Chapter 3. Cluster Hardening

The domain “cluster hardening” covers the topics that matter for keeping a cluster as secure as possible after it has been set up and configured initially. In the course of this chapter you will notice that I reference concepts and practices that usually fall to Kubernetes administrators. Where appropriate, I will point to the topics that the CKA exam already covers.

At a high level, this chapter covers the following concepts:

  • Restricting access to the Kubernetes API

  • Configuring role-based access control (RBAC) to minimize exposure

  • Exercising caution in using service accounts

  • Updating Kubernetes frequently

Interacting with the Kubernetes API

The API server is the gateway to the Kubernetes cluster. Every human user, client (such as kubectl), cluster component, and service account reaches the API server by making a RESTful API call over HTTPS. It is the central point for operations such as creating a Pod or deleting a Service, and because every operation funnels through it, it is also the point at which access to the cluster has to be controlled.

In this section, we’ll only focus on the security-specific aspects relevant to the API server. For a detailed discussion on the inner workings of the API server and the usage of the Kubernetes API, refer to the book Managing Kubernetes by Brendan Burns and Craig Tracey (O’Reilly).
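The following is an added example, not code from the study guide: a minimal client that does what kubectl does under the hood, building the REST path, attaching the caller's identity as a bearer token, verifying the API server's certificate against the cluster CA, and parsing the PodList response. The service account mount paths under /var/run/secrets/kubernetes.io/serviceaccount and the KUBERNETES_SERVICE_HOST/PORT environment variables are assumptions about the standard in-cluster environment, not something the book states; the sample response body is constructed for the example.

```python
"""Talk to the Kubernetes API server directly over HTTPS (added example).

Assumptions (not from the book): the kubelet mounts the service account token,
namespace and cluster CA under SA_DIR, and injects KUBERNETES_SERVICE_HOST and
KUBERNETES_SERVICE_PORT into every Pod's environment.
"""
import json
import os
import ssl
import urllib.error
import urllib.request
from typing import List, Optional

SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"


def api_url(server: str, namespace: str, resource: str, name: Optional[str] = None) -> str:
    """Build the REST path for a namespaced core (v1) resource, e.g.
    https://10.96.0.1:443/api/v1/namespaces/default/pods/web-0."""
    path = f"/api/v1/namespaces/{namespace}/{resource}"
    if name:
        path += f"/{name}"
    return server.rstrip("/") + path


def build_request(url: str, token: str, method: str = "GET") -> urllib.request.Request:
    """Attach the caller's identity. The API server authenticates the bearer
    token before it makes any authorization decision about the request."""
    req = urllib.request.Request(url, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Accept", "application/json")
    return req


def make_tls_context(ca_file: str) -> ssl.SSLContext:
    """Pin trust to the cluster CA and keep hostname checking on. Disabling
    verification (kubectl --insecure-skip-tls-verify, curl -k) hands the bearer
    token to anyone who can sit between the client and the API server."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def pod_names(body: bytes) -> List[str]:
    """Extract Pod names from a PodList response body; refuse anything else
    (for example the Status object returned on a 403)."""
    doc = json.loads(body)
    if doc.get("kind") != "PodList":
        raise ValueError(f"unexpected kind in response: {doc.get('kind')}")
    return [item["metadata"]["name"] for item in doc.get("items", [])]


def list_pods_in_cluster() -> List[str]:
    """Run from inside a Pod: use the mounted token, namespace and CA."""
    host = os.environ["KUBERNETES_SERVICE_HOST"]
    port = os.environ.get("KUBERNETES_SERVICE_PORT", "443")
    with open(f"{SA_DIR}/token") as f:
        token = f.read().strip()
    with open(f"{SA_DIR}/namespace") as f:
        namespace = f.read().strip()
    req = build_request(api_url(f"https://{host}:{port}", namespace, "pods"), token)
    try:
        with urllib.request.urlopen(req, context=make_tls_context(f"{SA_DIR}/ca.crt"), timeout=10) as resp:
            return pod_names(resp.read())
    except urllib.error.HTTPError as err:
        # 401: the token was not accepted (authentication); 403: the identity
        # was accepted but is not allowed to list pods here (authorization).
        raise SystemExit(f"API server returned {err.code} for {req.full_url}") from err


if __name__ == "__main__":
    print(list_pods_in_cluster())
```

Run it from a Pod whose service account is allowed to list pods in its own namespace; a 403 here is the cheapest way to confirm that a service account really is as restricted as its RBAC bindings suggest.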

Processing a Request

Figure 3-1 illustrates the stages a request goes through when a call is made to the API server. For reference, you can find more information in the Kubernetes documentation ...

Get Certified Kubernetes Security Specialist (CKS) Study Guide now with the O’Reilly learning platform.