Merge pull request #40915 from mrgiles/37738_securing_cluster_checklist_align

Add links between Securing a Cluster and Security Checklist for alignment
pull/41159/head
Kubernetes Prow Robot 2023-05-15 13:45:34 -07:00 committed by GitHub
commit 821ca22ac1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 7 additions and 2 deletions


@ -423,6 +423,8 @@ alpha state but could be considered for certain use cases:
- [RBAC Good Practices](/docs/concepts/security/rbac-good-practices/) for
further information on authorization.
- [Securing a Cluster](/docs/tasks/administer-cluster/securing-a-cluster/) for
information on protecting a cluster from accidental or malicious access.
- [Cluster Multi-tenancy guide](/docs/concepts/security/multi-tenancy/) for
configuration options recommendations and best practices on multi-tenancy.
- [Blog post "A Closer Look at NSA/CISA Kubernetes Hardening Guidance"](/blog/2021/10/05/nsa-cisa-kubernetes-hardening-guidance/#building-secure-container-images)
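Review bot: the two new list items ("Securing a Cluster" and "Cluster Multi-tenancy guide") follow the existing "link plus one-line description" pattern, but the last item, `- [Blog post "A Closer Look at NSA/CISA Kubernetes Hardening Guidance"](...)`, still has no description, so the list ends inconsistently; consider adding a short "for ..." clause to it in the same style, and check whether the "Securing a Cluster" entry should sit next to the "RBAC Good Practices" entry it complements rather than between it and the multi-tenancy guide.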


@ -224,7 +224,7 @@ The shorter the lifetime of a secret or credential the harder it is for an attac
use of that credential. Set short lifetimes on certificates and automate their rotation. Use
an authentication provider that can control how long issued tokens are available and use short
lifetimes where possible. If you use service-account tokens in external integrations, plan to
rotate those tokens frequently. For example, once the bootstrap phase is complete, a bootstrap
rotate those tokens frequently. For example, once the bootstrap phase is complete, a bootstrap
token used for setting up nodes should be revoked or its authorization removed.
### Review third party integrations before enabling them
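Review bot: the removed and re-added line `rotate those tokens frequently. For example, once the bootstrap phase is complete, a bootstrap` read identically in this view, so the actual change in this hunk (most likely trailing whitespace or a line-ending fix) is not visible and is unrelated to the PR's stated purpose of cross-linking the two pages; please confirm what changed, and consider keeping whitespace-only edits out of a content PR so the diff stays reviewable.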
@ -255,7 +255,7 @@ and may grant an attacker significant visibility into the state of your cluster.
your backups using a well reviewed backup and encryption solution, and consider using full disk
encryption where possible.
Kubernetes supports optional [encryption at rest](/docs/tasks/administer-cluster/encrypt-data/) for information in the Kubernetes API.
Kubernetes supports optional [encryption at rest](/docs/tasks/administer-cluster/encrypt-data/) for information in the Kubernetes API.
This lets you ensure that when Kubernetes stores data for objects (for example, `Secret` or
`ConfigMap` objects), the API server writes an encrypted representation of the object.
That encryption means that even someone who has access to etcd backup data is unable
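Review bot: as with the previous hunk, the `-`/`+` pair at `Kubernetes supports optional [encryption at rest](/docs/tasks/administer-cluster/encrypt-data/) for information in the Kubernetes API.` shows no visible difference, so this is presumably a whitespace change; while touching the line, it could also be rewrapped to the roughly 100-column width used by the surrounding paragraph, since it is noticeably longer than its neighbours.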
@ -272,3 +272,6 @@ group for emails about security announcements. See the
page for more on how to report vulnerabilities.
## What's next
- [Security Checklist](/docs/concepts/security/security-checklist/) for additional information on Kubernetes security guidance.
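Review bot: the new `## What's next` section is the intended counterpart of the "Securing a Cluster" link added in the first hunk, which gives the two pages the symmetric cross-reference the PR title describes; before merging, check that a literal `## What's next` heading matches how neighbouring task pages in this docs tree render that section (the site's other pages commonly use its "whatsnext" heading shortcode rather than literal heading text), and that a blank line separates the heading from the preceding `page for more on how to report vulnerabilities.` paragraph.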