What security tests need to be done when moving to k8s

Introduction

Here I want to share the cyber security test method my company uses when moving to k8s.

If you use k8s correctly, the cyber security risk will be lower than in a traditional IDC.
PS: if you find that the difference between them is slight, your company's use of k8s, or its security policy, is probably wrong.

Infrastructure security

This part covers the security of k8s itself: endpoint security and the security of its plugins (components).

Core components

| component_name | use        | open port | visit url                  | version |
|----------------|------------|-----------|----------------------------|---------|
| API Server     | API server | 8443      | https://example.com:8443/  | 2.0     |

Third-party components

| component_name | use        | open port | visit url                  | version |
|----------------|------------|-----------|----------------------------|---------|
| API Server     | API server | 8443      | https://example.com:8443/  | 3.0     |

Application (support) component and service security

  1. Check for weak default credentials.
  2. Check whether the system has known vulnerabilities (CVEs).
  3. Check the network policy for excessive authority:
    • crossing namespaces
    • access to the k8s management server

Many supporting systems (DevOps, monitoring, big data infrastructure such as Hadoop) will be deployed on k8s,
so you need to check whether their configuration is secure.

DevOps

| system_name | use     | change credential or not | visit url                   | version |
|-------------|---------|--------------------------|-----------------------------|---------|
| jenkins     | jenkins | yes/no                   | https://jenkins.example.com | 4.0     |

Big data

| system_name | use    | change credential or not | visit url                  | version |
|-------------|--------|--------------------------|----------------------------|---------|
| hadoop      | hadoop | yes/no                   | https://hadoop.example.com | 1.0     |

Network security policy

There are two rules:

  1. Pods are banned from connecting to the public network by default.
  2. Pods in different namespaces cannot connect to each other by default.

Of course, some servers cannot be deployed on k8s for many reasons,
so the network policy covering them should be handled carefully.
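As an added example (not part of the original post), here are two NetworkPolicy manifests that implement the two default rules for a hypothetical namespace named payments. The kube-system namespace label and the k8s-app: kube-dns pod label are the standard ones set by Kubernetes and kube-dns/CoreDNS; the private address ranges are assumed to be where the company's internal servers live.

```yaml
# Added example, not from the original post. Two NetworkPolicy objects for a
# hypothetical namespace "payments" that implement the two default rules above.
# They only take effect on a CNI that enforces NetworkPolicy (e.g. Calico, Cilium).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-cross-namespace-ingress
  namespace: payments
spec:
  podSelector: {}            # empty selector: applies to every pod in the namespace
  policyTypes: [Ingress]
  ingress:
    - from:
        - podSelector: {}    # no namespaceSelector: same-namespace pods only
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-public-egress
  namespace: payments
spec:
  podSelector: {}
  policyTypes: [Egress]
  egress:
    # Keep cluster DNS working (kube-dns/CoreDNS lives in kube-system).
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - { protocol: UDP, port: 53 }
        - { protocol: TCP, port: 53 }
    # Allow only private (RFC 1918) destinations; public Internet ranges are absent,
    # so any connection to them is dropped by default.
    - to:
        - ipBlock: { cidr: 10.0.0.0/8 }
        - ipBlock: { cidr: 172.16.0.0/12 }
        - ipBlock: { cidr: 192.168.0.0/16 }
```

After applying the manifests with kubectl apply -f, verify from a pod in the namespace that a connection to a public address times out while an in-namespace service still resolves and answers.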

User credential check

  1. Passwords should have complexity requirements.
  2. The SSO server (LDAP) should log user logins (IP, time, UA).

k8s core endpoint monitoring

If k8s is compromised, all the pods can be taken over, so monitoring the k8s core endpoints is quite important, especially the API server endpoint.