Ctrlk

2. System Hardening

Limit Node Access

Limit users that can connect to the nodes

SSH Hardening

use private/public key
disable ssh root login - PermintRootLogin no
disable password authentication - PasswordAuthentication no

Privilege Escalation in Linux

use sudo
set nologin shell for root

Remove Obsolete Packages and Services

Install only required packages - kubelet, kubeadm, containerd.io, kubectl
Remove Unwanted Services - systemctl list-units --type service

Restrict Kernel Modules

Blacklist modules - cat /etc/modprobe.d/blacklist.conf blacklist sctp

Identify and Disable Open ports

netstat, ss, lsof

Minimize IAM roles

Minimize external access to the network

UFW

ufw allow proto udp from 1.2.3.5 port 5469 to 1.2.3.4 port 5469
ufw deny in on eth0 to 224.0.0.1 proto igmp
ufw allow in on eth0 to any port 80 proto tcp

Linux Syscalls

strace -c touch /tmp/error.txt
strace -p 3596 (strace of a running process)

Seccomp

/var/lib/kubelet/seccomp/profiles/

AppArmor

aa-status ( modes - enforce, complain, unconfined)
apt install apparmor-utils
aa-genprof /root/add_data.sh
aa-logprof - update profiles
profiles - /etc/apparmor.d/
load profile - apparmor_parser /etc/apparmor.d/root.add_data.sh
reload profile - apparmor_parser -r /etc/apparmor.d/root.add_data.sh
remove profile - apparmor_parser -R /etc/apparmor.d/root.add_data.sh

Linux Capabilities

getcap /usr/bin/ping
getpcaps 779

Previous1. Cluster Setup and Hardening Next3. Minimize Microservice Vulnerabilities

Last updated 1 year ago

metadata:
  name: hello-apparmor
  annotations:
    # Tell Kubernetes to apply the AppArmor profile "k8s-apparmor-example-deny-write".
    container.apparmor.security.beta.kubernetes.io/hello: localhost/k8s-apparmor-example-deny-write