3. Minimize Microservice Vulnerabilities
Security Contexts
securityContext:
  runAsUser: 1000
  runAsGroup: 3000
  fsGroup: 2000
  fsGroupChangePolicy: "OnRootMismatch"
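The fragment above only pins the IDs a process runs with. An added example (not code from the original notes) showing a full Pod that combines the pod-level context with the container-level fields a hardening review usually asks for; the pod name and image are assumed:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: hardened-app                 # assumed name
spec:
  # Pod-level context: inherited by every container and used for volume ownership.
  securityContext:
    runAsUser: 1000                  # UID the container processes run as
    runAsGroup: 3000                 # primary GID
    fsGroup: 2000                    # supplemental GID that owns mounted volumes
    fsGroupChangePolicy: "OnRootMismatch"   # skip the recursive chown when the volume root already matches
    runAsNonRoot: true               # kubelet refuses to start a container that would run as UID 0
    seccompProfile:
      type: RuntimeDefault           # container runtime's default seccomp filter
  containers:
  - name: app
    image: busybox:1.36              # assumed image
    command: ["sh", "-c", "id; ls -ld /data; sleep 3600"]
    # Container-level context: overrides pod-level fields of the same name.
    securityContext:
      allowPrivilegeEscalation: false    # sets no_new_privs; setuid binaries cannot gain privileges
      readOnlyRootFilesystem: true       # writes must go to an explicit volume
      capabilities:
        drop: ["ALL"]                    # start from zero capabilities and add back only what is needed
    volumeMounts:
    - name: data
      mountPath: /data
    - name: tmp
      mountPath: /tmp                    # writable scratch space because the root fs is read-only
  volumes:
  - name: data
    emptyDir: {}
  - name: tmp
    emptyDir: {}
```

Check it with `kubectl logs hardened-app`: `id` reports uid=1000 and gid=3000 with 2000 among the groups, and `/data` is group-owned by 2000. A container whose image has no passwd entry for UID 1000 still runs; a container whose image defaults to root fails to start with a `runAsNonRoot` error, which is the point of the field.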
Admission Controllers
--enable-admission-plugins=NodeRestriction,NamespaceExists
--disable-admission-plugins=NodeRestriction,NamespaceAutoProvision
Validating and Mutating Admission Controllers
MutatingAdmissionWebhook
ValidatingAdmissionWebhook
Deploy Webhook Server
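Once the webhook server is deployed behind a Service, the API server needs to be told when to call it. An added example (not from the original notes) of the two registration objects; the webhook name, namespace, Service name and paths are assumed, and caBundle is a placeholder for the base64 PEM of the CA that signed the server certificate:

```yaml
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: pod-policy.example.com          # assumed
webhooks:
- name: pod-policy.example.com          # must be a DNS-style name; shows up in audit logs and error messages
  admissionReviewVersions: ["v1"]
  sideEffects: None                     # the server does nothing outside the AdmissionReview exchange
  failurePolicy: Fail                   # unreachable or timed-out webhook rejects the request (fail closed)
  timeoutSeconds: 5
  matchPolicy: Equivalent
  rules:
  - apiGroups: [""]
    apiVersions: ["v1"]
    operations: ["CREATE", "UPDATE"]
    resources: ["pods"]
    scope: "Namespaced"
  namespaceSelector:
    matchExpressions:
    - key: kubernetes.io/metadata.name
      operator: NotIn
      values: ["kube-system"]           # never fail-close the control plane's own pods
  clientConfig:
    service:
      namespace: webhook-system         # assumed
      name: pod-policy-webhook          # assumed Service in front of the webhook server
      path: /validate
      port: 443
    caBundle: <base64 PEM of the CA that signed the webhook server certificate>
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: pod-defaults.example.com        # assumed
webhooks:
- name: pod-defaults.example.com
  admissionReviewVersions: ["v1"]
  sideEffects: None
  failurePolicy: Fail
  timeoutSeconds: 5
  reinvocationPolicy: IfNeeded          # re-run if another mutating webhook changed the object afterwards
  rules:
  - apiGroups: [""]
    apiVersions: ["v1"]
    operations: ["CREATE"]
    resources: ["pods"]
  namespaceSelector:
    matchExpressions:
    - key: kubernetes.io/metadata.name
      operator: NotIn
      values: ["kube-system"]
  clientConfig:
    service:
      namespace: webhook-system
      name: pod-policy-webhook
      path: /mutate
      port: 443
    caBundle: <same CA bundle>
```

Mutating webhooks run before validating ones, so the validator sees the object after defaults were injected; validate the mutated result, not the original. With `failurePolicy: Fail` a rejected create shows up as `admission webhook "pod-policy.example.com" denied the request: ...` on the kubectl side, and a crashed webhook server blocks all pod creation in the selected namespaces, which is why kube-system is excluded above.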
Pod Security Admission (the PodSecurity admission plugin; replacement for the removed PodSecurityPolicy admission controller)
--enable-admission-plugins=PodSecurity   (on by default since v1.23; PodSecurityPolicy was removed in v1.25, so --enable-admission-plugins=PodSecurityPolicy only works on older clusters)
Open Policy Agent
Rego - policy language
Rego Playground
Policy Testing
How Netflix Is Solving Authorization Across Their Cloud https://youtu.be/R6tUNpRpdnY
Open Policy Agent Deep Dive https://youtu.be/4mBJSIhs2xQ
OPA in Kubernetes
kube-mgmt
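How the Rego pieces fit together in a cluster: the API server sends an AdmissionReview to OPA, OPA evaluates its default decision `data.system.main`, and kube-mgmt keeps policies loaded from ConfigMaps. An added example (not from the original notes or the OPA project) of a ConfigMap carrying a default-decision rule and two deny rules; the ConfigMap name, the `opa` namespace and the trusted registry are assumed, and the Rego uses the `rego.v1` syntax so it loads on both pre-1.0 and 1.0 OPA:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: pod-admission-policy           # assumed
  namespace: opa                       # assumed: the namespace kube-mgmt is told to watch (--policies)
  labels:
    openpolicyagent.org/policy: rego   # kube-mgmt only loads ConfigMaps carrying this label
data:
  main.rego: |
    package system

    import rego.v1

    # Default decision: OPA answers POST / with data.system.main.
    main := {
      "apiVersion": "admission.k8s.io/v1",
      "kind": "AdmissionReview",
      "response": response,
    }

    default uid := ""

    uid := input.request.uid

    # Deny if any deny rule produced a message; the messages go back to the client.
    response := {
      "allowed": false,
      "uid": uid,
      "status": {"message": reason},
    } if {
      reason := concat("; ", data.kubernetes.admission.deny)
      reason != ""
    } else := {"allowed": true, "uid": uid}

  pods.rego: |
    package kubernetes.admission

    import rego.v1

    trusted_registries := {"registry.example.com/"}   # assumed

    # Every container image must come from a trusted registry.
    deny contains msg if {
      input.request.kind.kind == "Pod"
      some container in input.request.object.spec.containers
      not trusted(container.image)
      msg := sprintf("container %q uses untrusted image %q", [container.name, container.image])
    }

    # Every container must opt in to runAsNonRoot explicitly.
    # A missing securityContext makes the comparison undefined, so `not` fires and the pod is denied.
    deny contains msg if {
      input.request.kind.kind == "Pod"
      some container in input.request.object.spec.containers
      not container.securityContext.runAsNonRoot == true
      msg := sprintf("container %q must set securityContext.runAsNonRoot: true", [container.name])
    }

    trusted(image) if {
      some prefix in trusted_registries
      startswith(image, prefix)
    }
```

kube-mgmt writes the compile result into the `openpolicyagent.org/policy-status` annotation on the ConfigMap, so a syntax error is visible with `kubectl get cm -n opa pod-admission-policy -o yaml` rather than silently failing open. Test the rules offline first: save an AdmissionReview as `input.json` and run `opa eval -d pods.rego -i input.json 'data.kubernetes.admission.deny'`, or write `_test.rego` cases and run `opa test .`; the Rego Playground accepts the same policy and input.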
Manage Kubernetes secrets
Vault provider - https://github.com/hashicorp/vault-csi-provider
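With the Vault CSI provider the secret is fetched at pod start and mounted as a file; it never becomes a Kubernetes Secret object, so it never lands in etcd. An added example (not from the vault-csi-provider project) of a SecretProviderClass and a Pod that mounts it; the Vault address, role, KV path, namespace and image are assumed:

```yaml
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: vault-db-creds                  # assumed
  namespace: payments                   # assumed
spec:
  provider: vault
  parameters:
    vaultAddress: "https://vault.vault.svc:8200"   # assumed
    roleName: "payments-app"            # Vault Kubernetes-auth role bound to the pod's ServiceAccount
    objects: |
      - objectName: "db-password"       # file name under the mount path
        secretPath: "secret/data/payments/db"   # KV v2 path (note the /data/ segment)
        secretKey: "password"
---
apiVersion: v1
kind: Pod
metadata:
  name: payments-app
  namespace: payments
spec:
  serviceAccountName: payments-app      # the identity Vault authenticates; no Vault token in the manifest
  containers:
  - name: app
    image: registry.example.com/payments:1.4.2   # assumed
    volumeMounts:
    - name: vault-secrets
      mountPath: /mnt/secrets
      readOnly: true
  volumes:
  - name: vault-secrets
    csi:
      driver: secrets-store.csi.k8s.io
      readOnly: true
      volumeAttributes:
        secretProviderClass: vault-db-creds
```

The application reads `/mnt/secrets/db-password`. Access is gated on the Vault side (the role must be bound to the `payments-app` ServiceAccount in namespace `payments` and hold a policy that allows `secret/data/payments/db`), so a pod with a different ServiceAccount cannot mount the same class even though it is a cluster object anyone with RBAC read access can see.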
Encrypting Secret Data at Rest
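By default Secrets are stored base64-encoded, not encrypted, in etcd. An added example (not from the original notes) of an EncryptionConfiguration that turns on AES-CBC for Secrets while keeping already-stored plaintext readable; the file path is assumed and the key is a placeholder:

```yaml
# Assumed path /etc/kubernetes/enc/enc.yaml, mounted into the kube-apiserver static pod and passed as
#   --encryption-provider-config=/etc/kubernetes/enc/enc.yaml
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- resources:
  - secrets                      # add configmaps or other resources here as needed
  providers:
  # The first provider is used for all writes; every listed provider is tried in order on reads.
  - aescbc:
      keys:
      - name: key1
        secret: <base64 of 32 random bytes, generated with: head -c 32 /dev/urandom | base64>
  # identity (no encryption) last, so Secrets written before the change can still be read.
  - identity: {}
```

After the API server restarts, existing Secrets are still plaintext until they are rewritten: `kubectl get secrets --all-namespaces -o json | kubectl replace -f -` re-encrypts them. Verify against etcd directly, for example `ETCDCTL_API=3 etcdctl get /registry/secrets/default/<name>` with the etcd client certs; the value should start with `k8s:enc:aescbc:v1:key1:` rather than readable JSON. The caveat: the key sits in a file on the control-plane disk next to etcd, so this defends against a copied etcd backup but not against a compromised control-plane host; a KMS provider keeps the key in an external service.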
Container Sandboxing
gVisor
Kata Containers (each pod runs inside a lightweight VM with its own guest kernel)
Container Runtime
runc (default OCI runtime under containerd and Docker; containers share the host kernel), runsc (gVisor), kata-runtime (Kata Containers); a pod picks a runtime through a RuntimeClass
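Selecting a sandboxed runtime is a two-step affair: the node's containerd must have a runtime handler configured, and a RuntimeClass maps a name to that handler. An added example (not from the original notes) of RuntimeClass objects for both runtimes and a Pod that asks for gVisor; the pod name and image are assumed:

```yaml
# On the node, containerd's config.toml must define the handler, e.g. for gVisor:
#   [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runsc]
#     runtime_type = "io.containerd.runsc.v1"
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc                   # must match the containerd runtime handler name
---
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: kata
handler: kata                    # likewise, the Kata handler configured in containerd
---
apiVersion: v1
kind: Pod
metadata:
  name: sandboxed                # assumed
spec:
  runtimeClassName: gvisor       # omit the field (or use a class backed by runc) for a normal container
  containers:
  - name: app
    image: busybox:1.36          # assumed
    command: ["sh", "-c", "uname -r; dmesg | head -n 3; sleep 3600"]
```

Check with `kubectl logs sandboxed`: under gVisor `uname -r` reports gVisor's emulated kernel version rather than the node's, and `dmesg` prints gVisor's own boot messages, proving the container is not talking to the host kernel. Under Kata the same commands show the guest VM kernel. If the node lacks the handler, the pod stays in `ContainerCreating` with a "no runtime for ... is configured" event.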
mTLS
Istio
Linkerd
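In Istio, mTLS between sidecars is configured with PeerAuthentication and is scoped by where the object lives. An added example (not from the Istio project) of a mesh-wide STRICT default with two narrower exceptions; the namespaces, app label and port are assumed:

```yaml
# Mesh-wide default: a PeerAuthentication named "default" in the root namespace (istio-system)
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT                 # sidecars accept only mTLS; plaintext connections are reset
---
# Namespace-level override for a namespace that still has unmeshed clients (assumed name)
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: legacy
spec:
  mtls:
    mode: PERMISSIVE             # accept both mTLS and plaintext during migration; tighten later
---
# Workload-level: keep one port plaintext for a health checker that lives outside the mesh
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: payments-api
  namespace: payments            # assumed
spec:
  selector:
    matchLabels:
      app: payments-api          # assumed label
  mtls:
    mode: STRICT
  portLevelMtls:
    9090:
      mode: DISABLE
```

A quick check: from a pod without a sidecar, `curl` to a STRICT service fails (connection reset), while a meshed client succeeds; switching the namespace to PERMISSIVE makes the unmeshed call work again. Linkerd takes the opposite default: every injected pod gets mTLS automatically with no object to create, and `linkerd viz edges deploy -n <namespace>` shows which connections are secured.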