Know-How
Kubernetes Security Hardening
Výchozí konfigurace Kubernetes není bezpečná. RBAC, network policies, pod security standards — minimum pro produkci.
RBAC
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: app-reader
rules:
- apiGroups: [""]
resources: ["pods", "services"]
verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: app-reader-binding
subjects:
- kind: ServiceAccount
name: app-sa
roleRef:
kind: Role
name: app-reader
Pod Security
apiVersion: v1
kind: Pod
spec:
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
containers:
- name: app
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop: ["ALL"]
Network Policies
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-all
spec:
podSelector: {}
policyTypes: [Ingress, Egress]
Klíčový takeaway
RBAC, network policies, pod security standards, secrets encryption. Audit s kube-bench.