
Azure Kubernetes Service – Enhanced Kubernetes cluster pod security baseline standards for Linux-based workloads


This example builds on the existing Pod Security baseline with enhancements, and provides a way to manage the initiative as code using GitHub Actions. (You can also create the initiative manually, but this guide does not include instructions for a manual workflow.)

Review the example here https://github.com/jsa2/AKSPodSecurity

Mapping to Azure Policy and specification

The table below lists each baseline requirement, the pod spec path it applies to, and example healthy and unhealthy settings.

Requirement: Pods should run as non-root / non-privileged
Spec path: spec.securityContext
Setting: privileged: false
         allowPrivilegeEscalation: false

Requirement: Pod filesystem access should be read-only, or writes limited to specified paths
Spec path: spec.securityContext
Setting: readOnlyRootFilesystem: true

Requirement: Pod actions should be limited with AppArmor
Spec path: metadata.annotations
Setting: container.apparmor.security.beta.kubernetes.io/v5: runtime/default

Requirement: Pod should not automatically mount API credentials
Spec path: spec
Setting: automountServiceAccountToken: false

Requirement: Pod hostPath mounts should only allow predefined mounts, and preferably should not be used at all (by default Azure Policy audits all hostPath mounts as non-compliant; to block hostPath mounts the policy needs to be changed)
Spec path: spec.volumes
Setting: hostPath: <only the allowed values defined in Azure Policy>

Requirement (Microsoft documentation, direct reference): To protect against privilege escalation outside the container, avoid pod access to sensitive host namespaces (host process ID and host IPC) in a Kubernetes cluster.
Spec path: spec.hostPID
Setting: should not be set to 'true'

Requirement (Microsoft documentation, direct reference): Pods created with the hostNetwork attribute enabled will share the node's network space. To avoid a compromised container sniffing network traffic, we recommend not putting your pods on the host network.
Spec path: hostNetwork attribute
Setting: should not be set to 'true'
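The following is an added example, not code from the original post or from the linked repository: a small offline audit that mirrors the table rows above against a pod manifest (as a Python dict, e.g. loaded from YAML) and reports which baseline rules it violates. The `audit_pod` function, the `allowed_host_paths` parameter and the two sample manifests are assumptions constructed for this example; the Azure Policy initiative remains the actual enforcement point.

```python
from typing import Any, Dict, List, Sequence

# Annotation key prefix from the table; the suffix is the container name.
APPARMOR_PREFIX = "container.apparmor.security.beta.kubernetes.io/"


def audit_pod(pod: Dict[str, Any], allowed_host_paths: Sequence[str] = ()) -> List[str]:
    """Return one finding per baseline rule the pod violates (empty list = compliant)."""
    findings: List[str] = []
    spec = pod.get("spec", {})
    annotations = pod.get("metadata", {}).get("annotations", {})
    for c in spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        if sc.get("privileged", False):
            findings.append(f"{name}: privileged must be false")
        # Kubernetes defaults allowPrivilegeEscalation to true, so absence is a violation.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation must be false")
        if not sc.get("readOnlyRootFilesystem", False):
            findings.append(f"{name}: readOnlyRootFilesystem must be true")
        if annotations.get(APPARMOR_PREFIX + name) != "runtime/default":
            findings.append(f"{name}: AppArmor annotation must be runtime/default")
    # Token automount defaults to true, so the pod must opt out explicitly.
    if spec.get("automountServiceAccountToken", True):
        findings.append("automountServiceAccountToken must be false")
    for v in spec.get("volumes", []):
        path = v.get("hostPath", {}).get("path")
        if path is not None and path not in allowed_host_paths:
            findings.append(f"volume {v.get('name')}: hostPath {path} not in allow-list")
    for key in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(key, False):
            findings.append(f"{key} must not be true")
    return findings


# Constructed sample manifests (not taken from the post).
HARDENED_POD = {
    "metadata": {"annotations": {APPARMOR_PREFIX + "app": "runtime/default"}},
    "spec": {
        "automountServiceAccountToken": False,
        "containers": [{"name": "app", "securityContext": {
            "privileged": False, "allowPrivilegeEscalation": False,
            "readOnlyRootFilesystem": True}}],
        "volumes": [{"name": "scratch", "emptyDir": {}}],
    },
}
WEAK_POD = {
    "metadata": {},
    "spec": {
        "hostPID": True,
        "containers": [{"name": "app", "securityContext": {"privileged": True}}],
        "volumes": [{"name": "logs", "hostPath": {"path": "/var/log"}}],
    },
}
```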
