Benchmarking cluster security and how to improve it.
We use KubeSec to scan Kubernetes resources and score them against known issues.
Run active or passive vulnerability scanning on your cluster:
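As an added illustration of the kind of scoring KubeSec performs (this is not KubeSec's own code or rule set), a small scorer that walks a Pod manifest, flags risky settings and rewards hardening ones. The rules, point values and sample manifests are constructed assumptions for the example.

```python
# Simplified Pod-manifest scorer in the spirit of KubeSec. Rules and point
# values are illustrative assumptions, not KubeSec's actual rule set.
def _sc(container):
    return container.get("securityContext") or {}

def _caps(container, kind):
    """Capabilities listed under securityContext.capabilities.<kind>."""
    return (_sc(container).get("capabilities") or {}).get(kind) or []

# Pod-level rules: (name, points, predicate over the pod spec).
POD_RULES = [
    ("hostNetwork enabled", -9, lambda s: s.get("hostNetwork") is True),
    ("hostPID enabled", -9, lambda s: s.get("hostPID") is True),
]

# Container-level rules: negative points flag risk, positive reward hardening.
CONTAINER_RULES = [
    ("privileged container", -30, lambda c: _sc(c).get("privileged") is True),
    ("CAP_SYS_ADMIN added", -30, lambda c: "SYS_ADMIN" in _caps(c, "add")),
    ("runAsNonRoot", 1, lambda c: _sc(c).get("runAsNonRoot") is True),
    ("readOnlyRootFilesystem", 1, lambda c: _sc(c).get("readOnlyRootFilesystem") is True),
    ("drops ALL capabilities", 1, lambda c: "ALL" in _caps(c, "drop")),
    ("resource limits set", 1, lambda c: "limits" in (c.get("resources") or {})),
]

def score_pod(manifest):
    """Return (score, findings) for a Pod manifest given as a dict.
    findings is a list of (scope, rule, points). A negative total means a
    critical setting is present and the manifest should fail the CI gate."""
    spec = manifest.get("spec") or {}
    score, findings = 0, []
    for name, points, pred in POD_RULES:
        if pred(spec):
            score += points
            findings.append(("pod", name, points))
    for c in spec.get("containers") or []:
        for name, points, pred in CONTAINER_RULES:
            if pred(c):
                score += points
                findings.append((c.get("name", "?"), name, points))
    return score, findings

# Constructed sample manifests (not from the page): a risky Pod and a hardened one.
RISKY_POD = {"kind": "Pod", "spec": {"hostPID": True, "containers": [
    {"name": "app", "image": "example/app:1.0",
     "securityContext": {"privileged": True}}]}}
HARDENED_POD = {"kind": "Pod", "spec": {"containers": [
    {"name": "app", "image": "example/app:1.0",
     "resources": {"limits": {"cpu": "500m", "memory": "128Mi"}},
     "securityContext": {"runAsNonRoot": True, "readOnlyRootFilesystem": True,
                         "capabilities": {"drop": ["ALL"]}}}]}}
```

Calling `score_pod(RISKY_POD)` yields a negative total (hostPID plus a privileged container), while `score_pod(HARDENED_POD)` scores positively on every hardening rule; the same shape of check is what a CI gate would run before a manifest is applied.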
- CICD Scanner for container images
- Container image scanning in the registry
- Policies are important for governance on top of Kubernetes.
- Advanced admission controller guide
- PodSecurityPolicies
- Most of the time, running Vault in your cluster is a huge undertaking.
- If you have a fully fledged SecOps team with a good understanding of Kubernetes operators to run the Vault operator, then that is preferred.
- However, for most dev teams a lightweight solution like Sealed Secrets is the way to start encrypting secrets in a GitOps fashion:
- https://engineering.bitnami.com/articles/sealed-secrets.html
- https://github.com/weaveworks/flux-get-started/blob/master/releases/redis-auth.yaml
- https://github.com/stefanprodan/gitops-helm#managing-kubernetes-secrets
- kube-bench scans your cluster against the CIS Kubernetes Benchmark.
- Here is the CIS security benchmark:
- https://www.cisecurity.org/benchmark/kubernetes/