3. Minimize Microservice Vulnerabilities

Security Contexts

securityContext:
  runAsUser: 1000
  runAsGroup: 3000
  fsGroup: 2000
  fsGroupChangePolicy: "OnRootMismatch"

Admission Controllers

--enable-admission-plugins=NodeRestriction,NamespaceExists
--disable-admission-plugins=NodeRestriction,NamespaceAutoProvision

Validating and Mutating Admission Controllers

MutatingAsmissionWebhook
ValidatingAdmissionWebhook
Deploy Webhook Server

Pod Security Admission (Pod Security Policy Admission Controller)

--enable-admission-plugins=PodSecurityPolicy

Open Policy Agent

Rego - policy language
Rego Playground
Policy Testing
How Netflix Is Solving Authorization Across Their Cloud https://youtu.be/R6tUNpRpdnY
Open Policy Agent Deep Dive https://youtu.be/4mBJSIhs2xQ

OPA in Kubernetes

kube-mgmt

Manage Kubernetes secrets

Vault provider - https://github.com/hashicorp/vault-csi-provider

Encrypting Secret Data at Rest

Container Sandboxing

gVisor

Kata Containers (lightweight vm)

Container Runtime

runc (containerd-io), runsc (gVisor), kata (Kata)

mTLS

Istio
Linkerd

Previous2. System Hardening Next4. Supply Chain Security

Last updated 2 years ago

hashtagSecurity Contexts

hashtagAd

hashtagAdmission Controllers

hashtagValidating and Mutating Admission Controllers

hashtagPod Security Admission (Pod Security Policy Admission Controller)

hashtagOpen Policy Agent

hashtagOPA in Kubernetes

hashtagManage Kubernetes secrets

hashtagEncrypting Secret Data at Rest

hashtagContainer Sandboxing

hashtaggVisor

hashtagKata Containers (lightweight vm)

hashtagContainer Runtime

hashtagmTLS

Security Contexts

Ad

Admission Controllers

Validating and Mutating Admission Controllers

Pod Security Admission (Pod Security Policy Admission Controller)

Open Policy Agent

OPA in Kubernetes

Manage Kubernetes secrets

Encrypting Secret Data at Rest

Container Sandboxing

gVisor

Kata Containers (lightweight vm)

Container Runtime

mTLS