Hardening
Hardening guide:
- Close unused ports on control-plane and worker nodes; in particular, do not expose etcd or the kubelet to untrusted networks.
- Enable the NodeRestriction admission plugin so that each kubelet can only modify its own Node object and the Pods bound to that node (kube-apiserver `--enable-admission-plugins=...,NodeRestriction` together with `--authorization-mode=Node,RBAC`).
- Don't allow anonymous requests to the API server (`--anonymous-auth=false`).
- Avoid exposing the API server to the internet; reach it only from trusted networks.
- Set the pod-level securityContext (PodSecurityContext):
  - runAsNonRoot: true
  - runAsUser set to a non-zero UID (runAsNonRoot only rejects UID 0 at start-up; it does not choose a user for you)
  - Limit what the process can do with seLinuxOptions and seccompProfile (for example type: RuntimeDefault)
  - Do NOT grant privileged groups via runAsGroup or supplementalGroups (GID 0 in particular)
- Set the container-level securityContext (SecurityContext) on every container, init containers included:
  - allowPrivilegeEscalation: false
  - Drop the capabilities you don't need (capabilities.drop: ["ALL"], then add back only what the workload requires)
  - privileged: false
  - readOnlyRootFilesystem: true (if possible; mount an emptyDir for paths that must be writable)
  - runAsNonRoot: true and a non-zero runAsUser here as well, since container-level values override the pod-level ones
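The checklist above is easy to get wrong in practice because half of it lives at the pod level and half at the container level. The following is an added example, not code from the original page: a small audit function that takes a Pod spec as a plain dict (the same shape as the YAML manifest) and returns the checklist items it violates, run over a constructed weak spec and a constructed hardened one. The UID/GID 10001, the SELinux level and the image name are assumed values chosen for the example.

```python
"""Audit a Kubernetes Pod spec against the hardening checklist.

Added example (not the page's own code). The spec is passed as a dict with the
same field names as the manifest; both sample specs below are constructed here.
"""
from typing import Any


def pod_violations(pod_spec: dict[str, Any]) -> list[str]:
    """Return a list of human-readable findings; an empty list means the spec passes."""
    findings: list[str] = []
    psc = pod_spec.get("securityContext", {})  # pod-level PodSecurityContext

    if psc.get("runAsNonRoot") is not True:
        findings.append("pod.securityContext.runAsNonRoot is not true")
    if psc.get("runAsUser") in (None, 0):
        findings.append("pod.securityContext.runAsUser is unset or 0 (root)")
    # GID 0 is the root group; flag it whether it comes from runAsGroup or supplementalGroups.
    if psc.get("runAsGroup", 1) == 0 or 0 in psc.get("supplementalGroups", []):
        findings.append("pod.securityContext grants GID 0 via runAsGroup/supplementalGroups")
    if psc.get("seccompProfile", {}).get("type") not in ("RuntimeDefault", "Localhost"):
        findings.append("pod.securityContext.seccompProfile is not RuntimeDefault/Localhost")
    # seLinuxOptions only takes effect on SELinux-enforcing nodes, so it is not required here.

    # Init containers get the same scrutiny as regular ones; they run with the same privileges.
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        name = c.get("name", "?")
        sc = c.get("securityContext", {})  # container-level SecurityContext
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"container {name}: allowPrivilegeEscalation is not false")
        if sc.get("privileged") is True:
            findings.append(f"container {name}: privileged is true")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"container {name}: readOnlyRootFilesystem is not true")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            findings.append(f"container {name}: capabilities.drop does not include ALL")
        if caps.get("add"):
            findings.append(f"container {name}: adds capabilities {sorted(caps['add'])}, confirm each is needed")
        # Container-level values override the pod-level ones, so an explicit root here wins.
        if sc.get("runAsUser") == 0 or sc.get("runAsNonRoot") is False:
            findings.append(f"container {name}: explicitly runs as root")
    return findings


# Constructed sample: the typical "it works" manifest with no security context at all
# and a privileged container.
WEAK_POD: dict[str, Any] = {
    "containers": [
        {"name": "app", "image": "example/app:1.0", "securityContext": {"privileged": True}},
    ],
}

# Constructed sample: the same workload with the checklist applied.
HARDENED_POD: dict[str, Any] = {
    "securityContext": {
        "runAsNonRoot": True,
        "runAsUser": 10001,
        "runAsGroup": 10001,
        "supplementalGroups": [10001],
        "seccompProfile": {"type": "RuntimeDefault"},
        "seLinuxOptions": {"level": "s0:c123,c456"},  # assumed MCS level for the example
    },
    "containers": [
        {
            "name": "app",
            "image": "example/app:1.0",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "privileged": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        },
    ],
}


if __name__ == "__main__":
    for label, spec in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(f"[{label}] {len(pod_violations(spec))} finding(s)")
        for f in pod_violations(spec):
            print("  -", f)
```

Feed it the `spec` portion of a Pod (or of a Deployment's pod template) after loading the manifest with a YAML parser; the weak sample produces seven findings, the hardened one none. This is a linter for the checklist, not a replacement for enforcing it: admission control (Pod Security Admission or a policy engine) is what actually stops a non-compliant Pod from being created.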