AKS Azure

Azure Kubernetes Service – Enhanced Kubernetes cluster pod security baseline standards for Linux-based workloads

img

This example builds upon existing Pod Security baseline with enhancements, and provides means to manage the initiative as code using GitHub actions. (You can also create manually the initiative, but this guide does not have instructions for manual workflow)

Review the example here https://github.com/jsa2/AKSPodSecurity

Mapping to Azure Policy and specification

The below table highlights healthy, and un-healthy settings examples spec

itemstatusYAML
Pods should run as non-root /non-privilegedspec.securityContext
privileged: false
runAsNonRoot:true
allowPrivilegeEscalation: false
Pod Filesystem access should be read-only or limited only for specifed writesspec.securityContext
readOnlyRootFilesystem: true
Pod actions should be limited with appArmormetadata.annotations
container.apparmor.security.beta.kubernetes.io/v5: runtime/default
Pod should be disabled for automation of API credentialsspec
automountServiceAccountToken: false
Pod hostPath mounts should only allow predefined mounts, and preferably not used at all (By default Azure Policy audits all hostPath mounts as non compliant, to block hostPath mounts the policy needs to be changed)spec.Volumes
hostPath: <Only allowed values here defined in Azure Policy>
MS direct reference To protect against privilege escalation outside the container, avoid pod access to sensitive host namespaces (host process ID and host IPC) in a Kubernetes cluster.Should not define use of ’true’ in following settings spec.hostPID
hostPID:
spec.hostIPC
hostIPC:
MS direct reference Pods created with the hostNetwork attribute enabled will share the node’s network space. To avoid compromised container from sniffing network traffic, we recommend not putting your pods on the host networkShould not define use of ’true’ in following settings
spec
hostNetwork:

0 comments on “Azure Kubernetes Service – Enhanced Kubernetes cluster pod security baseline standards for Linux-based workloads

Vastaa

Täytä tietosi alle tai klikkaa kuvaketta kirjautuaksesi sisään:

WordPress.com-logo

Olet kommentoimassa WordPress.com -tilin nimissä. Log Out /  Muuta )

Google photo

Olet kommentoimassa Google -tilin nimissä. Log Out /  Muuta )

Twitter-kuva

Olet kommentoimassa Twitter -tilin nimissä. Log Out /  Muuta )

Facebook-kuva

Olet kommentoimassa Facebook -tilin nimissä. Log Out /  Muuta )

Muodostetaan yhteyttä palveluun %s

%d bloggaajaa tykkää tästä: