From f15544ff9579eeb008c0a525693a26950eb8469e Mon Sep 17 00:00:00 2001 From: Hannes Baum Date: Thu, 7 Dec 2023 14:48:37 +0100 Subject: [PATCH] Baseline cluster security (#414) Renamed the file to better match its actual intention. Signed-off-by: Hannes Baum --- ...md => scs-0216-v1-baseline-cluster-security.md} | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) rename Standards/{scs-0216-v1-cluster-baseline-security.md => scs-0216-v1-baseline-cluster-security.md} (94%) diff --git a/Standards/scs-0216-v1-cluster-baseline-security.md b/Standards/scs-0216-v1-baseline-cluster-security.md similarity index 94% rename from Standards/scs-0216-v1-cluster-baseline-security.md rename to Standards/scs-0216-v1-baseline-cluster-security.md index 18506ccda..9692173ed 100644 --- a/Standards/scs-0216-v1-cluster-baseline-security.md +++ b/Standards/scs-0216-v1-baseline-cluster-security.md @@ -24,8 +24,8 @@ Kubernetes clusters are highly configurable, which also gives rise to different problems, if the configuration isn't done properly. These security risks can potentially be exposed in many different parts of a cluster, e.g. different APIs, authorization and authentication procedures or even Pod privilege mechanisms. -In order to mitigate these problems, different hardening and prevention steps and mechanisms -could be used to increase the security of a Kubernetes setup. +In order to mitigate these problems, different steps and mechanisms could be used to increase +the security of a Kubernetes setup. ## Design Considerations @@ -53,7 +53,7 @@ a reference to the CA keypair, which was used in the previous example to sign a ### Protected Kubernetes endpoints -In order to secure a Kubernetes cluster, the protection and hardening of endpoints is important. +In order to secure a Kubernetes cluster, the protection of endpoints is important. To do this, different approaches can be taken. #### TLS for all internal/API traffic 
@@ -107,11 +107,11 @@ After that, the Kubelet calls the `SubjectAccessReview` API in order to determin ## Decision -This standard tries to increase security for a Kubernetes cluster and harden it in order -to provide a high security setup. For this to work, multiple measures need to be undertaken. +This standard tries to increase security for a Kubernetes cluster in order to provide a +solid baseline setup with regard to security. For this to work, multiple measures need to be undertaken. It is important to note that this standard is not REQUIRED for all clusters, -but instead gives best practices for increasing security. Nevertheless, if a cluster is -provided on the basis of high security, this standard MUST be applied. +but instead gives best practices for increasing security. Nevertheless, if a cluster is claiming +to be secure, this standard must be applied. A self-controlled CA SHOULD be used in order to be in control of the TLS certificates, which enables the operator to provide and revoke certificates according to the requirements.
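Review bot: in the `@@ -24,8 +24,8 @@` hunk and the accompanying rename (`scs-0216-v1-cluster-baseline-security.md` to `scs-0216-v1-baseline-cluster-security.md`), this patch touches only the renamed file (`1 file changed`), so any link, index entry or tooling reference elsewhere in the repository that still points at the old filename will break once this lands; please search for the old name and update those references in the same change, or state in the commit message that none exist.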
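Review bot: in the `@@ -107,11 +107,11 @@` hunk the normative keyword is downgraded from `MUST` to lowercase `must` while the same paragraph keeps `REQUIRED` and the next sentence keeps `SHOULD` in RFC 2119 uppercase; if the standard is still meant to be binding for clusters that claim the baseline, keep `this standard MUST be applied` so readers and keyword-checking tooling treat it as a requirement. The new trigger `if a cluster is claiming to be secure` is also vaguer than the replaced `provided on the basis of high security`; consider naming the concrete condition, for example a provider advertising conformance with this baseline standard.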