Výchozí konfigurace Kubernetes není bezpečná. RBAC, network policies, pod security standards — minimum pro produkci.
RBAC¶
apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: app-reader rules: - apiGroups: [“”] resources: [“pods”, “services”] verbs: [“get”, “list”]
apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: app-reader-binding subjects: - kind: ServiceAccount name: app-sa roleRef: kind: Role name: app-reader
Pod Security¶
apiVersion: v1 kind: Pod spec: securityContext: runAsNonRoot: true seccompProfile: type: RuntimeDefault containers: - name: app securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true capabilities: drop: [“ALL”]
Network Policies¶
apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: deny-all spec: podSelector: {} policyTypes: [Ingress, Egress]
Key Takeaway¶
RBAC, network policies, pod security standards, secrets encryption. Audit s kube-bench.