Many day-to-day users of Kubernetes call it a win just to have their applications successfully up-and-running without any errors. Any further thoughts of best practices or security often gets pushed to the back burner. With a little extra grooming of a default Kubernetes cluster, its security posture can be significantly strengthened. Learning to store secrets properly, limiting open networks and constructing containers that aren’t over-privileged becomes a must when dealing with production environments at scale. This talk will focus around the default insecurities present in a Kubernetes cluster and 5 practical implementations that can be put in place to secure it. We’ll look at etcd and how it stores the cluster’s configuration data, including insecure secrets. We’ll discuss unrestricted pod-to-pod access and network policies, as well as enforcement of mutual TLS to encrypt internal traffic. Finally, we’ll take a look at pod-level security and best practices on that level, as well as securing access and RBAC/ABAC into the cluster itself. Users of Kubernetes will walk away with practical tools they can use immediately to tighten up the security of clusters in their own environments.
Presented by: Teleport