
Protecting Kubernetes environments

Guy Brunet
2025-12-16 07:07:34
Number of replies: 1

Kubernetes is based on a cloud-native architecture and draws on advice from the CNCF about good practice for cloud-native information security.

Read Cloud Native Security and Kubernetes for the broader context about how to secure your cluster and the applications that you're running on it.

Kubernetes includes several APIs and security controls, as well as ways to define policies that can form part of how you manage information security.

A key security mechanism for any Kubernetes cluster is to control access to the Kubernetes API.

Kubernetes expects you to configure and use TLS to provide data encryption in transit within the control plane, and between the control plane and its clients.

You can also enable encryption at rest for the data stored within the Kubernetes control plane; this is separate from using encryption at rest for your own workloads' data, which might also be a good idea.

The Secret API provides basic protection for configuration values that require confidentiality.

Enforce Pod security standards to ensure that Pods and their containers are isolated appropriately.

You can also use RuntimeClasses to define custom isolation if you need it.

Network policies let you control network traffic between Pods, or between Pods and the network outside your cluster.

You can deploy security controls from the wider ecosystem to implement preventative or detective controls around Pods, their containers, and the images that run in them.

Auditing

Kubernetes audit logging provides a security-relevant, chronological set of records documenting the sequence of actions in a cluster.

The cluster audits the activities generated by users, by applications that use the Kubernetes API, and by the control plane itself.

You can define security policies using Kubernetes-native mechanisms, such as NetworkPolicy (declarative control over network packet filtering) or ValidatingAdmissionPolicy (declarative restrictions on what changes someone can make using the Kubernetes API).
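As an added example (not from the original post), here are the two declarative mechanisms named above: a default-deny NetworkPolicy for one namespace, and a ValidatingAdmissionPolicy with its binding that rejects workload images not pulled from an internal registry. The namespace name "payments", the registry host "registry.example.internal" and the "environment: production" label are placeholders.

```yaml
# Constructed example: default-deny for one namespace ("payments" is a placeholder).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments
spec:
  podSelector: {}          # empty selector selects every Pod in the namespace
  policyTypes:
  - Ingress
  - Egress                 # also blocks DNS until a separate egress rule allows it
---
# Constructed example: reject workloads whose images are not pulled from the
# assumed internal registry "registry.example.internal" (placeholder host).
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: require-internal-registry
spec:
  failurePolicy: Fail    # if the policy cannot be evaluated, reject the request
  matchConstraints:
    resourceRules:
    - apiGroups: ["apps"]
      apiVersions: ["v1"]
      operations: ["CREATE", "UPDATE"]
      resources: ["deployments", "statefulsets", "daemonsets"]
  validations:
  - expression: >-
      object.spec.template.spec.containers.all(c,
        c.image.startsWith('registry.example.internal/')) &&
      (!has(object.spec.template.spec.initContainers) ||
        object.spec.template.spec.initContainers.all(c,
          c.image.startsWith('registry.example.internal/')))
    message: "all container and init container images must come from registry.example.internal"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: require-internal-registry-prod
spec:
  policyName: require-internal-registry
  validationActions: ["Deny"]
  matchResources:
    namespaceSelector:
      matchLabels:
        environment: production   # enforced only in namespaces carrying this label
```

Apply with `kubectl apply -f` and confirm enforcement by creating a Deployment in a labelled namespace that references a public image; the API server should refuse it with the policy's message.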

Get end-to-end visibility into container risks at every stage of your application lifecycle, from code and build to deployment and runtime.

Identify the most critical attack paths by correlating risks across containers, clusters and cloud environments.

Build security guardrails directly into your CI/CD pipeline so that developers can move fast without bottlenecks or delays.