12 Kubernetes configuration best practices | StackRox
data-pubdate="2019-09-26T07:00:00Z"><noscript><iframe src="https://web.archive.org/web/20210304001924if_/https://www.googletagmanager.com/ns.html?id=GTM-TWB7KDZ" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript><main class="page"><div id="content"><style>.blog-hero { background-image: url(https://web.archive.org/web/20210304001924im_/https://res.cloudinary.com/stackrox/fl_lossy,w_768,f_auto/v1569543604/12-k8s-config-best-practices-blog-banner_bsb95m.jpg); } @media print, screen and (min-width: 48em) { .blog-hero { background-image: url(https://web.archive.org/web/20210304001924im_/https://res.cloudinary.com/stackrox/fl_lossy,f_auto/v1569543604/12-k8s-config-best-practices-blog-banner_bsb95m.jpg); } }</style><section class="section bg-primary blog-hero" style="--opacity:0.8"><div class="row block-full-height align-middle align-center"><div class="small-12 medium-9 columns text-center block-no-margin"><h1>12 Kubernetes configuration best practices</h1></div></div></section><div class="row"><div class="small-12 large-9 columns blog-single"><article><div class="row collapse blog-callout"><div class="columns"><div class="mod"><a href="/web/20210304001924/https://www.stackrox.com/authors/akohgadai/"><img class="img-circle img-thumb cld-responsive" data-src="https://web.archive.org/web/20210304001924/https://res.cloudinary.com/stackrox/w_50,dpr_auto,c_scale,fl_lossy,f_auto/ajmal.jpg" alt="Author - Ajmal Kohgadai"> <span>Ajmal Kohgadai </span></a><time datetime="2019-09-26T07:00:00Z">Sep 26, 2019</time></div></div><div class="columns shrink"><div class="mod"><div class="button-group social-icons"><span class="hide-for-medium">Share: </span><a class="button button-facebook no-barba" href="https://web.archive.org/web/20210304001924/https://www.facebook.com/sharer/sharer.php?u=https%3a%2f%2fwww.stackrox.com%2fpost%2f2019%2f09%2f12-kubernetes-configuration-best-practices%2f" title="Share on Facebook" target="_blank" rel="nofollow noopener"><span 
class="show-for-sr">Share on Facebook</span> </a><a class="button button-linkedin no-barba" href="https://web.archive.org/web/20210304001924/https://www.linkedin.com/shareArticle?mini=true&url=https%3a%2f%2fwww.stackrox.com%2fpost%2f2019%2f09%2f12-kubernetes-configuration-best-practices%2f" title="Share on LinkedIn" target="_blank" rel="nofollow noopener"><span class="show-for-sr">Share on LinkedIn</span> </a><a class="button button-twitter no-barba" href="https://web.archive.org/web/20210304001924/https://twitter.com/intent/tweet?text=12%20Kubernetes%20configuration%20best%20practices&url=https%3a%2f%2fwww.stackrox.com%2fpost%2f2019%2f09%2f12-kubernetes-configuration-best-practices%2f&hashtags=stackrox" title="Tweet this" target="_blank" rel="nofollow noopener"><span class="show-for-sr">Share on Twitter</span></a></div></div></div><hr></div><p>By now most of us have heard about the role <a href="https://web.archive.org/web/20210304001924/https://iapp.org/news/a/data-indicates-human-error-prevailing-cause-of-breaches-incidents/" target="_blank" rel="nofollow noopener">human error</a> plays in causing data breaches. The<a href="https://web.archive.org/web/20210304001924/https://krebsonsecurity.com/2019/08/what-we-can-learn-from-the-capital-one-hack/" target="_blank" rel="nofollow noopener"> Capital One breach</a> from July is just the latest in a long line of security incidents that can trace their success back to a misconfigured infrastructure or security setting. As organizations accelerate their use of containers and Kubernetes and move their application development and deployment to cloud platforms, preventing avoidable misconfigurations in their environment becomes increasingly crucial.</p><p>Fortunately, most organizations understand that containers and Kubernetes are just like previous waves of infrastructure, where security starts with a securely configured infrastructure. 
In a recent survey of IT and security practitioners, respondents identified <a href="/web/20210304001924/https://www.stackrox.com/kubernetes-adoption-and-security-trends-and-market-share-for-containers/">user-driven misconfigurations</a> as their biggest concern for container security.</p><p>To help customers securely configure their Docker containers, we recently published our <a href="/web/20210304001924/https://www.stackrox.com/post/2019/09/docker-security-101/">Docker security 101 blog</a>. In this article, we will take a deep dive into key Kubernetes security configurations and recommended best practices you should follow.</p><p>It should be noted, however, that ensuring adherence to these best practices requires more than just knowing what they are. The level of success you have in consistently following these recommendations will also be determined by the degree to which you can automate the process of checking your environment for misconfigurations.</p><p>That’s because in a sprawling Kubernetes environment with several clusters spanning tens, hundreds, or even thousands of nodes, created by hundreds of different developers, manually checking the configurations is not feasible. And like all humans, developers can make mistakes – especially given that Kubernetes configuration options are complicated, security features are not enabled by default, and most of the community is learning how to effectively use components including Pod Security Policies and Security Context, Network Policies, RBAC, the API server, kubelet, and other Kubernetes controls.</p><p>As you and your teams come up to speed on all the details of Kubernetes security, follow these best practices to build a strong foundation:</p><h4 id="1-update-kubernetes-to-the-latest-version">1. 
Update Kubernetes to the latest version</h4><p>If you haven’t already done so, update your Kubernetes deployments to the latest version (1.16), which includes several <a href="/web/20210304001924/https://www.stackrox.com/post/2019/09/kubernetes-1.16-important-features-for-operational-excellence/">new and exciting features</a>. Every new release is typically bundled with a host of different security features. Be sure to check out our blog post that highlights <a href="/web/20210304001924/https://www.stackrox.com/post/2019/01/critical-kubernetes-security-issues-resolved-in-recent-kubernetes-versions/">7 reasons</a> why you should upgrade Kubernetes to the latest version.</p><h4 id="2-use-pod-security-policies-to-prevent-risky-containerspods-from-being-used">2. Use Pod Security Policies to prevent risky containers/Pods from being used</h4><p><code>PodSecurityPolicy</code> is a cluster-level resource available in Kubernetes (via kubectl) that is highly recommended. You must enable the <code>PodSecurityPolicy</code> admission controller to use it. Given the nature of admission controllers, you must authorize at least one policy - otherwise no pods will be allowed to be created in the cluster.</p><p>Pod Security Policies address several critical security use cases, including:</p><ul><li>Preventing containers from running with the privileged flag - this type of container will have most of the capabilities available to the underlying host. 
This flag also overwrites any rules you set using CAP DROP or CAP ADD.</li><li>Preventing sharing of host PID/IPC namespace, networking, and ports - this step ensures proper isolation between Docker containers and the underlying host</li><li>Limiting use of volume types - writable hostPath directory volumes, for example, allow containers to write to the filesystem in a manner that allows them to traverse the host filesystem outside the <code>pathPrefix</code>, so <code>readOnly: true</code> must be used</li><li>Putting limits on host filesystem use</li><li>Enforcing read only for root file system via the ReadOnlyRootFilesystem</li><li>Preventing privilege escalation to root privileges</li><li>Rejecting containers with root privileges</li><li>Restricting Linux capabilities to bare minimum in adherence with least privilege principles</li></ul><p>Some of these attributes can also be controlled via <code>securityContext</code>. You can learn more about security context <a href="https://web.archive.org/web/20210304001924/https://kubernetes.io/docs/tasks/configure-pod-container/security-context/" target="_blank" rel="nofollow noopener">here</a>. However, it’s generally recommended that you shouldn’t customize the pod-level security context but should instead use Pod Security Policies (see Recommendation #6 on how to apply these controls).</p><p>You can learn more about Pod Security Policies <a href="https://web.archive.org/web/20210304001924/https://kubernetes.io/docs/concepts/policy/pod-security-policy/" target="_blank" rel="nofollow noopener">here</a>. 
You can learn more about admission controllers <a href="https://web.archive.org/web/20210304001924/https://kubernetes.io/blog/2019/03/21/a-guide-to-kubernetes-admission-controllers/" target="_blank" rel="nofollow noopener">here</a> and <a href="/web/20210304001924/https://www.stackrox.com/post/2019/03/11-tips-to-operationalizing-kubernetes-admission-controllers-for-better-security/">here</a>.</p><section class="block block-promo-img block-promo bg-wave"><div class="row align-center align-middle block-full-height"><div class="column hide-for-small-only shrink block-no-margin align-content-middle"><img class="img-thumb cld-responsive" data-src="https://web.archive.org/web/20210304001924/https://res.cloudinary.com/stackrox/w_200,dpr_auto,c_scale,fl_lossy,f_auto/v1594160616/kubernetes-security-tips-tricks-bp-web-thumb_qbowyh.png" alt=""></div><div class="columns block-no-margin align-content-middle"><div><h2>Kubernetes security ebook - tips, tricks, best practices</h2><p>Download this ebook to learn how to secure your software supply chain, your Kubernetes infrastructure, and your running workloads</p><a target="_blank" rel="nofollow noopener" class="button" href="https://web.archive.org/web/20210304001924/https://security.stackrox.com/kubernetes-security-ebook-tips-tricks-best-practices.html?Source=Website&LSource=Website">Download Today</a></div></div></div></section><h4 id="3-use-kubernetes-namespaces-to-properly-isolate-your-kubernetes-resources">3. Use Kubernetes namespaces to properly isolate your Kubernetes resources</h4><p>Namespaces give you the ability to create logical partitions and enforce separation of your resources as well as limit the scope of user permissions. 
You can learn more about namespaces <a href="https://web.archive.org/web/20210304001924/https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" target="_blank" rel="nofollow noopener">here</a>.</p><h4 id="4-use-network-policies-to-segment-and-limit-container-and-pod-communication">4. Use Network Policies to segment and limit container and pod communication</h4><p>Network Policies are used to determine how pods are allowed to communicate. Check out our blog post that takes a deep dive into building secure <a href="/web/20210304001924/https://www.stackrox.com/post/2019/04/setting-up-kubernetes-network-policies-a-detailed-guide/">Kubernetes Network Policies</a>.</p><h4 id="5-create-policies-to-govern-image-provenance-using-the-imagepolicywebhook">5. Create policies to govern image provenance using the ImagePolicyWebhook</h4><p>Use the <code>ImagePolicyWebhook</code> admission controller to reject pods that use unapproved images, including:</p><ul><li>Images that haven’t been scanned recently</li><li>Images that use a base image that’s not whitelisted</li><li>Images from insecure registries</li></ul><p>You can learn more about <code>ImagePolicyWebhook</code> <a href="https://web.archive.org/web/20210304001924/https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#imagepolicywebhook" target="_blank" rel="nofollow noopener">here</a>.</p><h4 id="6-securely-configure-the-kubernetes-api-server">6. Securely configure the Kubernetes API server</h4><p>The Kubernetes API server handles all the REST API calls between external users and Kubernetes components.</p><p>Run the below command on your master node:</p><pre><code>ps -ef | grep kube-apiserver </code></pre><p>In the output, check to ensure that the:</p><ul><li><code>--anonymous-auth</code> argument shows as <code>false</code>. 
This setting ensures that requests not rejected by other authentication methods are not treated as anonymous and therefore allowed against policy.</li><li><code>--basic-auth-file</code> argument isn’t there. Basic auth uses plaintext credentials, instead of the preferred tokens or certificates, for authentication.</li><li><code>--insecure-allow-any-token</code> argument isn’t there. This setting will ensure that only secure tokens that are authenticated are allowed.</li><li><code>--kubelet-https</code> argument either isn’t there or shows as <code>true</code>. This configuration ensures that connections between the API server and the kubelets are protected in transit via Transport Layer Security (TLS).</li><li><code>--insecure-bind-address</code> argument isn’t there. This configuration will prevent the API Server from binding to an insecure address, preventing non-authenticated and unencrypted access to your master node, which minimizes your risk of attackers potentially reading sensitive data in transit.</li><li><code>--insecure-port</code> argument shows as <code>0</code>. This setting will prevent the API Server from serving on an insecure port, which would prevent unauthenticated and unencrypted access to the master node and minimize the risk of an attacker taking control of the cluster.</li><li><code>--secure-port</code> argument either doesn’t exist or shows up as an integer between 1 and 65535. The goal here is to make sure all your traffic is served over https with authentication and authorization.</li><li><code>--profiling</code> argument shows as <code>false</code>. Unless you’re experiencing bottlenecks or need to troubleshoot something that needs investigation, there’s no need for the profiler, and having it there unnecessarily opens you to exposure of system and program details.</li><li><code>--repair-malformed-updates</code> argument shows as <code>false</code>. 
This setting will ensure that intentionally malformed requests from clients are rejected by the API Server.</li><li><code>--enable-admission-plugins</code> argument is set with a value that doesn’t contain <code>AlwaysAdmit</code>. If you configure this setting to always admit, then it will admit requests even if they’re not explicitly allowed by the admissions control plugin, which would decrease the plugin’s effectiveness.</li><li><code>--enable-admission-plugins</code> argument is set with a value that contains <code>AlwaysPullImages</code>. This configuration ensures that users aren’t allowed to pull images from the node to any pod by simply knowing the name of the image. With this control enabled, images will always be pulled prior to starting a container, which will require valid credentials.</li><li><code>--enable-admission-plugins</code> argument is set with a value that contains <code>SecurityContextDeny</code>. This control ensures that you can’t customize pod-level security context in a way not outlined in the Pod Security Policy. See the Pod Security Policy section (#2) for additional information on security context.</li><li><code>--disable-admission-plugins</code> argument is set with a value that does not contain <code>NamespaceLifecycle</code>. You don’t want to disable this control, because it ensures that objects aren’t created in non-existent namespaces or in those namespaces set to be terminated.</li><li><code>--audit-log-path</code> argument is set to an appropriate path where you want your audit logs to be stored. 
It’s always a good security practice to enable auditing for any Kubernetes components, when available, including the Kubernetes API server.</li><li><code>--audit-log-maxage</code> argument is set to <code>30</code> or whatever number of days you must store your audit log files to comply with internal and external data retention policies.</li><li><code>--audit-log-maxbackup</code> argument is set to <code>10</code> or any number that helps you meet your compliance requirements for retaining the number of old log files.</li><li><code>--audit-log-maxsize</code> argument is set to <code>100</code> or whatever number helps you meet your compliance requirements. Note that the number 100 represents 100 MB.</li><li><code>--authorization-mode</code> argument is there and is not set to <code>AlwaysAllow</code>. This setting ensures that only authorized requests are allowed by the API Server, especially in production clusters.</li><li><code>--token-auth-file</code> argument is not there. This argument, when present, uses static token-based authentication, which has several security flaws; use alternate authentication methods instead, such as certificates.</li><li><code>--kubelet-certificate-authority</code> argument is there. This setting helps prevent a man-in-the-middle attack when there’s a connection between the API Server and the kubelet.</li><li><code>--kubelet-client-certificate</code> and <code>--kubelet-client-key</code> arguments are there. This configuration ensures that the API Server authenticates itself to the kubelet’s HTTPS endpoints. (By default, the API Server doesn’t take this step.)</li><li><code>--service-account-lookup</code> argument is there and set to <code>true</code>. 
This setting helps prevent an instance where the API Server verifies only the validity of the authentication token without ensuring that the service account token included in the request is present in etcd.</li><li><code>--enable-admission-plugins</code> argument is set to a value that contains <code>PodSecurityPolicy</code>. See the above section on Pod Security Policies (#2) for more details.</li><li><code>--service-account-key-file</code> argument is there and is set to a separate public/private key pair for signing service account tokens. If you don’t specify a public/private key pair, it will use the private key from the TLS serving certificate, which would inhibit your ability to rotate the keys for service account tokens.</li><li><code>--etcd-certfile</code> and <code>--etcd-keyfile</code> arguments are there so that the API server identifies itself to the etcd server using a client cert and key. Note that etcd stores objects that are likely sensitive in nature, so any client connections must use TLS encryption.</li><li><code>--disable-admission-plugins</code> argument is set and doesn’t contain <code>ServiceAccount</code>. This configuration will make sure that when a new pod is created, it will not use a default service account within the same namespace.</li><li><code>--tls-cert-file</code> and <code>--tls-private-key-file</code> arguments are there such that the API Server serves only HTTPS traffic via TLS.</li><li><code>--client-ca-file</code> argument exists to ensure that TLS and client cert authentication is configured for Kube cluster deployments.</li><li><code>--etcd-cafile</code> argument exists and it is set such that the API Server must verify itself to the etcd server via SSL Certificate Authority file.</li><li><code>--tls-cipher-suites</code> argument is set in a way that uses strong crypto ciphers.</li><li><code>--authorization-mode</code> argument is there with a value containing <code>Node</code>. 
This configuration limits which objects kubelets can read associated with their nodes.</li><li><code>--enable-admission-plugins</code> argument is set and contains the value <code>NodeRestriction</code>. This plugin ensures that a kubelet is allowed to modify only its own Node API object and those Pod API objects associated with its node.</li><li><code>--encryption-provider-config</code> argument is set to an <code>EncryptionConfig</code> file, and this file should have all the needed resources. This setting ensures that all the REST API objects stored in the etcd key-value store are encrypted at rest.</li><li>Make sure the <code>aescbc</code> encryption provider is utilized for all desired resources, as this provider of encryption is considered the strongest.</li><li><code>--enable-admission-plugins</code> argument contains the value <code>EventRateLimit</code> to set a limit on the number of events accepted by the API Server for performance optimization of the cluster.</li><li><code>--feature-gates</code> argument is not set with a value containing <code>AdvancedAuditing=false</code>. In other words, make sure advanced auditing is not disabled, for auditing and investigation purposes.</li><li><code>--request-timeout</code> argument is either not set or set to an appropriate value (neither too short, nor too long). The default value is 60 seconds.</li><li><code>--authorization-mode</code> argument exists and is set to a value that includes <code>RBAC</code>. This setting ensures that Role-based access control (RBAC) is turned on. 
Beyond simply turning it on, you should follow <a href="/web/20210304001924/https://www.stackrox.com/post/2019/09/5-kubernetes-rbac-mistakes-you-must-avoid/">several other recommendations</a> for how to best use Kubernetes RBAC, including:<ul><li>Avoid giving users the cluster-admin role, because it gives very broad powers over the environment and should be used very sparingly, if at all.</li><li>Audit your role aggregation rules to ensure you’re using them properly.</li><li>Don’t grant duplicated permissions to subjects, because it can make access revocation more difficult.</li><li>Regularly remove unused Roles.</li></ul></li></ul><h4 id="7-securely-configure-the-kube-scheduler">7. Securely configure the kube-scheduler</h4><p>As the default scheduler for Kubernetes, kube-scheduler selects the node that a newly created Pod should run on. You can learn more about kube-scheduler <a href="https://web.archive.org/web/20210304001924/https://kubernetes.io/docs/concepts/scheduling/kube-scheduler/" target="_blank" rel="nofollow noopener">here</a>.</p><p>Run the below command on your master node:</p><pre><code>ps -ef | grep kube-scheduler </code></pre><p>In the output, check to ensure that the:</p><ul><li><code>--profiling</code> argument is set to <code>false</code> so that you have a reduced attack surface. While profiling can be useful for identifying a performance bottleneck, it can also be exploited to reveal details about your system.</li><li><code>--address</code> argument is set to 127.0.0.1 so that the scheduler is not bound to a non-loopback insecure address, since the scheduler API service is available without authentication or encryption.</li></ul><h4 id="8-securely-configure-the-kube-controller-manager">8. 
Securely configure the kube-controller-manager</h4><p>Run the below command on your master node:</p><pre><code>ps -ef | grep kube-controller-manager </code></pre><p>In the output, check to ensure that the:</p><ul><li><code>--terminated-pod-gc-threshold</code> argument is set to a value that ensures you have enough resources available and performance isn’t degraded.</li><li><code>--profiling</code> argument is set to <code>false</code>.</li><li><code>--use-service-account-credentials</code> argument is set to <code>true</code>. When combined with RBAC, this setting ensures that control loops run with minimum permissions required, in adherence with least privilege design principles.</li><li><code>--service-account-private-key-file</code> argument is set such that a separate public/private key pair is used for signing service account tokens.</li><li><code>--root-ca-file</code> argument exists and is set to a cert file containing the root cert for the API Server’s serving cert, which will allow pods to verify the API Server’s serving cert before making a connection.</li><li><code>RotateKubeletServerCertificate</code> argument is there and set as <code>true</code>, and applies only when kubelets get their certs from the API Server.</li><li><code>--address</code> argument is set to 127.0.0.1, so that the controller manager service is not bound to non-loopback insecure addresses.</li></ul><h3 id="9-secure-the-configuration-files-on-the-master-node">9. 
Secure the configuration files on the master node</h3><h6 id="secure-the-api-server-pod-specification-file-permissions">Secure the API server pod specification file permissions.</h6><p>Run the following command on the master node (specifying your file location on your system):</p><pre><code>stat -c %a /etc/kubernetes/manifests/kube-apiserver.yaml </code></pre><p>In the output, check to ensure that permissions are <code>644</code> or more restrictive to maintain the integrity of the file.</p><h6 id="secure-the-api-server-pod-specification-file-ownership">Secure the API Server pod specification file ownership.</h6><p>Run the following command on the master node (specifying your file location on your system):</p><pre><code>stat -c %U:%G /etc/kubernetes/manifests/kube-apiserver.yaml </code></pre><p>In the output, check to ensure that ownership is set as <code>root:root</code> to maintain the integrity of the file.</p><h6 id="secure-the-controller-manager-pod-specification-file-permissions">Secure the controller manager pod specification file permissions.</h6><p>Run the following command on the master node (specifying your file location on your system):</p><pre><code>stat -c %a /etc/kubernetes/manifests/kube-controller-manager.yaml </code></pre><p>In the output, check to ensure that permissions are <code>644</code> or more restrictive to maintain the integrity of the file.</p><h6 id="secure-the-controller-manager-pod-specification-file-ownership">Secure the controller manager pod specification file ownership.</h6><p>Run the following command on the master node (specifying your file location on your system):</p><pre><code>stat -c %U:%G /etc/kubernetes/manifests/kube-controller-manager.yaml </code></pre><p>In the output, check to ensure that ownership is set as <code>root:root</code> to maintain the integrity of the file.</p><h6 id="secure-the-scheduler-pod-specification-file-permissions">Secure the scheduler pod specification file permissions.</h6><p>Run the following 
command on the master node (specifying your file location on your system):</p><pre><code>stat -c %a /etc/kubernetes/manifests/kube-scheduler.yaml </code></pre><p>In the output, check to ensure that permissions are <code>644</code> or more restrictive to maintain the integrity of the file.</p><h6 id="secure-the-scheduler-pod-specification-file-ownership">Secure the scheduler pod specification file ownership.</h6><p>Run the following command on the master node (specifying your file location on your system):</p><pre><code>stat -c %U:%G /etc/kubernetes/manifests/kube-scheduler.yaml </code></pre><p>In the output, check to ensure that ownership is set as <code>root:root</code> to maintain the integrity of the file.</p><h6 id="secure-the-etcd-pod-specification-file-permissions">Secure the etcd pod specification file permissions.</h6><p>Run the following command on the master node (specifying your file location on your system):</p><pre><code>stat -c %a /etc/kubernetes/manifests/etcd.yaml </code></pre><p>In the output, check to ensure that permissions are <code>644</code> or more restrictive to maintain the integrity of the file. 
As a reminder on a topic already discussed, etcd is a key-value store, and protecting it is of the utmost importance, since it contains your REST API objects.</p><h6 id="secure-the-etcd-pod-specification-file-ownership">Secure the etcd pod specification file ownership.</h6><p>Run the following command on the master node (specifying your file location on your system):</p><pre><code>stat -c %U:%G /etc/kubernetes/manifests/etcd.yaml </code></pre><p>In the output, check to ensure that ownership is set as <code>root:root</code> to maintain the integrity of the file.</p><h6 id="secure-the-container-network-interface-file-permissions">Secure the Container Network Interface file permissions.</h6><p>Run the following command on the master node (specifying your file location on your system):</p><pre><code>stat -c %a &lt;path/to/cni/files&gt; </code></pre><p>In the output, check to ensure that permissions are <code>644</code> or more restrictive to maintain the integrity of the file.</p><h6 id="secure-the-container-network-interface-file-ownership">Secure the Container Network Interface file ownership.</h6><p>Run the following command on the master node (specifying your file location on your system):</p><pre><code>stat -c %U:%G &lt;path/to/cni/files&gt; </code></pre><p>In the output, check to ensure that ownership is set as <code>root:root</code> to maintain the integrity of the file.</p><h6 id="secure-the-etcd-data-directory-permissions">Secure the etcd data directory permissions.</h6><p>First run the following command to get the etcd data directory:</p><pre><code>ps -ef | grep etcd </code></pre><p>Now run the following command based on the etcd data directory you found from the previous command:</p><pre><code>stat -c %a /var/lib/etcd </code></pre><p>In the output, check to ensure that permissions are <code>700</code> or more restrictive to ensure your etcd data directory is protected against unauthorized reads/writes.</p><h6 id="secure-the-etcd-data-directory-ownership">Secure the etcd 
data directory ownership.</h6><p>First run the following command to get the etcd data directory:</p><pre><code>ps -ef | grep etcd </code></pre><p>Now run the following command based on the etcd data directory you found from the previous command:</p><pre><code>stat -c %U:%G /var/lib/etcd </code></pre><p>In the output, check to ensure that ownership is <code>etcd:etcd</code> to ensure your etcd data directory is protected against unauthorized reads/writes.</p><h6 id="secure-the-adminsconf-file-permissions">Secure the admin.conf file permissions.</h6><p>Run the following command on the master node (specifying your file location on your system):</p><pre><code>stat -c %a /etc/kubernetes/admin.conf </code></pre><p>In the output, check to ensure that permissions are <code>644</code> or more restrictive to maintain the integrity of the file.</p><h6 id="secure-the-adminsconf-file-ownership">Secure the admin.conf file ownership.</h6><p>Run the following command on the master node (specifying your file location on your system):</p><pre><code>stat -c %U:%G /etc/kubernetes/admin.conf </code></pre><p>In the output, check to ensure that ownership is set as <code>root:root</code> to maintain the integrity of the file.</p><h6 id="secure-the-schedulerconf-file-permissions">Secure the scheduler.conf file permissions.</h6><p>Run the following command on the master node (specifying your file location on your system):</p><pre><code>stat -c %a /etc/kubernetes/scheduler.conf </code></pre><p>In the output, check to ensure that permissions are <code>644</code> or more restrictive to maintain the integrity of the file.</p><h6 id="secure-the-schedulerconf-file-ownership">Secure the scheduler.conf file ownership.</h6><p>Run the following command on the master node (specifying your file location on your system):</p><pre><code>stat -c %U:%G /etc/kubernetes/scheduler.conf </code></pre><p>In the output, check to ensure that ownership is set as <code>root:root</code> to maintain the integrity of 
the file.</p><h6 id="secure-the-controller-managerconf-file-permissions">Secure the controller-manager.conf file permissions.</h6><p>Run the following command on the master node (specifying your file location on your system):</p><pre><code>stat -c %a /etc/kubernetes/controller-manager.conf </code></pre><p>In the output, check to ensure that permissions are <code>644</code> or more restrictive to maintain the integrity of the file.</p><h6 id="secure-the-controller-managerconf-file-ownership">Secure the controller-manager.conf file ownership.</h6><p>Run the following command on the master node (specifying your file location on your system):</p><pre><code>stat -c %U:%G /etc/kubernetes/controller-manager.conf </code></pre><p>In the output, check to ensure that ownership is set as <code>root:root</code> to maintain the integrity of the file.</p><h6 id="secure-the-kubernetes-pki-directory-and-file-ownership">Secure the Kubernetes PKI directory and file ownership.</h6><p>Run the following command on the master node (specifying your file location on your system):</p><pre><code>ls -laR /etc/kubernetes/pki/ </code></pre><p>In the output, check to ensure that ownership is set as <code>root:root</code> to maintain the integrity of the file.</p><h6 id="secure-the-kubernetes-pki-directory-and-file-permissions">Secure the Kubernetes PKI directory and file permissions.</h6><p>Run the following command on the master node (specifying your file location on your system):</p><pre><code>ls -laR /etc/kubernetes/pki/*.crt </code></pre><p>In the output, check to ensure that permissions are <code>644</code> or more restrictive to maintain the integrity of the file.</p><h6 id="secure-the-kubernetes-pki-key-file-permissions">Secure the Kubernetes PKI key file permissions.</h6><p>Run the following command on the master node (specifying your file location on your system):</p><pre><code>ls -laR /etc/kubernetes/pki/*.key </code></pre><p>In the output, check to ensure that permissions are 
<code>600</code> to maintain the integrity of the file.</p><h4 id="10-securely-configure-etcd">10. Securely configure etcd</h4><p>As mentioned in previous sections, etcd (a <a href="https://web.archive.org/web/20210304001924/https://www.cncf.io/blog/2018/12/11/cncf-to-host-etcd/" target="_blank" rel="nofollow noopener">CNCF project</a>) is a key-value store used by distributed systems such as Kubernetes for data access. etcd is considered the source of truth for Kubernetes, and you can read data from and write into etcd as needed. Securely configuring etcd and communications to its servers is of utmost importance.</p><p>Run the following command on the etcd server node:</p><pre><code>ps -ef | grep etcd </code></pre><p>In the output, check to ensure that the:</p><ul><li><code>--cert-file</code> and the <code>--key-file</code> arguments are set as needed to ensure client connections are served only over TLS (in-transit encryption).</li><li><code>--client-cert-auth</code> argument shows as <code>true</code> to ensure all access attempts from clients include a valid client cert.</li><li><code>--auto-tls</code> argument is there and is not <code>true</code>, or isn’t there at all, which will prohibit clients from using self-signed certs for TLS.</li><li>If you’re using an etcd cluster (instead of a single etcd server), check to see that the <code>--peer-cert-file</code> and <code>--peer-key-file</code> arguments are appropriately set to ensure etcd peer connections are encrypted within the etcd cluster. In addition, check that the <code>--peer-client-cert-auth</code> argument is set to <code>true</code>, as this setting would ensure that only authenticated etcd peers can access the etcd cluster. 
Lastly, verify that if the <code>--peer-auto-tls</code> argument is there, it is not set to <code>true</code>.</li><li>As a best practice, don’t use the same certificate authority for etcd as you do for Kubernetes. You can ensure this separation by verifying that the file referenced by the <code>--client-ca-file</code> for the API Server is different from the <code>--trusted-ca-file</code> used by etcd.</li></ul><h4 id="11-securely-configure-the-kubelet">11. Securely configure the Kubelet</h4><p>The <a href="https://web.archive.org/web/20210304001924/https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/" target="_blank" rel="nofollow noopener">kubelet</a> is the main “node agent” running on each node. Misconfiguring the kubelet can expose you to a host of security risks, as <a href="https://web.archive.org/web/20210304001924/https://medium.com/handy-tech/analysis-of-a-kubernetes-hack-backdooring-through-kubelet-823be5c3d67c" target="_blank" rel="nofollow noopener">this Medium</a> article from last year outlines. You can either use arguments on the running kubelet executable or a kubelet config file to set the configuration of your kubelet.</p><p>To find the kubelet config file, run the following command:</p><pre><code>ps -ef | grep kubelet | grep config </code></pre><p>Look for the <code>--config</code> argument, which will give you the location of the kubelet config file.</p><p>Then run the following command on each node:</p><pre><code>ps -ef | grep kubelet </code></pre><p>In the output, make sure that the:</p><ul><li><code>--anonymous-auth</code> argument is <code>false</code>. In the kubelet article previously referenced, one of the misconfigurations exploited was one where anonymous (and unauthenticated) requests were allowed to be served by the kubelet server.</li><li><code>--authorization-mode</code> argument, if it’s there, is not set to <code>AlwaysAllow</code>. 
If it is not there, make sure there’s a kubelet config file specified by <code>--config</code> and that file has set <code>authorization: mode</code> to something besides <code>AlwaysAllow</code>.</li><li><code>--client-ca-file</code> argument is there and set to the location of the client certificate authority file. If it’s not there, make sure there’s a kubelet config file specified by <code>--config</code> and that file has set <code>authentication: x509: clientCAFile</code> to the location of the client certificate authority file.</li><li><code>--read-only-port</code> argument is there and set to <code>0</code>. If it’s not there, make sure there’s a kubelet config file specified by <code>--config</code>, and <code>readOnlyPort</code> is set to <code>0</code> if it’s there.</li><li><code>--protect-kernel-defaults</code> shows as <code>true</code>. If it’s not there, make sure there’s a kubelet config file specified by <code>--config</code>, and that file has set <code>protectKernelDefaults</code> as <code>true</code>.</li><li><code>--hostname-override</code> argument is not there, to ensure that the TLS setup between the kubelet and the API Server doesn’t break.</li><li><code>--event-qps</code> argument is there and set to <code>0</code>. If it’s not there, make sure there’s a kubelet config file specified by <code>--config</code> and <code>eventRecordQPS</code> shows as <code>0</code>.</li><li><code>--tls-cert-file</code> and <code>--tls-private-key-file</code> arguments are set appropriately or the kubelet config specified by <code>--config</code> contains appropriate settings for <code>tlsCertFile</code> and <code>tlsPrivateKeyFile</code>. 
This configuration ensures that all connections happen over TLS on the kubelets.</li><li><code>RotateKubeletServerCertificate</code> and <code>--rotate-certificates</code> are set to <code>true</code> if your kubelets get their certs from the API Server, and make sure your kubelet uses only strong crypto ciphers.</li></ul><h4 id="12-secure-the-worker-node-configuration-files">12. Secure the worker node configuration files</h4><h6 id="secure-the-kubelet-service-file-permissions">Secure the kubelet service file permissions.</h6><p>Run the following command on each worker node (specifying your file location on your system):</p><pre><code>stat -c %a /etc/systemd/system/kubelet.service.d/10-kubeadm.conf </code></pre><p>In the output, check to ensure that permissions are <code>644</code> or more restrictive to maintain the integrity of the file.</p><h6 id="secure-the-kubeletconf-file-permissions">Secure the kubelet.conf file permissions.</h6><p>Run the following command on each worker node (specifying your file location on your system):</p><pre><code>stat -c %a /etc/kubernetes/kubelet.conf </code></pre><p>In the output, check to ensure that permissions are <code>644</code> or more restrictive to maintain the integrity of the file.</p><h6 id="secure-the-kubeletconf-file-ownership">Secure the kubelet.conf file ownership.</h6><p>Run the following command on each worker node (specifying your file location on your system):</p><pre><code>stat -c %U:%G /etc/kubernetes/kubelet.conf </code></pre><p>In the output, check to ensure that ownership is set as <code>root:root</code> to maintain the integrity of the file.</p><h6 id="secure-the-kublete-service-file-ownership">Secure the kubelet service file ownership.</h6><p>Run the following command on each worker node (specifying your file location on your system):</p><pre><code>stat -c %U:%G /etc/systemd/system/kubelet.service.d/10-kubeadm.conf </code></pre><p>In the output, check to ensure that ownership is set as 
<code>root:root</code> to maintain the integrity of the file.</p><h6 id="secure-the-proxy-kubeconfig-file-permissions">Secure the proxy kubeconfig file permissions.</h6><p>Run the following command to first find the kubeconfig file being used:</p><pre><code>ps -ef | grep kube-proxy </code></pre><p>Get the kube-proxy file location (if it’s running) from <code>--kubeconfig</code>, then run the following command on each worker node (specifying your file location on your system):</p><pre><code>stat -c %a &lt;proxy kubeconfig file&gt; </code></pre><p>In the output, check to make sure permissions are <code>644</code> or more restrictive to maintain the integrity of the file.</p><h6 id="secure-the-proxy-kubeconfig-file-ownership">Secure the proxy kubeconfig file ownership.</h6><p>Run the following command first to find the kubeconfig file being used:</p><pre><code>ps -ef | grep kube-proxy </code></pre><p>Get the kube-proxy file location (if it’s running) from <code>--kubeconfig</code>, then run the following command on each worker node (specifying your file location on your system):</p><pre><code>stat -c %U:%G &lt;proxy kubeconfig file&gt; </code></pre><p>In the output, check to make sure ownership is set as <code>root:root</code> to maintain the integrity of the file.</p><h6 id="secure-the-certificate-authorities-file-permissions">Secure the certificate authorities file permissions.</h6><p>Run the following command first:</p><pre><code>ps -ef | grep kubelet </code></pre><p>Look for the file name that’s identified by the <code>--client-ca-file</code> argument. 
Then run the following command, specifying the previous file name:</p><pre><code>stat -c %a &lt;filename&gt; </code></pre><p>In the output, check to make sure permissions are <code>644</code> or more restrictive to maintain the integrity of the file.</p><h6 id="secure-the-client-certificate-authorities-file-ownership">Secure the client certificate authorities file ownership.</h6><p>Run the following command first:</p><pre><code>ps -ef | grep kubelet </code></pre><p>Look for the file name that’s identified by the <code>--client-ca-file</code> argument. Then run the following command, specifying the previous file name:</p><pre><code>stat -c %U:%G &lt;filename&gt; </code></pre><p>In the output, check to make sure ownership is set as <code>root:root</code> to maintain the integrity of the file.</p><h6 id="secure-the-kubelet-configuration-file-permissions">Secure the kubelet configuration file permissions.</h6><p>First locate the kubelet config file with the following command:</p><pre><code>ps -ef | grep kubelet | grep config </code></pre><p>In the output, you may see the location of the config file if it exists. 
It would look something like /var/lib/kubelet/configuration.yaml.</p><p>Using the location of the file (we’ll use the file location from this previous example), run the following command to identify the file’s permissions:</p><pre><code>stat -c %a /var/lib/kubelet/configuration.yaml </code></pre><p>In the output, check to make sure permissions are set to <code>644</code> or more restrictive to ensure the integrity of the file.</p><h6 id="secure-the-kubelet-configuration-file-ownership">Secure the kubelet configuration file ownership.</h6><p>Run the following command:</p><pre><code>ps -ef | grep kubelet | grep config </code></pre><p>In the output, you may see the location of the config file if it exists - it would look something like /var/lib/kubelet/configuration.yaml.</p><p>Using the location of the file (we’ll use the file location from this previous example), run the following command to identify the file’s ownership:</p><pre><code>stat -c %U:%G /var/lib/kubelet/configuration.yaml </code></pre><p>In the output, check to make sure ownership is set to <code>root:root</code> to maintain the integrity of the file.</p><p>This cloud-native stack offers compelling capabilities for building the most secure applications we’ve ever created - we just need to make sure we’ve got all the knobs and dials set correctly. 
Leverage these configurations, code examples, and detailed recommendations to avoid the security risks associated with the most common Kubernetes misconfigurations.</p><h2 id="references">References</h2><p><a href="https://web.archive.org/web/20210304001924/https://www.cisecurity.org/benchmark/kubernetes/" title="https://www.cisecurity.org/benchmark/kubernetes/" target="_blank" rel="nofollow noopener">https://www.cisecurity.org/benchmark/kubernetes/</a><br><a href="https://web.archive.org/web/20210304001924/https://docs.docker.com/v17.09/compliance/cis/" title="https://docs.docker.com/v17.09/compliance/cis/" target="_blank" rel="nofollow noopener">https://docs.docker.com/v17.09/compliance/cis/</a><br><a href="https://web.archive.org/web/20210304001924/https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/" title="https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/" target="_blank" rel="nofollow noopener">https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/</a><br><a href="https://web.archive.org/web/20210304001924/https://kubernetes.io/docs/concepts/policy/pod-security-policy/" title="https://kubernetes.io/docs/concepts/policy/pod-security-policy/" target="_blank" rel="nofollow noopener">https://kubernetes.io/docs/concepts/policy/pod-security-policy/</a><br><a href="https://web.archive.org/web/20210304001924/https://kubernetes.io/docs/tasks/configure-pod-container/security-context/" title="https://kubernetes.io/docs/tasks/configure-pod-container/security-context/" target="_blank" rel="nofollow noopener">https://kubernetes.io/docs/tasks/configure-pod-container/security-context/</a><br><a href="https://web.archive.org/web/20210304001924/https://kubernetes.io/blog/2017/04/rbac-support-in-kubernetes/" title="https://kubernetes.io/blog/2017/04/rbac-support-in-kubernetes/" target="_blank" rel="nofollow noopener">https://kubernetes.io/blog/2017/04/rbac-support-in-kubernetes/</a><br><a 
href="https://web.archive.org/web/20210304001924/https://kubernetes.io/blog/2018/07/18/11-ways-not-to-get-hacked/" title="https://kubernetes.io/blog/2018/07/18/11-ways-not-to-get-hacked/" target="_blank" rel="nofollow noopener">https://kubernetes.io/blog/2018/07/18/11-ways-not-to-get-hacked/</a></p><hr></article></div>
Ecosystem" src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"></div>How KubeLinter fits in the CNCF Ecosystem</a> <strong><small><time datetime="2020-12-02T08:00:00Z">Dec 02, 2020</time></small></strong></li><li><a href="/web/20210304001924/https://www.stackrox.com/post/2020/12/openshift-image-security-and-cluster-maintenance-best-practices/"><div class="img-wrapper"><img class="blog-img cld-responsive" data-src="https://web.archive.org/web/20210304001924/https://res.cloudinary.com/stackrox/w_auto,dpr_auto,c_scale,fl_lossy,f_auto/v1606963387/openshift-security-best-practices-blog-4-banner_pqe7ua.png" alt="OpenShift image security and cluster maintenance best practices" src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"></div>OpenShift image security and cluster maintenance best practices</a> <strong><small><time datetime="2020-12-02T08:00:00Z">Dec 02, 2020</time></small></strong></li><li><a href="/web/20210304001924/https://www.stackrox.com/post/2020/11/kubecon-2020-highlights-and-key-takeaways/"><div class="img-wrapper"><img class="blog-img cld-responsive" data-src="https://web.archive.org/web/20210304001924/https://res.cloudinary.com/stackrox/w_auto,dpr_auto,c_scale,fl_lossy,f_auto/v1606250196/kubecon-2020-highlights-takeaways-blog-banner_hhzi3g.jpg" alt="KubeCon 2020 Highlights and Key Takeaways" src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"></div>KubeCon 2020 Highlights and Key Takeaways</a> <strong><small><time datetime="2020-11-24T08:00:00Z">Nov 24, 2020</time></small></strong></li><li><a href="/web/20210304001924/https://www.stackrox.com/post/2020/11/cks-cncf-announcement-and-exam-study-tips/"><div class="img-wrapper"><img class="blog-img cld-responsive" 
data-src="https://web.archive.org/web/20210304001924/https://res.cloudinary.com/stackrox/w_auto,dpr_auto,c_scale,fl_lossy,f_auto/v1605804984/certified-kubernetes-security-specialist-stackrox-blog-banner_zty51q.jpg" alt="CKS CNCF Announcement and Exam Study Tips" src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"></div>CKS CNCF Announcement and Exam Study Tips</a> <strong><small><time datetime="2020-11-19T08:00:00Z">Nov 19, 2020</time></small></strong></li><li><a href="/web/20210304001924/https://www.stackrox.com/post/2020/11/openshift-runtime-security-best-practices/"><div class="img-wrapper"><img class="blog-img cld-responsive" data-src="https://web.archive.org/web/20210304001924/https://res.cloudinary.com/stackrox/w_auto,dpr_auto,c_scale,fl_lossy,f_auto/v1605561786/openshift-runtime-security-best-practices-blog-banner_begfaw.jpg" alt="OpenShift Runtime Security Best Practices" src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"></div>OpenShift Runtime Security Best Practices</a> <strong><small><time datetime="2020-11-16T20:00:00Z">Nov 16, 2020</time></small></strong></li><li><a href="/web/20210304001924/https://www.stackrox.com/post/2020/11/what-is-cncf-certified-kubernetes-security-specialist-cks-exam-and-what-is-covered/"><div class="img-wrapper"><img class="blog-img cld-responsive" data-src="https://web.archive.org/web/20210304001924/https://res.cloudinary.com/stackrox/w_auto,dpr_auto,c_scale,fl_lossy,f_auto/v1605207998/cncf-cks-intro-blog-banner_iygico.jpg" alt="What is CNCF’s CKS Exam and What is Covered?" 
src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"></div>What is CNCF’s CKS Exam and What is Covered?</a> <strong><small><time datetime="2020-11-12T08:00:00Z">Nov 12, 2020</time></small></strong></li><li><a href="/web/20210304001924/https://www.stackrox.com/post/2020/11/openshift-networking-and-cluster-access-best-practices/"><div class="img-wrapper"><img class="blog-img cld-responsive" data-src="https://web.archive.org/web/20210304001924/https://res.cloudinary.com/stackrox/w_auto,dpr_auto,c_scale,fl_lossy,f_auto/v1605029612/openshift-networking-best-practices_awahou.jpg" alt="OpenShift Networking and Cluster Access Best Practices" src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"></div>OpenShift Networking and Cluster Access Best Practices</a> <strong><small><time datetime="2020-11-10T08:00:00Z">Nov 10, 2020</time></small></strong></li><li><a href="/web/20210304001924/https://www.stackrox.com/post/2020/11/openshift-security-best-practices-part-1-of-5-cluster-design/"><div class="img-wrapper"><img class="blog-img cld-responsive" data-src="https://web.archive.org/web/20210304001924/https://res.cloudinary.com/stackrox/w_auto,dpr_auto,c_scale,fl_lossy,f_auto/v1604452798/openshift-security-best-practices-1-blog-banner_yjob9j.jpg" alt="OpenShift security best practices for K8s cluster design" src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"></div>OpenShift security best practices for K8s cluster design</a> <strong><small><time datetime="2020-11-03T08:00:00Z">Nov 03, 2020</time></small></strong></li><li><a href="/web/20210304001924/https://www.stackrox.com/post/2020/10/introducing-kubelinter-an-open-source-linter-for-kubernetes/"><div class="img-wrapper"><img class="blog-img cld-responsive" 
data-src="https://web.archive.org/web/20210304001924/https://res.cloudinary.com/stackrox/w_auto,dpr_auto,c_scale,fl_lossy,f_auto/v1603830204/kubelinter-launch-blog-banner_zqgguk.png" alt="KubeLinter: open source YAML linter / HELM linter for K8s" src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"></div>KubeLinter: open source YAML linter / HELM linter for K8s</a> <strong><small><time datetime="2020-10-28T08:00:00Z">Oct 28, 2020</time></small></strong></li><li><a href="/web/20210304001924/https://www.stackrox.com/post/2020/10/eks-vs-gke-vs-aks/"><div class="img-wrapper"><img class="blog-img cld-responsive" data-src="https://web.archive.org/web/20210304001924/https://res.cloudinary.com/stackrox/w_auto,dpr_auto,c_scale,fl_lossy,f_auto/v1581124405/eks-vs-gke-vs-aks-blog-banner_sgnqs6.png" alt="EKS vs GKE vs AKS - Evaluating Kubernetes in the Cloud" src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"></div>EKS vs GKE vs AKS - Evaluating Kubernetes in the Cloud </a><strong><small><time datetime="2020-10-01T07:00:00Z">Oct 01, 2020</time></small></strong></li><li><a href="/web/20210304001924/https://www.stackrox.com/post/2020/10/four-container-and-kubernetes-security-risks-you-should-mitigate/"><div class="img-wrapper"><img class="blog-img cld-responsive" data-src="https://web.archive.org/web/20210304001924/https://res.cloudinary.com/stackrox/w_auto,dpr_auto,c_scale,fl_lossy,f_auto/v1601572089/four-container-and-k8s-security-risks-blog-banner_poncsu.jpg" alt="Four Container and Kubernetes Security Risks You Should Mitigate" src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"></div>Four Container and Kubernetes Security Risks You Should Mitigate</a> <strong><small><time datetime="2020-10-01T07:00:00Z">Oct 01, 2020</time></small></strong></li><li><a href="/web/20210304001924/https://www.stackrox.com/post/2020/09/top-5-takeaways-from-the-latest-kubernetes-security-report/"><div 
class="img-wrapper"><img class="blog-img cld-responsive" data-src="https://web.archive.org/web/20210304001924/https://res.cloudinary.com/stackrox/w_auto,dpr_auto,c_scale,fl_lossy,f_auto/v1600378892/state-of-container-and-kubernetes-security-fall-2020-page-banner_yqsoqg.jpg" alt="Top 5 takeaways from the latest Kubernetes security report" src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"></div>Top 5 takeaways from the latest Kubernetes security report</a> <strong><small><time datetime="2020-09-23T08:00:00Z">Sep 23, 2020</time></small></strong></li><li><a href="/web/20210304001924/https://www.stackrox.com/post/2020/09/kubernetes-architecture-and-what-it-means-for-security/"><div class="img-wrapper"><img class="blog-img cld-responsive" data-src="https://web.archive.org/web/20210304001924/https://res.cloudinary.com/stackrox/w_auto,dpr_auto,c_scale,fl_lossy,f_auto/v1600297736/kube-architecture-blog-banner_szavki.jpg" alt="Kubernetes Architecture and What It Means for Security" src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"></div>Kubernetes Architecture and What It Means for Security</a> <strong><small><time datetime="2020-09-16T07:00:00Z">Sep 16, 2020</time></small></strong></li><li><a href="/web/20210304001924/https://www.stackrox.com/post/2020/09/guide-to-kubernetes-security-context-and-security-policies/"><div class="img-wrapper"><img class="blog-img cld-responsive" data-src="https://web.archive.org/web/20210304001924/https://res.cloudinary.com/stackrox/w_auto,dpr_auto,c_scale,fl_lossy,f_auto/v1599586265/k8s-security-context-blog-banner_yoaxkv.png" alt="Guide to Kubernetes security context & pod security policy (PSP)" src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"></div>Guide to Kubernetes security context & pod security policy (PSP)</a> <strong><small><time datetime="2020-09-08T07:00:00Z">Sep 08, 2020</time></small></strong></li><li><a 
href="/web/20210304001924/https://www.stackrox.com/post/2020/09/protecting-against-kubernetes-threats-chapter-8-lateral-movement/"><div class="img-wrapper"><img class="blog-img cld-responsive" data-src="https://web.archive.org/web/20210304001924/https://res.cloudinary.com/stackrox/w_auto,dpr_auto,c_scale,fl_lossy,f_auto/v1599020895/kube-attack-matrix-blog-8-banner_ukre6e.png" alt="Protecting Kubernetes Against MITRE ATT&CK: Lateral Movement" src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"></div>Protecting Kubernetes Against MITRE ATT&CK: Lateral Movement</a> <strong><small><time datetime="2020-09-01T07:00:00Z">Sep 01, 2020</time></small></strong></li><li><a href="/web/20210304001924/https://www.stackrox.com/post/2020/08/whats-new-in-kubernetes-1-19/"><div class="img-wrapper"><img class="blog-img cld-responsive" data-src="https://web.archive.org/web/20210304001924/https://res.cloudinary.com/stackrox/w_auto,dpr_auto,c_scale,fl_lossy,f_auto/v1597617741/kubernetes-1.19-release-blog-banner_g6udlh.png" alt="What’s New in Kubernetes 1.19? New Features and Updates" src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"></div>What’s New in Kubernetes 1.19? 
New Features and Updates</a> <strong><small><time datetime="2020-08-19T07:00:00Z">Aug 19, 2020</time></small></strong></li><li><a href="/web/20210304001924/https://www.stackrox.com/post/2020/08/protecting-against-kubernetes-threats-chapter-7-discovery/"><div class="img-wrapper"><img class="blog-img cld-responsive" data-src="https://web.archive.org/web/20210304001924/https://res.cloudinary.com/stackrox/w_auto,dpr_auto,c_scale,fl_lossy,f_auto/v1597293203/kubernetes-threat-chapter-7-blog-banner_a7xlze.png" alt="Protecting Kubernetes Against MITRE ATT&CK: Discovery" src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"></div>Protecting Kubernetes Against MITRE ATT&CK: Discovery</a> <strong><small><time datetime="2020-08-13T07:00:00Z">Aug 13, 2020</time></small></strong></li><li><a href="/web/20210304001924/https://www.stackrox.com/post/2020/08/gke-monitoring-best-practices-for-better-security-and-operability/"><div class="img-wrapper"><img class="blog-img cld-responsive" data-src="https://web.archive.org/web/20210304001924/https://res.cloudinary.com/stackrox/w_auto,dpr_auto,c_scale,fl_lossy,f_auto/v1597290075/gke-monitoring-best-practices-blog-banner_sno3gl.png" alt="GKE Monitoring Best Practices for Better Security and Operability" src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"></div>GKE Monitoring Best Practices for Better Security and Operability</a> <strong><small><time datetime="2020-08-12T21:00:00Z">Aug 12, 2020</time></small></strong></li><li><a href="/web/20210304001924/https://www.stackrox.com/post/2020/08/guide-to-gke-runtime-security-for-gcp-workloads/"><div class="img-wrapper"><img class="blog-img cld-responsive" data-src="https://web.archive.org/web/20210304001924/https://res.cloudinary.com/stackrox/w_auto,dpr_auto,c_scale,fl_lossy,f_auto/v1596754758/gke-runtime-security-blog-banner_n4t5k3.png" alt="Guide to GKE Runtime Security for GCP Workloads" 
src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"></div>Guide to GKE Runtime Security for GCP Workloads</a> <strong><small><time datetime="2020-08-06T07:00:00Z">Aug 06, 2020</time></small></strong></li><li><a href="/web/20210304001924/https://www.stackrox.com/post/2020/08/protecting-against-kubernetes-threats-chapter-6-credential-access/"><div class="img-wrapper"><img class="blog-img cld-responsive" data-src="https://web.archive.org/web/20210304001924/https://res.cloudinary.com/stackrox/w_auto,dpr_auto,c_scale,fl_lossy,f_auto/v1596650760/kubernetes-threat-number-six-access-credentials-blog-banner_olxdsw.png" alt="Protecting Kubernetes Against MITRE ATT&CK: Credential Access" src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"></div>Protecting Kubernetes Against MITRE ATT&CK: Credential Access</a> <strong><small><time datetime="2020-08-05T15:00:00Z">Aug 05, 2020</time></small></strong></li><li><a href="/web/20210304001924/https://www.stackrox.com/post/2020/08/eks-vs-gke-vs-aks-august-2020-updates/"><div class="img-wrapper"><img class="blog-img cld-responsive" data-src="https://web.archive.org/web/20210304001924/https://res.cloudinary.com/stackrox/w_auto,dpr_auto,c_scale,fl_lossy,f_auto/v1596612273/eks-vs-gke-vs-aks-august-blog-banner_kg7l6x.png" alt="EKS vs GKE vs AKS - August 2020 Update" src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"></div>EKS vs GKE vs AKS - August 2020 Update</a> <strong><small><time datetime="2020-08-04T07:00:00Z">Aug 04, 2020</time></small></strong></li><li><a href="/web/20210304001924/https://www.stackrox.com/post/2020/07/gke-networking-best-practices-for-security-and-operation/"><div class="img-wrapper"><img class="blog-img cld-responsive" data-src="https://web.archive.org/web/20210304001924/https://res.cloudinary.com/stackrox/w_auto,dpr_auto,c_scale,fl_lossy,f_auto/v1596073515/gke-network-best-practices-blog-banner_pardkg.png" alt="GKE 
Networking Best Practices for Security and Operation" src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"></div>GKE Networking Best Practices for Security and Operation</a> <strong><small><time datetime="2020-07-29T07:00:00Z">Jul 29, 2020</time></small></strong></li><li><a href="/web/20210304001924/https://www.stackrox.com/post/2020/07/protecting-against-kubernetes-threats-chapter-5-defense-evasion/"><div class="img-wrapper"><img class="blog-img cld-responsive" data-src="https://web.archive.org/web/20210304001924/https://res.cloudinary.com/stackrox/w_auto,dpr_auto,c_scale,fl_lossy,f_auto/v1595869834/kube-threat-attack-mitre-chapter-5-blog-banner_evewto.png" alt="Protecting Kubernetes Against MITRE ATT&CK: Defense Evasion" src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"></div>Protecting Kubernetes Against MITRE ATT&CK: Defense Evasion</a> <strong><small><time datetime="2020-07-27T07:00:00Z">Jul 27, 2020</time></small></strong></li><li><a href="/web/20210304001924/https://www.stackrox.com/post/2020/07/gke-security-best-practices-designing-secure-clusters/"><div class="img-wrapper"><img class="blog-img cld-responsive" data-src="https://web.archive.org/web/20210304001924/https://res.cloudinary.com/stackrox/w_auto,dpr_auto,c_scale,fl_lossy,f_auto/v1595383744/gke-security-best-practices-cluster-design-blog-banner-stackrox_lxs2do.jpg" alt="GKE Security Best Practices: Designing Secure Clusters" src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"></div>GKE Security Best Practices: Designing Secure Clusters</a> <strong><small><time datetime="2020-07-21T07:00:00Z">Jul 21, 2020</time></small></strong></li><li><a href="/web/20210304001924/https://www.stackrox.com/post/2020/07/protecting-against-kubernetes-threats-chapter-4-privilege-escalation/"><div class="img-wrapper"><img class="blog-img cld-responsive" 
data-src="https://web.archive.org/web/20210304001924/https://res.cloudinary.com/stackrox/w_auto,dpr_auto,c_scale,fl_lossy,f_auto/v1595194024/kube-threat-matrix-privilege-escalation-blog-banner_gqywwt.jpg" alt="Protecting Kubernetes Against MITRE ATT&CK: Privilege Escalation" src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"></div>Protecting Kubernetes Against MITRE ATT&CK: Privilege Escalation</a> <strong><small><time datetime="2020-07-19T07:00:00Z">Jul 19, 2020</time></small></strong></li><li><a href="/web/20210304001924/https://www.stackrox.com/post/2020/07/protecting-against-kubernetes-threats-chapter-3-persistence/"><div class="img-wrapper"><img class="blog-img cld-responsive" data-src="https://web.archive.org/web/20210304001924/https://res.cloudinary.com/stackrox/w_auto,dpr_auto,c_scale,fl_lossy,f_auto/v1594764204/kube-threat-matrix-blog-banner_dtk0m9.png" alt="Protecting Kubernetes Against MITRE ATT&CK: Persistence" src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"></div>Protecting Kubernetes Against MITRE ATT&CK: Persistence</a> <strong><small><time datetime="2020-07-14T07:00:00Z">Jul 14, 2020</time></small></strong></li><li><a href="/web/20210304001924/https://www.stackrox.com/post/2020/07/protecting-against-kubernetes-threats-chapter-2-execution/"><div class="img-wrapper"><img class="blog-img cld-responsive" data-src="https://web.archive.org/web/20210304001924/https://res.cloudinary.com/stackrox/w_auto,dpr_auto,c_scale,fl_lossy,f_auto/v1593718946/protecting-against-kubernetes-threats-chapter-2-execution-blog-banner_xc4b1c.jpg" alt="Protecting Kubernetes Against MITRE ATT&CK: Execution" src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"></div>Protecting Kubernetes Against MITRE ATT&CK: Execution</a> <strong><small><time datetime="2020-07-02T14:00:00Z">Jul 02, 2020</time></small></strong></li><li><a 
href="/web/20210304001924/https://www.stackrox.com/post/2020/07/cryptojacking-attacks-in-kubernetes-how-to-stop-them/"><div class="img-wrapper"><img class="blog-img cld-responsive" data-src="https://web.archive.org/web/20210304001924/https://res.cloudinary.com/stackrox/w_auto,dpr_auto,c_scale,fl_lossy,f_auto/v1593711929/cryptojacking-stackrox-blog-banner_hltrjo.png" alt="Cryptojacking Attacks in Kubernetes: How to Stop Them" src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"></div>Cryptojacking Attacks in Kubernetes: How to Stop Them</a> <strong><small><time datetime="2020-07-02T07:00:00Z">Jul 02, 2020</time></small></strong></li><li><a href="/web/20210304001924/https://www.stackrox.com/post/2020/06/eks-vs-gke-vs-aks-july-2020-updates/"><div class="img-wrapper"><img class="blog-img cld-responsive" data-src="https://web.archive.org/web/20210304001924/https://res.cloudinary.com/stackrox/w_auto,dpr_auto,c_scale,fl_lossy,f_auto/v1593555566/eks-vs-gke-vs-aks-july-2020-blog-banner_i9jofa.jpg" alt="EKS vs GKE vs AKS - July 2020 Update" src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"></div>EKS vs GKE vs AKS - July 2020 Update</a> <strong><small><time datetime="2020-06-26T07:00:00Z">Jun 26, 2020</time></small></strong></li><li><a href="/web/20210304001924/https://www.stackrox.com/post/2020/06/protecting-against-kubernetes-threats-chapter-1-initial-access/"><div class="img-wrapper"><img class="blog-img cld-responsive" data-src="https://web.archive.org/web/20210304001924/https://res.cloudinary.com/stackrox/w_auto,dpr_auto,c_scale,fl_lossy,f_auto/v1593125776/kuberntes-threat-vector-1-initial-access-blog-banner_eccnsr.png" alt="Protecting Kubernetes Against MITRE ATT&CK: Initial Access" src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"></div>Protecting Kubernetes Against MITRE ATT&CK: Initial Access</a> <strong><small><time datetime="2020-06-25T07:00:00Z">Jun 25, 
2020</time></small></strong></li><li><a href="/web/20210304001924/https://www.stackrox.com/post/2020/06/mitigating-kubernetes-cve-2020-10749/"><div class="img-wrapper"><img class="blog-img cld-responsive" data-src="https://web.archive.org/web/20210304001924/https://res.cloudinary.com/stackrox/w_auto,dpr_auto,c_scale,fl_lossy,f_auto/v1591375553/kube-vuln-blog-banner_xfxvcy.jpg" alt="Mitigating CVE-2020-10749 in Kubernetes Environments" src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"></div>Mitigating CVE-2020-10749 in Kubernetes Environments</a> <strong><small><time datetime="2020-06-05T07:00:00Z">Jun 05, 2020</time></small></strong></li><li><a href="/web/20210304001924/https://www.stackrox.com/post/2020/06/eks-vs-gke-vs-aks-june-2020-updates/"><div class="img-wrapper"><img class="blog-img cld-responsive" data-src="https://web.archive.org/web/20210304001924/https://res.cloudinary.com/stackrox/w_auto,dpr_auto,c_scale,fl_lossy,f_auto/v1591137598/eks-vs-gke-vs-aks-june-2020-updates-blog-banner_vfkcac.jpg" alt="EKS vs GKE vs AKS - June 2020 Update" src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"></div>EKS vs GKE vs AKS - June 2020 Update</a> <strong><small><time datetime="2020-06-02T07:00:00Z">Jun 02, 2020</time></small></strong></li><li><a href="/web/20210304001924/https://www.stackrox.com/post/2020/05/guide-to-evaluating-your-container-security-maturity/"><div class="img-wrapper"><img class="blog-img cld-responsive" data-src="https://web.archive.org/web/20210304001924/https://res.cloudinary.com/stackrox/w_auto,dpr_auto,c_scale,fl_lossy,f_auto/v1589682508/container-security-maturity-model-blog-banner_qnhy4q.jpg" alt="Guide to Evaluating Your Container Security Maturity" src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"></div>Guide to Evaluating Your Container Security Maturity</a> <strong><small><time datetime="2020-05-16T07:00:00Z">May 16, 
2020</time></small></strong></li><li><a href="/web/20210304001924/https://www.stackrox.com/post/2020/05/kubernetes-autoscaling-explained/"><div class="img-wrapper"><img class="blog-img cld-responsive" data-src="https://web.archive.org/web/20210304001924/https://res.cloudinary.com/stackrox/w_auto,dpr_auto,c_scale,fl_lossy,f_auto/v1589675952/kubernetes-autoscaling-blog-banner1_kmbkrb.jpg" alt="Kubernetes Autoscaling - 3 Common Methods Explained" src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"></div>Kubernetes Autoscaling - 3 Common Methods Explained</a> <strong><small><time datetime="2020-05-16T07:00:00Z">May 16, 2020</time></small></strong></li><li><a href="/web/20210304001924/https://www.stackrox.com/post/2020/05/kubernetes-security-101/"><div class="img-wrapper"><img class="blog-img cld-responsive" data-src="https://web.archive.org/web/20210304001924/https://res.cloudinary.com/stackrox/w_auto,dpr_auto,c_scale,fl_lossy,f_auto/v1563842597/kubernetes-security-101-blog-banner.jpg" alt="Kubernetes Security 101: Risks and 29 Best Practices" src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"></div>Kubernetes Security 101: Risks and 29 Best Practices</a> <strong><small><time datetime="2020-05-15T07:00:00Z">May 15, 2020</time></small></strong></li><li><a href="/web/20210304001924/https://www.stackrox.com/post/2020/05/custom-kubernetes-controls-with-open-policy-agent-opa-part-2/"><div class="img-wrapper"><img class="blog-img cld-responsive" data-src="https://web.archive.org/web/20210304001924/https://res.cloudinary.com/stackrox/w_auto,dpr_auto,c_scale,fl_lossy,f_auto/v1589304464/opa-blog-banner-part-2_auk13z.jpg" alt="Better Kubernetes Security with Open Policy Agent (OPA) - Part 2" src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"></div>Better Kubernetes Security with Open Policy Agent (OPA) - Part 2</a> <strong><small><time datetime="2020-05-12T17:00:00Z">May 12, 
2020</time></small></strong></li><li><a href="/web/20210304001924/https://www.stackrox.com/post/2020/04/enhancing-kubernetes-security-with-open-policy-agent-opa-part-1/"><div class="img-wrapper"><img class="blog-img cld-responsive" data-src="https://web.archive.org/web/20210304001924/https://res.cloudinary.com/stackrox/w_auto,dpr_auto,c_scale,fl_lossy,f_auto/v1588179341/opa-blog-banner_ti0jyx.jpg" alt="Better Kubernetes Security with Open Policy Agent (OPA) - Part 1" src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"></div>Better Kubernetes Security with Open Policy Agent (OPA) - Part 1</a> <strong><small><time datetime="2020-04-29T07:00:00Z">Apr 29, 2020</time></small></strong></li><li><a href="/web/20210304001924/https://www.stackrox.com/post/2020/04/aws-eks-monitoring-best-practices-for-stability-and-security/"><div class="img-wrapper"><img class="blog-img cld-responsive" data-src="https://web.archive.org/web/20210304001924/https://res.cloudinary.com/stackrox/w_auto,dpr_auto,c_scale,fl_lossy,f_auto/v1586918389/eks-monitoring-blog-banner_zdo7x0.jpg" alt="AWS EKS Monitoring Best Practices for Stability and Security" src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"></div>AWS EKS Monitoring Best Practices for Stability and Security</a> <strong><small><time datetime="2020-04-14T07:00:00Z">Apr 14, 2020</time></small></strong></li><li><a href="/web/20210304001924/https://www.stackrox.com/post/2020/04/container-image-security-beyond-vulnerability-scanning/"><div class="img-wrapper"><img class="blog-img cld-responsive" data-src="https://web.archive.org/web/20210304001924/https://res.cloudinary.com/stackrox/w_auto,dpr_auto,c_scale,fl_lossy,f_auto/v1586406865/container-image-security-beyond-scanning_btooqs.jpg" alt="Container Image Security: Beyond Vulnerability Scanning" src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"></div>Container Image Security: Beyond 
Vulnerability Scanning</a> <strong><small><time datetime="2020-04-08T07:00:00Z">Apr 08, 2020</time></small></strong></li><li><a href="/web/20210304001924/https://www.stackrox.com/post/2020/04/eks-runtime-security-best-practices-for-aws-workloads/"><div class="img-wrapper"><img class="blog-img cld-responsive" data-src="https://web.archive.org/web/20210304001924/https://res.cloudinary.com/stackrox/w_auto,dpr_auto,c_scale,fl_lossy,f_auto/v1586209551/eks-runtime-security-best-practices_vxigdw.jpg" alt="EKS Runtime Security Best Practices for AWS Workloads" src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"></div>EKS Runtime Security Best Practices for AWS Workloads</a> <strong><small><time datetime="2020-04-06T07:00:00Z">Apr 06, 2020</time></small></strong></li><li><a href="/web/20210304001924/https://www.stackrox.com/post/2020/03/eks-vs-gke-vs-aks-april-2020-updates/"><div class="img-wrapper"><img class="blog-img cld-responsive" data-src="https://web.archive.org/web/20210304001924/https://res.cloudinary.com/stackrox/w_auto,dpr_auto,c_scale,fl_lossy,f_auto/v1585713888/eks-vs-gke-vs-aks-april-update-blog-banner1_kdz0ht.png" alt="EKS vs GKE vs AKS - April 2020 Updates" src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"></div>EKS vs GKE vs AKS - April 2020 Updates</a> <strong><small><time datetime="2020-03-31T07:00:00Z">Mar 31, 2020</time></small></strong></li><li><a href="/web/20210304001924/https://www.stackrox.com/post/2020/03/eks-networking-best-practices/"><div class="img-wrapper"><img class="blog-img cld-responsive" data-src="https://web.archive.org/web/20210304001924/https://res.cloudinary.com/stackrox/w_auto,dpr_auto,c_scale,fl_lossy,f_auto/v1585621866/eks-networking-blog-banner_pp3zuw.jpg" alt="EKS Networking Best Practices for Security and Operation" src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"></div>EKS Networking Best Practices for Security and 