Security recommendation/hardening guide for applications that use Kubernetes client

[AnshumanTripathi]

Create a security recommendation/hardening guide for applications that use the Kubernetes client. This could include different use-cases like:

1. Creating an application which runs kubectl commands.
2. An application that uses the Kubernetes client
3. A Kubernetes Operator

[chadmcrowell]

Hello, I'd like to contribute here. Just to be clear, the guide would focus on the security recommendations for applications interacting with the Kubernetes API? I can contribute in the following ways to recommend:

• handling of sensitive data (e.g. config, secrets, user creds)
• corruption of data or tampering
• security controls for principle of least privilege
• tightening up RBAC
• dependency control and vulnerability management
• enforcing network policy
• security of apps to maximize availability
• reduce attack vectors, and maintaining isolated workloads
• compliance and audit requirements
• supply chain attack prevention
• establish zero-trust for apps interacting with Kubernetes

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale