Baseline cluster security (#414)

Renamed the file to better match its actual intention. Signed-off-by: Hannes Baum <hannes.baum@cloudandheat.com>
SovereignCloudStack · Jan 4, 2024 · 349f9ed · 349f9ed
1 parent 5e6a6f3
commit 349f9ed
Showing 1 changed file with 7 additions and 7 deletions.
diff --git a/.../scs-0216-v1-cluster-baseline-security.md → .../scs-0217-v1-baseline-cluster-security.md b/.../scs-0216-v1-cluster-baseline-security.md → .../scs-0217-v1-baseline-cluster-security.md
@@ -24,8 +24,8 @@ Kubernetes clusters are highly configurable, which also gives rise to different
 problems, if the configuration isn't done properly.
 These security risks can potentially be exposed in many different parts of a cluster, e.g.
 different APIs, authorization and authentication procedures or even Pod privilege mechanisms.
-In order to mitigate these problems, different hardening and prevention steps and mechanisms
-could be used to increase the security of a Kubernetes setup.
+In order to mitigate these problems, different steps and mechanisms could be used to increase
+the security of a Kubernetes setup.
 
 ## Design Considerations
 
@@ -53,7 +53,7 @@ a reference to the CA keypair, which was used in the previous example to sign a
 
 ### Protected Kubernetes endpoints
 
-In order to secure a Kubernetes cluster, the protection and hardening of endpoints is important.
+In order to secure a Kubernetes cluster, the protection of endpoints is important.
 To do this, different approaches can be taken.
 
 #### TLS for all internal/API traffic
@@ -107,11 +107,11 @@ After that, the Kubelet calls the `SubjectAccessReview` API in order to determin
 
 ## Decision
 
-This standard tries to increase security for a Kubernetes cluster and harden it in order
-to provide a high security setup. For this to work, multiple measures need to be undertaken.
+This standard tries to increase security for a Kubernetes cluster in order to provide a
+solid baseline setup with regard to security. For this to work, multiple measures need to be undertaken.
 It is important to note that this standard is not REQUIRED for all clusters,
-but instead gives best practices for increasing security. Nevertheless, if a cluster is
-provided on the basis of high security, this standard MUST be applied.
+but instead gives best practices for increasing security. Nevertheless, if a cluster is claiming
+to be secure, this standard must be applied.
 
 A self-controlled CA SHOULD be used in order to be in control of the TLS certificates, which
 enables the operator to provide and revoke certificates according to the requirements.