Using CheatSheets To Apply Best Practices

Cheatsheet: Kubernetes Security

Cheatsheet: Kubernetes Security

1.1 Summary

Name Summary
Kubernetes RBAC Kubernetes API Security
Pod Security Policy enable fine-grained authorization of pod creation and updates.
Pod security context  
Admission Controls Intercepts requests to the Kubernetes API server prior to persistence of the object
Network security policy a specification of how groups of pods are allowed to communicate with each other.
Linux capabilities Allow you to break apart the power of root into smaller groups of privileges
Kubelet authentication/authorization  
AppArmor a Linux kernel security module: reduce application attack surface
Sandboxed Pods & gVisor  

1.2 Regulations

Name Summary
GDPR EU General Data Protection Regulation
PCI DSS Payment Card Industry Data Security Standard

1.3 Basic Concepts

Name Summary
IdM Identity Management
AuthN vs AuthZ Authentication vs Authorization
OAuth vs OpenID OAuth: Open Authorization; OpenID: an authentication mechanism
OAuth vs OAuth2  
Malware short for “malicious software”
virus Infects other programs, caryying out malicious missions
worm It doens’t need to infect another program. It performs and replicates by itself automatically
trojan horse A program that contains malware like a virus or worm
ransomware A link of attachment executes a malware to encrypt your system and demand a ransom
vishing A common type of social engineering that is done over the phone
phishing A common type of social engineering that fools you to respond to a malicious email
Data classifications levels Restricted, Private/Protected, Confidential, Public
PII Personally identifiable information

1.4 Security – PodSecurityPolicy

  • A PodSecurityPolicy is a cluster-level resource that controls security sensitive aspects of the pod specification.
Yaml Summary
podsecurity/securitycontext-user.yaml Configure userid, at both pod and container levels
podsecurity/podsecurity-privileged.yaml Create pod security with privileged access
podsecurity/podsecurity-restricted.yaml Create pod security with restricted access, then apply it later
podsecurity/podsecurity-enforce.yaml Enforce policy security by defining role and cluster role
podsecurity/podsecurity-advanced.yaml A more complicated definition of pod security policy
podsecurity/podsecurity-example.yaml A full example with everything included
Reference Link: Kubernetes Yaml Templates, Link: kubectl cheatsheet

1.5 Security – NetworkPolicy

1.6 Admission Controllers

  • An admission controller is a piece of code that intercepts requests to the Kubernetes API server prior to persistence of the object


Name Summary
Example: admission webhook GitHub: denyenv-validating-admission-webhook
Example: Admission controller for guarding namespace GitHub: k8s-namespace-guard

1.7 More Resources

License: Code is licensed under MIT License.


Leave a Reply

Your email address will not be published. Required fields are marked *