Update Security.md
Parent: 5ec55f5e52
Commit: 69e119e945
60
Security.md
@ -24,24 +24,26 @@ The severity or importance of each topic is indicated by an emoji in the topic n
|
||||||
|
|
||||||
.
|
.
|
||||||
├── Separating environments
|
├── Separating environments
|
||||||
|
├── Setting up environments
|
||||||
|
│ ├── Setting up/ Validating virtual network
|
||||||
|
│ ├── Provisioning clusters
|
||||||
├── Securing a cluster
|
├── Securing a cluster
|
||||||
│ ├── Securing endpoints for api server and cluster nodes
|
│ ├── Securing endpoints for api server and cluster nodes
|
||||||
│ ├── Securing serviceAccounts and secrets
|
│ ├── Ensuring authentication and authorization
|
||||||
│ ├── Securing communication paths
|
│ ├── Setting up & keeping least privileged access for common tasks
|
||||||
│ ├── Monitoring and Auditing of security relevant events
|
│ ├── Create administrative boundaries(namespaces) between resources as sample
|
||||||
|
│ ├── Securing communication paths between namespaces (and nodes)
|
||||||
|
│ ├── Continous Monitoring and Auditing of security relevant events
|
||||||
│ ├── Running benchmarks and tests to validate cluster setup
|
│ ├── Running benchmarks and tests to validate cluster setup
|
||||||
|
│ ├── Regular maintenance, security and cleanup tasks
|
||||||
│ ├── Configuration best practices
|
│ ├── Configuration best practices
|
||||||
├── Ensuring authentication and authorization
|
|
||||||
│ ├── Configuring RBAC
|
|
||||||
│ ├── Service accounts
|
|
||||||
│ ├── Automating setup/ maintenance tasks
|
|
||||||
├── Securing workloads
|
├── Securing workloads
|
||||||
|
│ ├── DenyEscalatingExec, Pod identities, security contexts and pod security policies
|
||||||
|
│ ├── Securing serviceAccounts and secrets
|
||||||
|
│ ├── Network segmentation (Ingress/ Egress)
|
||||||
│ ├── Secure images and admission controller
|
│ ├── Secure images and admission controller
|
||||||
│ ├── Pod identities, security contexts and pod security policies
|
│ ├── Container sandboxes
|
||||||
│ ├── Network segmentation
|
│ ├── Managing secrets and privileged information
|
||||||
├── Special topics
|
|
||||||
│ ├── Private clusters?
|
|
||||||
│ ├── Forced tunneling
|
|
||||||
└── Links
|
└── Links
|
||||||
|
|
||||||
## Separating environments
|
## Separating environments
|
||||||
|
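Review bot: the added "Continous Monitoring and Auditing of security relevant events" entry misspells "Continuous", and "Create administrative boundaries(namespaces) between resources as sample" wants a space before the parenthesis and reads awkwardly ("as an example" or drop the trailing phrase). The restructured tree also drops the whole "Special topics" branch ("Private clusters?", "Forced tunneling") without a replacement entry for private clusters, while it still lists "Ensuring authentication and authorization" under "Securing a cluster" even though the matching "## Ensuring Authentication/ Authorization" body section is removed further down in this commit; either keep a private-clusters entry under the new "Setting up environments" branch or note in the commit message that the topic is intentionally out of scope. Under "Securing workloads", the added "Securing serviceAccounts and secrets" and "Managing secrets and privileged information" overlap; one entry for secrets handling would be clearer.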
@ -49,44 +51,48 @@ The severity or importance of each topic is indicated by an emoji in the topic n
|
||||||
> Concepts that can be applied to ensure security isolation for different workloads
|
> Concepts that can be applied to ensure security isolation for different workloads
|
||||||
> Separating Subscriptions, Resource Groups, Azure RBAC, Service Accounts and Secrets
|
> Separating Subscriptions, Resource Groups, Azure RBAC, Service Accounts and Secrets
|
||||||
|
|
||||||
- [ ] :fire: Cluster vs Namespace isolation
|
- [ ] :fire: Cluster vs Nodes vs Namespace isolation
|
||||||
- [ ] :fire: Azure service principals and MSI
|
- [ ] :fire: Azure service principals and MSI
|
||||||
- [ ] :cloud: Dedicated nodes / hyper-v isolation on Nodes
|
- [ ] :cloud: Dedicated nodes / hyper-v isolation on Nodes
|
||||||
|
|
||||||
|
## Setting up environments
|
||||||
|
|
||||||
|
>
|
||||||
|
|
||||||
|
- [ ] :fire: Inbound/ Outbound traffic (Forced Tunneling)
|
||||||
|
- [ ] :fire: Setting up RBAC
|
||||||
|
|
||||||
## Securing a cluster
|
## Securing a cluster
|
||||||
|
|
||||||
> Understanding the cluster attack surface
|
> Understanding the cluster attack surface
|
||||||
> Securing Service Accounts and secrets
|
> Concepts that can be applied to configure and bootstrap authentication in azure
|
||||||
|
> Minimizing the blast radius by applying least priviliges inside and outside the cluster
|
||||||
> Securing and maintaining host vms
|
> Securing and maintaining host vms
|
||||||
> Monitoring and securing security events and logs
|
> Monitoring and securing security events and logs
|
||||||
|
|
||||||
- [ ] :boom: Master Endpoint security in AKS / ACS-Engine
|
- [ ] :boom: Master Endpoint security in AKS / ACS-Engine
|
||||||
- [ ] :boom: Securing access to host vms
|
- [ ] :boom: Securing access to host vms
|
||||||
|
- [ ] :boom: Configure RBAC
|
||||||
|
- [ ] :boom: Continous security using tools like Aqua, NeuVektor, Twistlock, SysDig
|
||||||
|
- [ ] :boom: Configure "dev" namespaces with permissions, rolebindings resource quotas and users
|
||||||
- [ ] :boom: Upgrading and mainting hosts, apparmor, linux capabilities filter, os security patching
|
- [ ] :boom: Upgrading and mainting hosts, apparmor, linux capabilities filter, os security patching
|
||||||
- [ ] :fire: Evaluation of security benchbmarks like KubeBench / CSI
|
- [ ] :fire: Evaluation of security benchbmarks like KubeBench / CSI
|
||||||
|
- [ ] :cloud: Maintenance of certificate and key rotation, cleanup of docker registry
|
||||||
- [ ] :cloud: Security Impact of activating addons and dashboard
|
- [ ] :cloud: Security Impact of activating addons and dashboard
|
||||||
- [ ] :cloud: Encrypted service to service communication
|
- [ ] :cloud: Encrypted service to service communication across nodes
|
||||||
- [ ] :cloud: Service Endpoints for PaaS Service lockdown
|
- [ ] :cloud: Service Endpoints for PaaS Service lockdown
|
||||||
|
|
||||||
|
|
||||||
## Ensuring Authentication/ Authorization
|
|
||||||
|
|
||||||
> Concepts that can be applied to configure and bootstrap authentication in azure
|
|
||||||
> Understanding Azure AD setup and the risk impact on security
|
|
||||||
> Minimizing the blast radius by applying least priviliges inside and outside the cluster
|
|
||||||
|
|
||||||
- [ ] :fire: Azure AD Service Accounts and Groups
|
|
||||||
- [ ] :fire: Maintaining Secrets
|
|
||||||
|
|
||||||
## Securing Workloads
|
## Securing Workloads
|
||||||
|
|
||||||
> Understanding the attack surface from container images and laying out Microsoft 1st party and ecosystem options
|
> Understanding the attack surface from container images and laying out Microsoft 1st party and ecosystem options
|
||||||
> Defining Pod security and ensuring minimal attack surface and good security default on apps
|
> Defining Pod security and ensuring minimal attack surface and good security default on apps
|
||||||
> Isolating ingoing and outgoing traffic and monitoring relevant behaviour
|
> Isolating ingoing and outgoing traffic and monitoring relevant behaviour
|
||||||
|
|
||||||
- [ ] :fire: Image scanning in azure container registry and third party products like Twistlock, Neuvektor and Aqua
|
- [ ] :fire: Image scanning in azure container registry, ValidatingAdmissionWebhook and third party products like Twistlock, Neuvektor and Aqua
|
||||||
- [ ] :cloud: Ensuring adimission controllers/ pod security policies, privileged pods, runasroot, volumes, fsGroups, hostports on AKS / ACS-Engine
|
- [ ] :cloud: Ensuring DenyEscalatingExec adimission controllers/ pod security policies, privileged pods, runasroot, volumes, fsGroups, hostports on AKS / ACS-Engine
|
||||||
- [ ] :cloud: Capabilities of filtering network traffic with policies, azure firewall or network appliances
|
- [ ] :cloud: Capabilities of filtering network traffic with policies, azure firewall or network appliances
|
||||||
|
- [ ] :cloud: Container sandboxes, gVisor, kataContainers
|
||||||
|
- [ ] :fire: Maintaining secrets in HashiCorpVaul, Azure KeyVault, Azure KMS Plugin
|
||||||
|
|
||||||
## Links
|
## Links
|
||||||
> Good documentation that should be references
|
> Good documentation that should be references
|
||||||
|
|
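Review bot: the new "## Setting up environments" section has an empty ">" description line, and its two bullets ("Inbound/ Outbound traffic (Forced Tunneling)", "Setting up RBAC") do not match the table-of-contents entries added for that section ("Setting up/ Validating virtual network", "Provisioning clusters"); either fill in the description and align the bullets with the TOC, or drop the TOC entries. "Setting up RBAC" here also duplicates the new "Configure RBAC" bullet under "Securing a cluster", so keep only one, and the removed "Azure AD Service Accounts and Groups" bullet has no counterpart in the new text while "Understanding Azure AD setup and the risk impact on security" is dropped rather than moved. Spelling in the added or moved lines: "priviliges" should be "privileges", "adimission" should be "admission", "Continous" should be "Continuous", "HashiCorpVaul" should be "HashiCorp Vault", and the vendor name is "NeuVector" (the file currently has both "NeuVektor" and "Neuvektor").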