Falco and Calico can enhance security.
user4 7 months ago next
Absolutely, I recommend using Clair for scanning your images.
user3 7 months ago prev next
Don't forget about keeping your images up-to-date and scanning them for vulnerabilities. I use tools like Clair and Trivy.
user5 7 months ago next
Why do you like Clair and Trivy over other scanning tools?
user3 7 months ago next
Clair and Trivy integrate well with our CI/CD pipeline and have low false-positive rates.
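Added example, not code posted by anyone in this thread: a GitHub Actions workflow that builds an image and runs Trivy against it as a gate, failing the job when HIGH or CRITICAL findings with an available fix are present. The repository, image name and registry are hypothetical; the action's version tag is an assumption and in practice should be pinned to a release or commit SHA rather than a moving branch.

```yaml
# Added example (hypothetical repo/image names). Build, then gate on Trivy.
name: image-scan
on:
  push:
    branches: [main]
  pull_request:

jobs:
  build-and-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build image
        run: docker build -t ghcr.io/example/app:${{ github.sha }} .

      # Scan the freshly built image. exit-code 1 makes the step (and the job)
      # fail when a matching vulnerability is found, which blocks the merge/push.
      - name: Trivy vulnerability scan
        uses: aquasecurity/trivy-action@master   # pin to a release/SHA in real use
        with:
          image-ref: ghcr.io/example/app:${{ github.sha }}
          format: table
          exit-code: '1'
          ignore-unfixed: true          # skip findings with no upstream fix yet
          vuln-type: os,library         # OS packages and language dependencies
          severity: CRITICAL,HIGH
```

`ignore-unfixed` is what keeps the gate from blocking on findings nobody can act on, and is a large part of the "low false-positive" experience people describe; the trade-off is that unfixed CRITICALs are silently skipped, so run a second, non-blocking scan without that flag (or on a schedule) so they are still visible. Accepted findings belong in a `.trivyignore` file in the repository rather than a lowered severity threshold, so each exception is reviewable in git history.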
user6 7 months ago prev next
Also, enabling Pod Security Policies and using Network Policies can help restrict traffic and control resources at the pod level.
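Added example, not from any comment in the thread: since Pod Security Policies were removed in Kubernetes 1.25, the built-in replacement is Pod Security Admission, which enforces a Pod Security Standard per namespace through labels. Below is a namespace set to the `restricted` standard and a pod spec that satisfies it, with resource limits since the comment also mentions controlling resources at the pod level. The namespace, image and UID are hypothetical.

```yaml
# Added example. Enforce the "restricted" Pod Security Standard on a namespace.
# enforce rejects non-compliant pods; warn/audit only report, useful for rollout.
apiVersion: v1
kind: Namespace
metadata:
  name: shop                       # hypothetical
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
# A pod that passes "restricted": non-root, no privilege escalation,
# all capabilities dropped, RuntimeDefault seccomp, only allowed volume types.
apiVersion: v1
kind: Pod
metadata:
  name: backend
  namespace: shop
spec:
  automountServiceAccountToken: false   # not required by the standard; removes an unused credential
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001                     # hypothetical UID baked into the image
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: app
      image: example.com/shop/backend:1.4.2   # hypothetical
      ports:
        - containerPort: 8080
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
        readOnlyRootFilesystem: true     # stricter than "restricted" requires
      resources:                         # pod-level resource control
        requests: {cpu: "100m", memory: "128Mi"}
        limits: {cpu: "500m", memory: "256Mi"}
      volumeMounts:
        - name: tmp
          mountPath: /tmp                # writable scratch space since / is read-only
  volumes:
    - name: tmp
      emptyDir: {}
```

Before switching `enforce` on for an existing namespace, run `kubectl label --dry-run=server --overwrite ns shop pod-security.kubernetes.io/enforce=restricted`; the server-side dry run prints a warning for every running pod that would be rejected, without changing anything.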
user2 7 months ago next
@user6 I also use Security Policies. They help limit the impact of security breaches by restricting pod behavior and exposing fewer services.
user4 7 months ago next
Using network policies effectively enables internal segmentation and helps prevent lateral movement from an attacker.
user11 7 months ago next
MFA adds an extra layer of security and prevents attacks from stolen credentials.
user5 7 months ago next
@user13 Agree! Security should be part of the DevSecOps cycle. Also, depending on the type of application, there could be compliance factors to consider like PCI-DSS, HIPAA, etc.
user7 7 months ago prev next
I would add monitoring for abnormal behavior and regular security audits. I like tools like Prometheus for monitoring.
user9 7 months ago next
@user7 Prometheus is great for monitoring. Look into Grafana for visualizing alerts and metrics in an organized way.
user3 7 months ago next
@user12 True, but be wary of their cost and potential vendor lock-in. Consider monitoring and logging solutions for auditing and reporting.
user8 7 months ago prev next
To minimize the attack surface, consider the principle of least privilege and network segmentation for Kubernetes network policies.
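Added example, not from any comment in the thread: least privilege applied to RBAC, which is where the Principle of Least Privilege most often fails in clusters. The first object is the over-broad shape to avoid (cluster-admin bound to a CI service account); the Role and RoleBinding after it grant only what a deployment pipeline needs in one namespace. Names and namespace are hypothetical.

```yaml
# Added example (hypothetical names). AVOID: a CI service account with cluster-admin.
# Anyone who obtains this token (leaked pipeline log, compromised runner) owns the cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ci-deployer-admin      # do not apply; shown only as the weak setting
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: ci-deployer
    namespace: shop
---
# PREFER: a namespaced Role listing exact resources and verbs. No wildcards,
# no "secrets", no "pods/exec", no "*" apiGroups.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: deployer
  namespace: shop
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
  - apiGroups: [""]
    resources: ["services", "configmaps"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]     # read-only, for rollout status checks
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ci-deployer-deployer
  namespace: shop
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: deployer
subjects:
  - kind: ServiceAccount
    name: ci-deployer
    namespace: shop
```

Check the result with impersonation rather than reading the YAML: `kubectl auth can-i get secrets -n shop --as=system:serviceaccount:shop:ci-deployer` should answer `no`, and `kubectl auth can-i create deployments -n shop --as=system:serviceaccount:shop:ci-deployer` should answer `yes`. One caveat that is easy to miss: a principal allowed to create Deployments can author a pod spec that mounts any Secret in the namespace or runs under any other service account there, so omitting `secrets` from the rules only helps if the namespace does not also hold more privileged service accounts or secrets the pipeline should never see. Keep such things in a separate namespace.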
user10 7 months ago prev next
And has anyone considered using multi-factor authentication (MFA) on the cluster management level? I like tools like Okta and Duo.
user12 7 months ago prev next
Using ConfigMaps and Secrets can manage sensitive information and avoid secrets sprawl.
user6 7 months ago next
Make use of Service Meshes like Istio or Linkerd. You get very comprehensive features like fine-grained networking and traffic management policies.
user12 7 months ago next
Using Service Meshes can enhance visibility into the system and allow you to apply consistent policies across clusters and environments.
user13 7 months ago prev next
It's essential to always consider security during all phases of development, not just after something is already deployed.
user14 7 months ago prev next
You may also want to put your cluster behind a web application firewall (WAF). I like ModSecurity.
user7 7 months ago next
@user14 WAFs also provide additional security for DDoS and rate limiting protection for your Kubernetes API servers and services.
user15 7 months ago prev next
For organizations working with sensitive data, consider using Kubernetes in enterprise environments like Azure AKS, GKE or EKS.
user9 7 months ago next
Managed Kubernetes like AKS, EKS or GKE provide a managed control plane with automated patching and version upgrades.
user16 7 months ago prev next
Regularly auditing and validating your cluster could help uncover unintended exposure or potential threats. Tools like kube-bench or kube-hunter can be helpful.