[Standardization] Baseline K8s cluster security (#415) #376
Conversation
cah-hbaum
added
Container
cah-hbaum
force-pushed
the
issue/415
branch
3 times, most recently
from
6ceff67
to
8502cef
Compare
|
This standard is written for now but probably needs a rework. Please make some improvements to the text or some proposals about additional hardening steps if they seem useful to you. What I also found problematic is that this standard is one of those that can't be made MANDATORY (so I couldn't write MUST for the entire standard), since not all clusters need to be "secure" or it's just not possible for specific setups. |
There was a problem hiding this comment.
Nice work, Hannes!
What we need to do is to start having a discussion with our container team:
- Do we find consensus on what we recommend and what we require?
- Can we implement all of this in Cluster Stacks? And could we at least implement this in good old k8s-cluster-api-provider? (We need to decide how much of this we still want to add to old v1 KaaS which has only a limited life time left --things that are risky, very tedious for us or have the effect of breaking users or requiring significant changes on their side are probably not good for our old solution.)
@jschoone - can you take it there?
cah-hbaum
force-pushed
the
issue/415
branch
2 times, most recently
from
5734b98
to
e564461
Compare
cah-hbaum
changed the title
|
Updated the document to be about baseline security measures just how it was exchanged with @joshmue. |
cah-hbaum
changed the title
|
Hi @bitkeks, @cah-hbaum and @joshmue. What's the state here? It looks like we have enough approvals to merge before it gets more complicated. |
|
LGTM, already approved! @artificial-intelligence has remaining changes that need to be resolved. |
|
TBF I don't know how to adapt the document to "appeal" more to the requested changes from @artificial-intelligence. Either he suggests some general changes (like he's written in his comment) or approves or we will be stuck here. |
|
Hi @artificial-intelligence, could you please add suggestions to your change requests? Otherwise we would like to merge, since this is in Draft state we can add improvements later. |
|
Pinging @artificial-intelligence again, since the last time was two weeks ago. I still don't know how to change the paragraphs up in order to make it compliant with your vision of them. |
I don't find it reasonable to expect from reviewers to redraft completely missing necessary implementation details for a standards document. This is work that is expected to be done by the authors of the document imho, because that is the main thing which needs to be done, when drafting such a document. I'll thus remove myself from the reviewers of the document. I don't have currently the time to write the necessary detailed spec to make authn and authz reasonable secure. As this is completely left for the implementer to decide - and people will get this wrong, sooner or later - I guess there is no consensus here on how to do secure RBAC authn/autz, so even if I had the time, I can't write something down when there is no consensus, which is the point of standards. I wish you good luck with the ongoing effort to secure Kubernetes. |
|
I don't seem to be able to remove myself from this review somehow. Two days ago I didn't show up when I removed myself. Now I'm again listed as a reviewer. |
artificial-intelligence
requested review from
artificial-intelligence
and removed request for
artificial-intelligence
|
Worked now it seems like. |
|
It seems github review is totally broken. I need to either request changes (I didn't want to request further changes) or I need to approve the change (I honestly don't want to approve it). But as we are stuck with this, I just "approved" this now. |
cah-hbaum
force-pushed
the
issue/415
branch
2 times, most recently
from
1662eab
to
6870bf0
Compare
This commit adds a standard for high security setups, which should increase the overall of a Kubernetes cluster. Signed-off-by: Hannes Baum <hannes.baum@cloudandheat.com>
Signed-off-by: Kurt Garloff <kurt@garloff.de>
Added some notes for the ports and shortened the motivation. Signed-off-by: Hannes Baum <hannes.baum@cloudandheat.com>
Renamed the file to better match its actual intention. Signed-off-by: Hannes Baum <hannes.baum@cloudandheat.com>
|
Merging this now, we will continue in #475 to address issues brought up here. |
This PR adds a standard for high security setups, which should increase the overall of a Kubernetes cluster.Edit: After communicating with @joshmue, this is being renamed into "Baseline K8s cluster security", since we only put up a few points which should be important for a starting security setup.
Closes SovereignCloudStack/issues#415