Work in progress...
Few security best practices are in place by default in a Kubernetes cluster or in a container image; this page lists what you need to do yourself to harden them, from the image build up to the GKE and Anthos Service Mesh layers.
- Multistage container build
- Minimal base image (alpine, distroless)
- Vulnerability scanning of images (in CI and in the registry)
- Non-root user
- Pod Security Admission (PSA) enforcing the restricted profile
- seccomp profile (RuntimeDefault at minimum)
- Restrictive securityContext (no privilege escalation, all capabilities dropped, read-only root filesystem)
- Set Pod resource requests and limits
- Istio CNI
- Distroless sidecar proxy image
- PeerAuthentication with mTLS mode STRICT
- AuthorizationPolicies (deny by default, then explicit allows)
- Ingress Gateway
- Deny all ingress and egress per namespace
- Add fine-grained ingress and egress rules per Pod
- OPA Gatekeeper
- Kyverno
- Private API server endpoint
- De-privilege default node service accounts
- Private nodes with Cloud NAT for egress
- Shielded nodes
- Confidential nodes
- Container-Optimized OS with containerd (cos_containerd) node image
- Node auto-upgrade
- Workload Identity to bridge Kubernetes IAM with Google Cloud IAM
- Encrypt Kubernetes Secrets at the application layer (envelope encryption of etcd with Cloud KMS)
- Dataplane V2 with NetworkPolicy logging
- Protect public ingress with Cloud Armor (DDoS protection and WAF) and Google-managed certificates
- Managed control plane and data plane for Anthos Service Mesh
- Security Posture dashboard (workload configuration audit and container image vulnerability scanning)
- Anthos Security Insights dashboard
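The items "PSA", "seccomp profile", "Restrictive securityContext", "Non-root user" and "Set Pod resource requests and limits" all land in the same two manifests. The example below is added here and is not from the original page: the `payments` namespace, the `api` workload, its service account and the `registry.example.com/payments/api:1.4.2` image are hypothetical. The namespace labels make PSA reject any Pod that does not meet the restricted profile, and the Pod spec is the minimum that passes it.

```yaml
# Namespace enforcing the "restricted" Pod Security Standard via PSA.
# "enforce" blocks the Pod; "warn" and "audit" only report, useful for rollout.
apiVersion: v1
kind: Namespace
metadata:
  name: payments                          # hypothetical namespace
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
# Pod that satisfies the restricted profile.
apiVersion: v1
kind: Pod
metadata:
  name: api
  namespace: payments
  labels:
    app: api
spec:
  serviceAccountName: api                 # dedicated SA, never "default"
  automountServiceAccountToken: false     # no API token in the pod unless the app needs one
  securityContext:
    runAsNonRoot: true                    # kubelet refuses to start a root image
    runAsUser: 65532                      # the distroless "nonroot" uid
    runAsGroup: 65532
    fsGroup: 65532
    seccompProfile:
      type: RuntimeDefault                # required by "restricted"; use Localhost for a custom profile
  containers:
  - name: api
    image: registry.example.com/payments/api:1.4.2   # hypothetical; pin by digest in production
    ports:
    - containerPort: 8080                 # bind above 1024 so no capability is needed
    securityContext:
      allowPrivilegeEscalation: false     # blocks setuid binaries from gaining privileges
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]                     # "restricted" only allows adding back NET_BIND_SERVICE
    resources:
      requests:
        cpu: 100m
        memory: 128Mi
      limits:                             # limits bound a compromised container's blast radius
        cpu: 500m
        memory: 256Mi
    volumeMounts:
    - name: tmp
      mountPath: /tmp                     # scratch space, since the root filesystem is read-only
  volumes:
  - name: tmp
    emptyDir: {}
```

One caveat ties this to the "Istio CNI" item: the classic injected `istio-init` container runs as root with `NET_ADMIN` and `NET_RAW` to set up the iptables redirect, which the restricted profile rejects. With Istio CNI that work moves to a node-level agent, so a sidecar-injected Pod can stay in a restricted namespace.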
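"PeerAuthentication with mTLS mode STRICT" and "AuthorizationPolicies" work together: STRICT gives every request an authenticated SPIFFE identity, and the authorization policies then decide what that identity may call. The manifests below are an added example, not from the original page; `payments`, `app: api`, `app: db`, the `api` service account and the `istio-ingress/istio-ingressgateway` service account are assumptions.

```yaml
# Mesh-wide: every sidecar accepts mTLS only. A namespace-level PeerAuthentication
# with mode PERMISSIVE can still relax this while workloads are migrated into the mesh.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system               # the mesh root namespace
spec:
  mtls:
    mode: STRICT
---
# Deny by default in the namespace: an AuthorizationPolicy with an empty spec is an
# ALLOW policy that matches nothing, so once it exists every request that no other
# ALLOW policy matches is rejected with 403 (HTTP) or a reset (TCP).
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: payments
spec: {}
---
# Only the ingress gateway's identity may call the api workload, and only its public paths.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: api-allow-from-ingress-gateway
  namespace: payments
spec:
  selector:
    matchLabels:
      app: api
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/istio-ingress/sa/istio-ingressgateway"]  # assumed gateway SA
    to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/api/*"]
---
# Service to service: only api may open connections to db.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: db-allow-from-api
  namespace: payments
spec:
  selector:
    matchLabels:
      app: db
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/payments/sa/api"]
```

Two caveats. `source.principals` is only populated when the connection arrived over mTLS, so a PERMISSIVE namespace receiving plaintext traffic is silently denied by these rules; that is one more reason to reach STRICT before relying on identity-based authorization. And on Anthos Service Mesh the trust domain is not `cluster.local` but `PROJECT_ID.svc.id.goog` (the same identity pool Workload Identity uses), so principals must be written with that prefix or the policy never matches.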
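For "OPA Gatekeeper" and "Kyverno", one policy engine is enough; the example below uses Kyverno because its rules are plain YAML. It is an added example, not from the original page or from the Kyverno project, and encodes three items from the list above (pinned images, resource limits, the restricted profile) as admission rules. The equivalent on Gatekeeper would be a ConstraintTemplate written in Rego, not shown here.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-hardened-workloads
spec:
  validationFailureAction: Enforce      # start with Audit to see what would be blocked
  background: true                      # also report existing resources that violate
  rules:
  # Catches "image: repo/app" (implicit :latest): the image must contain a tag or digest separator.
  - name: require-image-tag
    match:
      any:
      - resources:
          kinds: ["Pod"]
    validate:
      message: "Images must be pinned to a tag or digest."
      pattern:
        spec:
          containers:
          - image: "*:*"
  # Catches an explicit ":latest" tag.
  - name: disallow-latest-tag
    match:
      any:
      - resources:
          kinds: ["Pod"]
    validate:
      message: "The ':latest' tag is mutable and not allowed."
      pattern:
        spec:
          containers:
          - image: "!*:latest"
  # "?*" means: the field must be present with a non-empty value.
  - name: require-resource-limits
    match:
      any:
      - resources:
          kinds: ["Pod"]
    validate:
      message: "Every container must set CPU and memory limits."
      pattern:
        spec:
          containers:
          - resources:
              limits:
                cpu: "?*"
                memory: "?*"
  # Same checks as PSA's restricted profile, but with the ability to exclude namespaces
  # and to report violations of already-running Pods through Kyverno's PolicyReports.
  - name: enforce-restricted-pod-security
    match:
      any:
      - resources:
          kinds: ["Pod"]
    exclude:
      any:
      - resources:
          namespaces: ["kube-system"]
    validate:
      podSecurity:
        level: restricted
        version: latest
```

Rules that match `Pod` are auto-generated by Kyverno for Deployments, StatefulSets, DaemonSets, Jobs and CronJobs as well, so the failure is reported on the controller object a developer actually applies rather than on a Pod that silently never appears. Image pinning also matters for "Vulnerability scanning of images": a scan result is only meaningful for the exact digest that runs.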