Session at ContainerDay Security 2023 on the 8th of March in Hamburg.
Hardening and securing Kubernetes requires expertise and experience. The talk gives an overview of how we contributed to Kubespray to enable cluster hardening: the features that have been introduced, the tools that we used to verify the cluster hardening, and our experience with the open-source community.
8. EventRateLimit
● Mitigates the problem where the apiserver gets flooded by event requests
● Limit types:
  ● Server
  ● Namespace
  ● User
  ● SourceAndObject
● Avoids DoS in a multi-tenant cluster
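The slide lists the four limit types; what it does not show is how they are wired into the apiserver. The admission configuration file below is an added example (not a slide from the talk and not a file from Kubespray) that enables the EventRateLimit admission plugin with one bucket per limit type. The qps, burst and cacheSize numbers are illustrative values, not recommendations from the talk, and the Kubespray inventory variables named in the usage note are quoted from memory of the Kubespray hardening docs, so verify them against the sample inventory of your Kubespray version.

```yaml
# Added example: apiserver admission configuration enabling EventRateLimit.
# Pass it to kube-apiserver with
#   --enable-admission-plugins=...,EventRateLimit
#   --admission-control-config-file=/etc/kubernetes/admission-control/eventratelimit.yaml
# (the path is a constructed placeholder).
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: EventRateLimit
  configuration:
    apiVersion: eventratelimit.admission.k8s.io/v1alpha1
    kind: Configuration
    limits:
    # Server: a single bucket shared by every client of this apiserver.
    # This is the global ceiling that keeps the apiserver itself alive.
    - type: Server
      qps: 5000
      burst: 20000
    # Namespace: one bucket per namespace, so one noisy tenant exhausts
    # only its own budget. cacheSize bounds how many buckets are kept.
    - type: Namespace
      qps: 50
      burst: 100
      cacheSize: 2000
    # User: one bucket per authenticated user (or service account).
    - type: User
      qps: 10
      burst: 50
      cacheSize: 2000
    # SourceAndObject: one bucket per (event source, involved object)
    # pair, which catches a single controller spamming events about
    # one object without throttling the whole namespace.
    - type: SourceAndObject
      qps: 10
      burst: 50
      cacheSize: 2000
```

Requests that exceed a bucket are rejected with HTTP 429, so a client that floods the apiserver with Events is slowed down rather than allowed to take it down. In a Kubespray inventory the same configuration is expressed, as far as I recall, by adding `EventRateLimit` to `kube_apiserver_enable_admission_plugins` and filling `kube_apiserver_admission_event_rate_limits`; treat both names as assumptions until checked against your version.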
10. streamingConnectionIdleTimeout
● Defines the maximum time an idle session is permitted prior to disconnect
● By default it is set to 4 hours
● Ensures that you are protected against DoS attacks
● Idle connections can be used by unauthorized users to perform malicious activity on the nodes, pods, containers, etc.
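The setting the slide refers to lives in the KubeletConfiguration. Below, as an added example that is not part of the talk or of Kubespray, is the weak default next to a hardened value; the 4h default and the meaning of 0 come from the kubelet configuration reference, the 5m value is an illustrative choice.

```yaml
# Added example: kubelet configuration with streamingConnectionIdleTimeout.
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
# Default when the field is omitted: an idle exec/attach/port-forward
# stream stays open for 4 hours.
#   streamingConnectionIdleTimeout: 4h
# "0" disables the timeout entirely and is the one value to avoid.
#   streamingConnectionIdleTimeout: 0
#
# Hardened: an idle stream is closed after 5 minutes, so an abandoned
# or hijacked session cannot be held open against the kubelet.
streamingConnectionIdleTimeout: 5m
```

The same value can be passed as the kubelet flag `--streaming-connection-idle-timeout=5m`. In Kubespray the inventory variable is, as I recall, `kubelet_streaming_connection_idle_timeout`; treat that name as an assumption and confirm it in the sample inventory of your version.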
11. Split kube_feature_gates variable
● kube_feature_gates allows you to manage the feature gates in a generic way for all the components
● Not all the components need the same configuration
● Create a dedicated variable for each component
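To make the split concrete, here is an added example of a Kubespray group_vars excerpt (constructed for this page, not copied from the talk or from Kubespray). The generic `kube_feature_gates` list is the one the slide names; the per-component variable names are the ones I recall Kubespray introducing for this purpose and should be treated as assumptions until checked against your version's sample inventory. The feature gates themselves are real Kubernetes gates used only as illustrative values.

```yaml
# Added example: inventory/group_vars/k8s_cluster/k8s-cluster.yml excerpt.

# Before: one generic list, rendered into the flags of every component.
# A gate that only the kubelet acts on is also handed to the apiserver,
# scheduler and proxy, and there is no way to scope a gate to one of them.
kube_feature_gates:
  - "RotateKubeletServerCertificate=true"
  - "GracefulNodeShutdown=true"

# After: one dedicated list per component, so each binary receives only
# the gates that concern it. Leave a list empty for a component that
# needs no gates at all.
kube_apiserver_feature_gates: []
kube_controller_manager_feature_gates:
  # the controller-manager side of kubelet serving-certificate rotation
  - "RotateKubeletServerCertificate=true"
kube_scheduler_feature_gates: []
kube_proxy_feature_gates: []
kubelet_feature_gates:
  - "RotateKubeletServerCertificate=true"
  - "GracefulNodeShutdown=true"
```

A practical check after switching: render the resulting flags (for example `ps -o args -C kube-apiserver` on a control-plane node and `ps -o args -C kubelet` on a worker) and confirm that `--feature-gates` on each process contains only its own list.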
15. Kubelet Systemd Service Hardening
● Systemd v235
● Isolate systemd services with sandboxing features
● Analyzes the security settings of service units (systemd-analyze security)
17. Kubelet Systemd Service Hardening
● Provide a variable to enable the service hardening
● Provide a variable to whitelist the IPs allowed to communicate with the kubelet
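Slides 15 and 17 describe the two halves of the same feature: systemd sandboxing directives on the kubelet unit, and an IP allow-list that, with systemd 235 or newer, can be expressed with `IPAddressDeny=`/`IPAddressAllow=`. The playbook below is an added example written for this page; it is not Kubespray's own role code. The variable names `kubelet_systemd_hardening` and `kubelet_secure_addresses` follow the Kubespray hardening docs as I remember them and are assumptions to verify; the drop-in path, the address list and the host group are constructed sample values.

```yaml
# Added example: Ansible play that installs a hardening drop-in for
# kubelet.service and reports the systemd-analyze security score.
- name: Harden the kubelet systemd service
  hosts: k8s_cluster            # constructed group name
  become: true
  vars:
    kubelet_systemd_hardening: true
    # Constructed sample. The allow-list applies to *all* sockets of the
    # unit, inbound and outbound, so it must include not only the clients
    # of the kubelet API (control plane on 10250/tcp) but also everything
    # the kubelet itself talks to: apiserver, DNS, pod and service ranges.
    kubelet_secure_addresses: "localhost link-local 10.0.0.0/24 10.233.0.0/18 10.233.64.0/18"
  tasks:
    - name: Ensure the kubelet drop-in directory exists
      ansible.builtin.file:
        path: /etc/systemd/system/kubelet.service.d
        state: directory
        mode: "0755"

    - name: Install the kubelet hardening drop-in
      when: kubelet_systemd_hardening
      ansible.builtin.copy:
        dest: /etc/systemd/system/kubelet.service.d/20-hardening.conf
        mode: "0644"
        content: |
          [Service]
          # Seccomp-based sandboxing that does not interfere with what the
          # kubelet must do as root (mount volumes, manage cgroups, set sysctls).
          SystemCallArchitectures=native
          LockPersonality=true
          RestrictRealtime=true
          # Deliberately NOT set, because they break the kubelet:
          #  - PrivateTmp/ProtectSystem/ProtectHome put the service in its
          #    own mount namespace and hide the volume mounts kubelet
          #    creates from the container runtime
          #  - RestrictSUIDSGID blocks the setgid bit kubelet applies for fsGroup
          #  - ProtectControlGroups/ProtectKernelTunables block cgroup and
          #    sysctl management
          # IP access list (systemd >= 235, needs cgroup BPF support):
          # deny everything, then allow the configured addresses.
          IPAddressDeny=any
          IPAddressAllow={{ kubelet_secure_addresses }}
      notify: Restart kubelet

    - name: Flush handlers so the score reflects the new unit
      ansible.builtin.meta: flush_handlers

    - name: Score the unit with systemd-analyze security
      ansible.builtin.command: systemd-analyze security --no-pager kubelet.service
      register: kubelet_security_report
      changed_when: false

    - name: Show the overall exposure line
      ansible.builtin.debug:
        msg: "{{ kubelet_security_report.stdout_lines | select('search', 'exposure level') | list }}"

  handlers:
    - name: Restart kubelet
      ansible.builtin.systemd:
        name: kubelet
        daemon_reload: true
        state: restarted
```

Run it against one test node first and, after the restart, confirm that pods with secrets, configmaps and emptyDir volumes still start and that `kubectl logs`/`kubectl exec` against that node still work; those are the operations that fail first when a sandboxing directive or a too-narrow allow-list is wrong. Each directive you add lowers the exposure level that `systemd-analyze security` prints, which is the metric the slide refers to.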