tam7t/securing-kubernetes.md

## securing-kubernetes.md

      
    Raw
  

              securing-kubernetes.md
            
          
    Resources for Securing Kubernetes

A work in progress collection of resources for securing a kubernetes cluster.
Architecture

A good understanding of the k8s architecture and automating operations of your
cluster is probably the best place to start:

https://github.com/kubernetes/kubernetes/blob/release-1.3/docs/design/security.md
https://github.com/kelseyhightower/kubernetes-the-hard-way

It should also be noted that the kubelet api has no authentications and allows for remote code execution (this is how kubectl exec works).

kubernetes/kubernetes#11816
http://kubernetes.io/docs/admin/master-node-communication/

Datastore


https://coreos.com/etcd/docs/latest/security.html
https://github.com/coreos/etcd/blob/master/Documentation/op-guide/security.md

Transport Security

Authorization


http://kubernetes.io/docs/admin/authorization/#rbac-mode

Image Registry


http://kubernetes.io/docs/user-guide/production-pods/#authenticating-with-a-private-image-registry
Image vulnerability management

https://jpetazzo.github.io/2015/05/27/docker-images-vulnerabilities/
https://github.com/coreos/clair


Runtime


https://docs.docker.com/engine/security/security/

Network Policies

Secret Storage


http://kubernetes.io/docs/user-guide/secrets/
http://kubernetes.io/docs/user-guide/secrets/#risks