Create a security checklist for deploying a cluster #28
Comments
/sig security docs |
Thanks Savitha! I think I would be glad to write the part about PodSecurity, I took a look at it recently (here) and found it very convenient to use! I could also try to handle the "Enabling seccomp" part, but I don't want to take all the good stuff 😄! I think we could discuss this at the next security documentation meeting, but for this checklist, do you envision something complete in and of itself, or short descriptions and references to the documentation? |
Thanks @mtardy :) I am thinking that we will have a one liner and also a link to documentation if available. WDYT? |
Yes I agree! I don't think it would be a good idea to repeat what is already well presented in the documentation, but a central page to refer to all the good security features of Kubernetes with a one liner to introduce them and why they are important would be great! |
I'm happy to pick up Network Security and Secrets. Also, I agree on taking the approach of making this more summary based and linking to relevant detailed guides. |
I can do the Container & Image scanning part. Also agreeing on the summary based approach. |
What about confidential Kubernetes? I could link some interesting stuff to some open source projects I was involved in. |
@p4ck3t0 is confidential Kubernetes a part of the Kubernetes ecosystem or core concepts? We want to limit this checklist to that and avoid third-party recommendations in order to keep it vendor-neutral. |
No it's not a core concept, I will focus on Container & Image scanning. |
@p4ck3t0 would you like to create a blog post for confidential Kubernetes? It sounds like a beneficial topic. |
@savitharaghunathan sure, I want to write a short blog post about it. I just need to see if I could do both the Confidential Kubernetes blog post and the Container & Image scanning checklist. |
Based on the conversation in Slack, also happy to pick up pod placement :) |
Added a new task item and assigned it to you. Thanks, @Skybound1 :) |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
@Skybound1 - I'd love to pair on the Network Security section if you're up for it! |
@cailynse sure, happy to work with others and get their opinions :) We have got some drafts in the PR linked above (kubernetes/website#33992), feel free to have a look and give comments, happy to discuss any of the points as well :) ( Skybound on the Kube slack ) |
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
/remove-lifecycle rotten |
@mtardy, kubernetes/website#34873 added some sound advice - you might want to add that to the checklist too. |
Indeed, thanks @sftim. It's already present in the RBAC good practices guide that we recommend for that topic; do you think we should add another warning directly on the checklist? https://kubernetes.io/docs/concepts/security/rbac-good-practices/#listing-secrets |
I'm fine either way. I'm not sure how you frame a common misunderstanding as a checklist item, but if there's a way then I'm all for it. |
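The misunderstanding referenced in the two comments above (the "listing secrets" entry of the RBAC good-practices page) is that `list` and `watch` on `secrets` return full objects, `data` included, so a Role that grants only those verbs exposes secret contents just as `get` does. The following is an added example for this thread, not Kubernetes project code: a small checker that reads the JSON shape produced by `kubectl get roles,clusterroles -A -o json` and flags every rule able to read Secret contents, calling out the list/watch-only case explicitly. The sample RBAC objects are constructed inline so the script runs offline.

```python
"""Flag RBAC rules that let a subject read Secret contents.

Added example; not Kubernetes project code. Input is the JSON list shape
that `kubectl get roles,clusterroles -A -o json` prints. The security point
from the RBAC good-practices page: `list` and `watch` on secrets return the
whole objects (including `data`), so they are equivalent to `get` for
confidentiality purposes.
"""
import json

# Constructed sample (not from a real cluster): a Role that grants only
# list/watch (often assumed "safe"), a wildcard ClusterRole, and a harmless
# ConfigMap reader that must not be flagged.
SAMPLE_RBAC_JSON = json.dumps({
    "items": [
        {
            "kind": "Role",
            "metadata": {"name": "secret-lister", "namespace": "payments"},
            "rules": [
                {"apiGroups": [""], "resources": ["secrets"],
                 "verbs": ["list", "watch"]},
            ],
        },
        {
            "kind": "ClusterRole",
            "metadata": {"name": "wide-open"},
            "rules": [
                {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
            ],
        },
        {
            "kind": "Role",
            "metadata": {"name": "configmap-reader", "namespace": "payments"},
            "rules": [
                {"apiGroups": [""], "resources": ["configmaps"],
                 "verbs": ["get", "list"]},
            ],
        },
    ]
})

# Any one of these verbs is enough to read a Secret's data.
READ_VERBS = {"get", "list", "watch"}


def rule_exposes_secrets(rule):
    """True if this single RBAC rule lets its holder read Secret objects."""
    groups = set(rule.get("apiGroups", []))
    if not ({"", "*"} & groups):
        return False  # Secrets live in the core ("") API group only
    resources = set(rule.get("resources", []))
    if not ({"secrets", "*"} & resources):
        return False
    verbs = set(rule.get("verbs", []))
    return "*" in verbs or bool(verbs & READ_VERBS)


def find_secret_readers(rbac_json):
    """Return (kind, namespace/name, verbs, note) for every exposing rule."""
    findings = []
    for obj in json.loads(rbac_json)["items"]:
        meta = obj["metadata"]
        name = meta.get("namespace", "<cluster>") + "/" + meta["name"]
        for rule in obj.get("rules", []):
            if not rule_exposes_secrets(rule):
                continue
            verbs = set(rule.get("verbs", []))
            if {"get", "*"} & verbs:
                note = "reads secret data"
            else:
                # The common misunderstanding: no `get`, but list/watch
                # still return every secret's contents.
                note = "list/watch without get still reads all secret data"
            findings.append((obj["kind"], name, sorted(verbs), note))
    return findings


if __name__ == "__main__":
    for kind, name, verbs, note in find_secret_readers(SAMPLE_RBAC_JSON):
        print(f"{kind} {name}: verbs={verbs} -> {note}")
```

Run it against a real cluster by piping `kubectl get roles,clusterroles -A -o json` into `find_secret_readers`; the check is deliberately narrow (core group, `secrets` or `*`) so that a hit is always a rule a reviewer should read, not noise.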
I noticed some security advice in kubernetes/website#35511 and thought I'd mention it here. |
Should we close this issue and create a central issue for updates to this page? Or should we edit this one for a follow-up? If nobody opposes, I guess I'll close this one and create another! |
We created a checklist. /close (folks can reopen if they don't agree this is resolved) |
@sftim: Closing this issue. In response to this:
I like the idea of making another issue to track further improvements. |
You are correct I should be more confident 😄 |
While there are many checklists available, this could be a recommended checklist for ensuring security in Kubernetes clusters.
Overall guidance:
Potential checklist sections:
Cluster level:
Application/workload: