Many day-to-day users of Kubernetes call it a win just to have their applications up and running without errors. Any further thought about best practices or security often gets pushed to the back burner. With a little extra hardening of a default Kubernetes cluster, its security posture can be significantly strengthened. Learning to store secrets properly, restricting open network paths between workloads, and building containers that are not over-privileged becomes a must when running production environments at scale.
This talk will focus on the insecure defaults present in a Kubernetes cluster and five practical measures that can be put in place to secure it. We'll look at etcd and how it stores the cluster's configuration data, including Secrets, which by default are only base64-encoded rather than encrypted at rest. We'll discuss unrestricted pod-to-pod access and how network policies limit it, as well as enforcing mutual TLS to encrypt internal traffic. Finally, we'll take a look at pod-level security and best practices at that layer, as well as securing access to the cluster itself with RBAC/ABAC. Users of Kubernetes will walk away with practical tools they can use immediately to tighten up the security of clusters in their own environments.
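The pod-level checks mentioned above are easiest to understand by looking at what an over-privileged pod spec contains and what a hardened one changes. The following is an added example, not material from the talk: a small Python linter that walks a pod manifest and reports settings a security reviewer would flag. The two manifests are constructed for illustration, and the rule set is an assumption on my part (it roughly follows the Pod Security Standards "restricted" profile, plus read-only root filesystem and no auto-mounted service account token as extra hardening), not the five measures the talk describes.

```python
"""Flag over-privileged settings in a Kubernetes Pod manifest (added example)."""
from typing import Any, Dict, List

# Constructed sample manifests; they are not taken from any real cluster.
OVER_PRIVILEGED_POD: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "debug-shell", "namespace": "default"},
    "spec": {
        "hostNetwork": True,          # shares the node's network namespace
        "hostPID": True,              # can see (and ptrace) node processes
        "containers": [{
            "name": "shell",
            "image": "busybox:1.36",
            "securityContext": {"privileged": True},   # effectively root on the node
        }],
    },
}

HARDENED_POD: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web", "namespace": "shop"},
    "spec": {
        "automountServiceAccountToken": False,        # no API credentials unless needed
        "securityContext": {
            "runAsNonRoot": True,
            "runAsUser": 10001,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [{
            "name": "web",
            "image": "nginxinc/nginx-unprivileged:1.25",
            "securityContext": {
                "allowPrivilegeEscalation": False,    # blocks setuid/file-cap escalation
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}

# Capabilities that give a container node-level reach if added back.
DANGEROUS_CAPS = {"SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_RAW"}
GOOD_SECCOMP = {"RuntimeDefault", "Localhost"}


def check_pod(pod: Dict[str, Any]) -> List[str]:
    """Return a list of human-readable findings; an empty list means the pod passes."""
    findings: List[str] = []
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")

    # Host namespace sharing defeats the isolation the pod boundary is meant to give.
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            findings.append(f"{name}: {flag} is enabled")

    # Kubernetes mounts a service account token by default; most workloads never use it.
    if spec.get("automountServiceAccountToken", True):
        findings.append(f"{name}: service account token is auto-mounted")

    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        cname = f"{name}/{c.get('name', '<unnamed>')}"
        if sc.get("privileged"):
            findings.append(f"{cname}: privileged container")
        # Pod-level settings apply unless the container overrides them.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            findings.append(f"{cname}: runAsNonRoot is not set")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{cname}: allowPrivilegeEscalation is not disabled")
        if not sc.get("readOnlyRootFilesystem", False):
            findings.append(f"{cname}: root filesystem is writable")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            findings.append(f"{cname}: capabilities are not dropped (drop: [ALL] missing)")
        for cap in caps.get("add", []):
            if cap in DANGEROUS_CAPS:
                findings.append(f"{cname}: adds dangerous capability {cap}")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {}))
        if seccomp.get("type") not in GOOD_SECCOMP:
            findings.append(f"{cname}: no seccomp profile (RuntimeDefault or Localhost)")
    return findings


if __name__ == "__main__":
    for pod in (OVER_PRIVILEGED_POD, HARDENED_POD):
        result = check_pod(pod)
        print(pod["metadata"]["name"], "->", result or "OK")
```

The same rules are what an admission controller (Pod Security Admission or a policy engine) enforces at the API server; running them over manifests in CI catches the problem before the workload is ever scheduled.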