Cloud Metadata Service Mitigation
How to prevent pods from accessing cloud provider metadata services (IMDS) and stealing IAM credentials in Kubernetes.
How to use supplementalGroupsPolicy: Strict to prevent container images from injecting unauthorized supplemental group IDs into Kubernetes pod processes.
Learn strategies to mitigate Distributed Denial-of-Service (DDoS) attacks in Kubernetes clusters.
Protect CoreDNS from spoofing, cache poisoning, DNS tunneling, and unauthorized modifications to enhance Kubernetes cluster security.
How to configure Linux capabilities in Kubernetes pod security contexts to prevent privilege escalation and reduce the container attack surface.
Restrict and monitor outbound traffic from Kubernetes workloads to prevent data exfiltration, command-and-control communication, and unauthorized external access.
How to use KubeletFineGrainedAuthz (GA in Kubernetes v1.36) to grant least-privilege access to specific kubelet API endpoints without the broad nodes/proxy permission.
Best practices to prevent the exposure of sensitive data in Kubernetes through secure secrets management techniques and external secret stores.
Overview of Kubernetes Kubelet security covering authentication, authorization, TLS, resource limits, and hardening best practices.
How to configure Kubernetes audit logging to record API server activity for security monitoring, incident detection, and compliance requirements.
Explore how Network Policies in Kubernetes control traffic flow and enhance security.
Learn how Kubernetes Pod Security Standards (PSS) enforce security controls for workloads and replace the deprecated Pod Security Policies (PSP).
Why the gitRepo volume driver was removed in Kubernetes v1.36, and how to migrate existing workloads to the init container pattern recommended by kubernetes.io.
How to restrict anonymous access to the Kubernetes API server to specific endpoints using AuthenticationConfiguration, stable since Kubernetes 1.34.
How to control ephemeral container and kubectl debug access through RBAC, Pod Security Standards, and admission control in Kubernetes.
How to disable kubelet anonymous authentication, configure certificate-based authentication, and implement proper authorization to protect Kubernetes nodes.
How to protect Kubernetes PersistentVolumes from unauthorized access, data exposure, and cross-namespace attacks through proper configuration and RBAC.
Best practices for protecting the Kubernetes API server against unauthorized access and exploitation.
Improve Kubernetes security by implementing mutual TLS (mTLS), zero-trust networking, and policy-based access control using service meshes like Istio, Linkerd, and Cilium.
How to safely configure kernel parameters via sysctls in Kubernetes pods, distinguish safe from unsafe sysctls, and enforce restrictions using Pod Security Standards.
How to use Linux user namespaces in Kubernetes pods to isolate container UIDs from the host and reduce the blast radius of container escapes.