Penetration Testing and Best Practices for Securing Your Cluster
Protect Your Kubernetes Environment from Hackers with Expert Tips on Restricting Pod Communication, Seccomp Profiles, and Linux Capabilities Whitelist.
Excerpted from the article "Kubernetes Security: The Ultimate Guide to Penetration Testing and Best Practices for Securing Your Cluster". The manifests below cover:
- Pods
- Service
- Network Policy
- Seccomp Profiles
# The client
apiVersion: v1
kind: Pod
metadata:
  name: client
  labels:
    app: busybox   # label the pod-to-pod NetworkPolicy selects on
spec:
  containers:
    - name: busybox
      image: busybox
      command: ['sleep', '3600']
---
# The server
apiVersion: v1
kind: Pod
metadata:
  name: server
  labels:
    app: busybox   # label the pod-to-pod NetworkPolicy selects on
spec:
  containers:
    - name: busybox
      image: busybox
      command: ['httpd', '-f', '-h', '/var/www/']   # serve /var/www/ on port 80 in the foreground

# The Service
apiVersion: v1
kind: Service
metadata:
  name: httpd-service
spec:
  selector:
    app: httpd   # must match the labels carried by the backend (server) pod
  ports:
    - name: http
      port: 80

# The NetworkPolicy: isolates pods labelled app=busybox and only admits
# TCP/80 ingress from other pods with the same label (same namespace)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: pod-to-pod
spec:
  podSelector:
    matchLabels:
      app: busybox
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: busybox
      ports:
        - port: 80
          protocol: TCP
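To make the effect of the pod-to-pod policy concrete, here is an added example (not code from the original article) that applies the policy's selector and port semantics to constructed pod labels and reports which connections it admits. It assumes both pods carry the label app=busybox, which the policy's selectors require, and that all pods are in the policy's namespace.

```python
# Added example, not from the original article: a minimal evaluator for a
# single ingress NetworkPolicy, used to show what "pod-to-pod" actually allows.
# The policy dict below is the YAML manifest from the page parsed into Python.
POLICY = {
    "metadata": {"name": "pod-to-pod"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "busybox"}},
        "ingress": [
            {
                "from": [{"podSelector": {"matchLabels": {"app": "busybox"}}}],
                "ports": [{"port": 80, "protocol": "TCP"}],
            }
        ],
    },
}

# Constructed pod labels (assumption: the client and server pods are labelled
# app=busybox; the third pod has no labels and is therefore not isolated).
CLIENT = {"app": "busybox"}
SERVER = {"app": "busybox"}
UNLABELLED = {}


def selector_matches(selector, labels):
    """matchLabels semantics: every key/value pair in the selector must be
    present on the pod. An empty selector matches every pod."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def ingress_allowed(policy, src_labels, dst_labels, port, protocol="TCP"):
    """True if `policy` admits a connection from a pod with src_labels to a
    pod with dst_labels on port/protocol. Pods the policy does not select are
    not isolated by it (no other policy is modelled here), so they accept
    everything; selected pods only accept traffic matching an ingress rule."""
    spec = policy["spec"]
    if not selector_matches(spec["podSelector"], dst_labels):
        return True
    # An absent `ingress` key means the selected pods accept no ingress at all.
    for rule in spec.get("ingress", []):
        peers = rule.get("from", [])
        # No `from` list means any source; otherwise any listed peer may match.
        peer_ok = not peers or any(
            selector_matches(p.get("podSelector", {}), src_labels) for p in peers
        )
        ports = rule.get("ports", [])
        # No `ports` list means any port; protocol defaults to TCP.
        port_ok = not ports or any(
            p.get("port") == port and p.get("protocol", "TCP") == protocol for p in ports
        )
        if peer_ok and port_ok:
            return True
    return False


if __name__ == "__main__":
    checks = [
        ("client -> server TCP/80", CLIENT, SERVER, 80, "TCP"),
        ("unlabelled -> server TCP/80", UNLABELLED, SERVER, 80, "TCP"),
        ("client -> server TCP/8080", CLIENT, SERVER, 8080, "TCP"),
        ("client -> server UDP/80", CLIENT, SERVER, 80, "UDP"),
        ("client -> unlabelled TCP/22", CLIENT, UNLABELLED, 22, "TCP"),
    ]
    for label, src, dst, port, proto in checks:
        print(f"{label}: {'ALLOW' if ingress_allowed(POLICY, src, dst, port, proto) else 'DENY'}")
```

The last check is the caveat worth noticing: a pod that no policy selects stays wide open, so a "pod-to-pod" policy protects only the pods whose labels it matches.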

# Seccomp profile plus a capabilities whitelist
apiVersion: v1
kind: Pod
metadata:
  name: my-rebel-pod
spec:
  securityContext:
    seccompProfile:
      type: Localhost
      # path is relative to the kubelet's seccomp profile root
      # (<kubelet-root-dir>/seccomp/ by default) on the node
      localhostProfile: my-rebel-seccomp-profile.json
  containers:
    - name: my-rebel-container
      image: busybox
      command: ["sh", "-c", "echo Hello, World!"]
      securityContext:
        capabilities:
          drop:
            - ALL          # start from nothing ...
          add:
            - NET_ADMIN    # ... and add back only what the workload needs
            - SYS_TIME
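The pattern above (a non-Unconfined seccomp profile, drop ALL, add back a short list) is easy to check mechanically. The following is an added example, not code from the original article: an admission-style audit over the pod manifest above, parsed into a Python dict, beside a constructed non-compliant pod. The whitelist of capabilities is a hypothetical policy choice that happens to equal the two the manifest adds.

```python
# Added example, not from the original article: audit pod securityContext
# settings against a seccomp + capabilities whitelist policy.
# Hypothetical policy values (assumption, not from the page):
ALLOWED_CAPS = {"NET_ADMIN", "SYS_TIME"}
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}  # anything else is Unconfined or unset

# The manifest from the page, as the dict its YAML parses to.
REBEL_POD = {
    "metadata": {"name": "my-rebel-pod"},
    "spec": {
        "securityContext": {
            "seccompProfile": {"type": "Localhost", "localhostProfile": "my-rebel-seccomp-profile.json"}
        },
        "containers": [
            {
                "name": "my-rebel-container",
                "image": "busybox",
                "command": ["sh", "-c", "echo Hello, World!"],
                "securityContext": {"capabilities": {"drop": ["ALL"], "add": ["NET_ADMIN", "SYS_TIME"]}},
            }
        ],
    },
}

# Constructed counter-example: no seccomp profile, keeps the default capability
# set and adds SYS_ADMIN on top of it.
BAD_POD = {
    "metadata": {"name": "too-strong"},
    "spec": {
        "containers": [
            {
                "name": "app",
                "image": "busybox",
                "securityContext": {"capabilities": {"add": ["SYS_ADMIN", "NET_ADMIN"]}},
            }
        ]
    },
}


def audit_pod(pod, allowed_caps=ALLOWED_CAPS):
    """Return a list of findings for `pod`; an empty list means compliant."""
    findings = []
    pod_sc = pod["spec"].get("securityContext", {})
    for c in pod["spec"].get("containers", []):
        name = c["name"]
        sc = c.get("securityContext", {})
        # A container-level seccompProfile overrides the pod-level one.
        seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile")
        if not seccomp or seccomp.get("type") not in ALLOWED_SECCOMP:
            findings.append(f"{name}: no seccomp profile or Unconfined")
        elif seccomp["type"] == "Localhost" and not seccomp.get("localhostProfile"):
            findings.append(f"{name}: Localhost seccomp without localhostProfile")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            findings.append(f"{name}: does not drop ALL capabilities")
        extra = sorted(set(caps.get("add", [])) - allowed_caps)
        if extra:
            findings.append(f"{name}: adds non-whitelisted capabilities {extra}")
        if sc.get("privileged"):
            findings.append(f"{name}: runs privileged")
    return findings


if __name__ == "__main__":
    for pod in (REBEL_POD, BAD_POD):
        result = audit_pod(pod) or ["compliant"]
        print(pod["metadata"]["name"] + ":", "; ".join(result))
```

Run as a script it prints one line per pod; the same function is what an admission webhook or CI manifest linter would call before the pod is ever scheduled.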