2. System Hardening
Limit Node Access
Limit users that can connect to the nodes
SSH Hardening
use public/private key authentication instead of passwords
disable ssh root login - PermitRootLogin no (in /etc/ssh/sshd_config)
disable password authentication - PasswordAuthentication no
reload sshd afterwards and keep an existing session open until key-based login is confirmed to work
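Added example, not part of the original notes: a check that the two sshd settings above are actually in effect. sshd takes the first value it meets for a keyword, and files pulled in through Include (for example /etc/ssh/sshd_config.d/ on Ubuntu) are normally included at the top of sshd_config, so a later "PasswordAuthentication no" can be silently overridden. On a live node the authoritative answer is `sshd -T`; the awk here applies the same first-match rule to a single file for offline review. The sample config and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original notes). Offline check of sshd hardening
# settings, reproducing sshd's first-match rule for a single config file.
# Match blocks are skipped (they override the global section for matching
# connections only) and an Include directive is only flagged, not followed:
# for the effective configuration on a real node use `sshd -T`.

# effective_sshd_option FILE KEYWORD -> first value set for KEYWORD in the
# global section (case-insensitive, "Key value" or "Key=value", comments and
# Match blocks ignored), or "unset".
effective_sshd_option() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    v=$(awk -v key="$key" '
        /^[[:space:]]*#/ { next }
        { gsub(/=/, " ") }
        NF < 2 { next }
        tolower($1) == "match" { inmatch = 1; next }
        inmatch { next }
        tolower($1) == key { print $2; exit }
    ' "$1")
    printf '%s\n' "${v:-unset}"
}

# check_sshd_hardening FILE -> one PASS/FAIL line per setting; exit status 1
# if anything fails. "unset" is compared against the OpenSSH default value.
check_sshd_hardening() {
    f=$1; rc=0
    if grep -qi '^[[:space:]]*include' "$f"; then
        echo "NOTE Include directive present: included files may override these values, confirm with sshd -T" >&2
    fi
    for pair in PermitRootLogin=no PasswordAuthentication=no PubkeyAuthentication=yes; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(effective_sshd_option "$f" "$key")
        if [ "$got" = unset ]; then
            case $key in
                PermitRootLogin) got=prohibit-password ;;   # OpenSSH default
                PasswordAuthentication) got=yes ;;          # OpenSSH default
                PubkeyAuthentication) got=yes ;;            # OpenSSH default
            esac
        fi
        if [ "$got" = "$want" ]; then
            printf 'PASS %s %s\n' "$key" "$got"
        else
            printf 'FAIL %s %s (want %s)\n' "$key" "$got" "$want"; rc=1
        fi
    done
    return $rc
}

# sample_sshd_config FILE -> writes a constructed sshd_config for the demo
# (not copied from a real host). The second PasswordAuthentication line is
# the kind of edit that looks right but never takes effect.
sample_sshd_config() {
    cat > "$1" <<'EOF'
# constructed sample, not copied from a real host
Include /etc/ssh/sshd_config.d/*.conf
PasswordAuthentication yes
Port 22
PermitRootLogin no
# ignored by sshd: the first value above wins
PasswordAuthentication no
Match User backup
    PasswordAuthentication no
EOF
}

# Demo against the constructed file. On a node with sshd installed, compare with:
#   sshd -T | grep -Ei 'permitrootlogin|passwordauthentication'
demo=$(mktemp)
sample_sshd_config "$demo"
check_sshd_hardening "$demo" || echo "sshd hardening check FAILED"
rm -f "$demo"
```

The Match-block and Include handling is the reason to prefer `sshd -T` on the node itself: the offline parser tells you what a single file says, `sshd -T` tells you what the daemon will actually enforce.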
Privilege Escalation in Linux
use sudo for admin tasks instead of logging in as root
set nologin shell for root - /usr/sbin/nologin in /etc/passwd, so root is only reachable through sudo
Remove Obsolete Packages and Services
Install only required packages - kubelet, kubeadm, containerd.io, kubectl
Remove Unwanted Services - systemctl list-units --type service
Restrict Kernel Modules
blacklist modules - /etc/modprobe.d/blacklist.conf, one entry per module, e.g.
  blacklist sctp
blacklist only stops automatic loading; an explicit modprobe still works unless the module is also mapped to /bin/false with an install line, and a module that is already loaded has to be removed with rmmod
Identify and Disable Open ports
netstat, ss, lsof
Minimize IAM roles
Minimize external access to the network
UFW
ufw allow proto udp from 1.2.3.5 port 5469 to 1.2.3.4 port 5469
ufw deny in on eth0 to 224.0.0.1 proto igmp
ufw allow in on eth0 to any port 80 proto tcp
Linux Syscalls
strace -c touch /tmp/error.txt (summary of the syscalls made by a command)
strace -p 3596 (strace of a running process, PID 3596)
Seccomp
profile location on the node - /var/lib/kubelet/seccomp/profiles/ (the kubelet's seccomp root is /var/lib/kubelet/seccomp; a Localhost profile is referenced by its path relative to that root)
pod spec - RuntimeDefault applies the container runtime's default profile:
  spec:
    securityContext:
      seccompProfile:
        type: RuntimeDefault
    containers:
    - name: test-container
      securityContext:
        allowPrivilegeEscalation: false
AppArmor
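Added example, not part of the original notes, tying the Linux Syscalls and Seccomp sections together: the `strace -c` summary of a command turned into a seccomp allowlist that can be installed under /var/lib/kubelet/seccomp/profiles/ and referenced as a Localhost profile. Two caveats a practitioner should keep in mind: a single strace run only shows the code paths that were exercised, so start with SCMP_ACT_LOG as the default action, run the real workload, collect the logged syscalls from the kernel audit records (type SECCOMP, 1326 in the kernel log) and only then switch to SCMP_ACT_ERRNO; and strace has to run on the same architecture as the target node, because syscall names are per-architecture. The strace output below is constructed (real syscall names, made-up numbers) and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original notes): build a seccomp allowlist
# profile from an `strace -c` summary. On a node:
#   strace -c -o summary.txt <command>
#   seccomp_allowlist summary.txt > /var/lib/kubelet/seccomp/profiles/<name>.json
# then reference it from the pod with seccompProfile type Localhost,
# localhostProfile profiles/<name>.json.

# strace_syscalls FILE -> syscall names from an `strace -c` summary, one per
# line, sorted. Skips the header, the dashed separators and the "total" line.
strace_syscalls() {
    awk '
        NF == 0 || $1 ~ /^%/ || $1 ~ /^-+$/ { next }
        $NF == "syscall" || $NF == "total" { next }
        { print $NF }
    ' "$1" | sort -u
}

# seccomp_allowlist FILE [ARCH] -> OCI seccomp profile JSON that allows exactly
# the syscalls in the summary and returns EPERM for everything else.
# Use "SCMP_ACT_LOG" as defaultAction for the first run to find what strace missed.
seccomp_allowlist() {
    arch=${2:-SCMP_ARCH_X86_64}
    names=$(strace_syscalls "$1" | awk '{ printf "%s\"%s\"", (NR > 1 ? ", " : ""), $0 }')
    cat <<EOF
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["$arch"],
  "syscalls": [
    { "names": [$names], "action": "SCMP_ACT_ALLOW" }
  ]
}
EOF
}

# sample_strace_summary FILE -> constructed `strace -c touch /tmp/error.txt`
# style output for the demo (made-up numbers, real syscall names)
sample_strace_summary() {
    cat > "$1" <<'EOF'
% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
 25.00    0.000012           6         2           close
 20.83    0.000010          10         1           openat
 16.67    0.000008           8         1           utimensat
 12.50    0.000006           6         1           mmap
 12.50    0.000006           3         2         1 arch_prctl
  8.33    0.000004           4         1           execve
  4.17    0.000002           2         1           exit_group
------ ----------- ----------- --------- --------- ----------------
100.00    0.000048           5         9         1 total
EOF
}

# Demo against the constructed summary.
demo=$(mktemp)
sample_strace_summary "$demo"
seccomp_allowlist "$demo"
rm -f "$demo"
```

A profile generated this way is only as complete as the run that produced it; treat the SCMP_ACT_LOG phase as mandatory rather than optional, and re-run it whenever the image changes.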
apt install apparmor-utils
aa-status (modes - enforce, complain, unconfined)
aa-genprof /root/add_data.sh - generate a profile for a program
aa-logprof - update profiles from logged denials
profiles - /etc/apparmor.d/
load profile - apparmor_parser /etc/apparmor.d/root.add_data.sh
reload profile - apparmor_parser -r /etc/apparmor.d/root.add_data.sh
remove profile - apparmor_parser -R /etc/apparmor.d/root.add_data.sh
pod spec (annotation form) - the profile must already be loaded on the node the pod is scheduled to, otherwise the kubelet refuses to start it:
  metadata:
    name: hello-apparmor
    annotations:
      # Tell Kubernetes to apply the AppArmor profile "k8s-apparmor-example-deny-write".
      container.apparmor.security.beta.kubernetes.io/hello: localhost/k8s-apparmor-example-deny-write
the annotation is deprecated since Kubernetes 1.30, where the same is expressed with securityContext.appArmorProfile (type Localhost, localhostProfile k8s-apparmor-example-deny-write)
Linux Capabilities
getcap /usr/bin/ping - file capabilities of a binary
getpcaps 779 - capabilities of a running process (PID 779)
pod spec - add only what the workload needs; dropping ALL first and adding back is the safer default:
  spec:
    containers:
    - name: sec-ctx-4
      securityContext:
        capabilities:
          add: ["NET_ADMIN", "SYS_TIME"]
          drop: ["CHOWN"]