mathieu-benoit/kubernetes-security
Work in progress...

There are not that many security best practices in place by default for your Kubernetes clusters and your containers; let's see what you need to do yourself to mitigate this.

Containers

  • Multistage container build
  • Minimal base image (alpine, distroless)
  • Vulnerabilities scanning
  • Non-root user

Kubernetes

  • PSA
  • SecComp profile
  • Restrict privileges via the Pod/container Security Context
  • Set Pod resource requests and limits
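The four Kubernetes items above fit together in one manifest: a namespace that enforces the PSA `restricted` profile, and a Pod whose Security Context (non-root, RuntimeDefault seccomp, no privilege escalation, all capabilities dropped) and resource limits satisfy it. This is an added example, not a manifest from this repository; the namespace, Pod and container names are assumed, and the image is a distroless placeholder.

```yaml
# Namespace: Pod Security Admission enforces the "restricted" profile,
# and also warns/audits so violations are visible before they are blocked.
apiVersion: v1
kind: Namespace
metadata:
  name: example-app            # assumed name
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
# Pod: a Security Context that passes the "restricted" checks, plus limits.
apiVersion: v1
kind: Pod
metadata:
  name: example-app            # assumed name
  namespace: example-app
spec:
  automountServiceAccountToken: false   # no API token unless the app needs one
  securityContext:
    runAsNonRoot: true                  # rejected at admission if image runs as UID 0
    runAsUser: 65532                    # "nonroot" UID used by distroless images
    runAsGroup: 65532
    seccompProfile:
      type: RuntimeDefault              # container runtime's default seccomp profile
  containers:
  - name: app
    image: gcr.io/distroless/static:nonroot   # placeholder distroless image
    securityContext:
      allowPrivilegeEscalation: false   # blocks setuid binaries gaining privileges
      readOnlyRootFilesystem: true      # writable paths must be explicit volumes
      capabilities:
        drop: ["ALL"]                   # restricted profile requires dropping ALL
    resources:
      requests:
        cpu: 100m
        memory: 64Mi
      limits:
        cpu: 250m
        memory: 128Mi                   # bounds the blast radius of a runaway container
```

A Pod in this namespace that omits `runAsNonRoot`, keeps capabilities or sets `privileged: true` is rejected by the admission controller rather than scheduled.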

Istio

  • Istio CNI
  • Distroless sidecar proxy image
  • mTLS STRICT
  • AuthorizationPolicies
  • Ingress Gateway

Kubernetes NetworkPolicies

  • Deny all ingress and egress per namespace
  • Add fine granular ingress and egress access per Pod

Kubernetes Policies

  • OPA Gatekeeper
  • Kyverno

Google Kubernetes Engine (GKE)

  • Private API server endpoint
  • De-privilege default node service accounts
  • Private nodes with Cloud NAT for egress
  • Shielded nodes
  • Confidential nodes
  • COS (containerd) node image
  • Node auto-update
  • Workload Identity to bridge Kubernetes IAM with Google Cloud IAM
  • Encrypt etcd
  • Dataplane V2 with NetworkPolicies logging
  • Protect public ingress with Cloud Armor (DDoS and WAF) and Managed Certificates
  • Managed control plane and data plane for Anthos Service Mesh
  • Security Posture dashboard (container configurations and images scanning)
  • Anthos Security Insights dashboard

Resources