Improve security-related documentation

[sftim]

This is an umbrella issue

What would you like to be added Review and possibly revise the existing pages on the topic of Kubernetes security.

Why is this needed It's important to help readers understand how to make sure a Kubernetes cluster has appropriate security controls.

Comments

Look at the overall body of topics related to security context and policy. Do we have the right set of topics? Have we covered all the important points?. Is there overlap that could be reduced? Here are some of the existing topics:

• Security
• Controlling Access To The Kubernetes API
• TLS and tasks in that section
• Pod Security Policies
• Securing a Cluster
• Using RBAC Authorization
• Using Admission Controllers
• Network Policies
• Configure a Security Context for a Pod or Container After choosing a set of topics, apply the appropriate template: Concept or Task. Edit the topics to comply with our style guide. Check for accuracy and also fit against the CNCF cloud native security white paper

/sig security

[kbhawkey]

/triage accepted

[kbhawkey]

The docs security overview concept page contains a table of links as well as more links (Secrets, encryption at rest, ...) at the bottom of the page.

[sftim]

I reckon it'd be handy if we could find a way to link to https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ and maybe draw inspiration from https://aws.github.io/aws-eks-best-practices/security/docs/

[savitharaghunathan]

/priority important-longterm

[fejta-bot]

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale

[kbhawkey]

/remove-lifecycle stale

[sftim]

Also see issue #27515

[fejta-bot]

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

[savitharaghunathan]

/remove-lifecycle rotten

[sftim]

https://github.com/kubernetes/website/issues/27370#issuecomment-900397304 feels relevant too

[sftim]

/remove-lifecycle rotten

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[savitharaghunathan]

/remove-lifecycle stale

[shannonxtreme]

/lifecycle frozen

[sftim]

Is this issue still needed? It might be too broad.

[shannonxtreme]

Might be too broad yes. I think there are useful asks in it though. Some have been improved on since this was opened. Maybe this could morph into a collection of the various umbrella issues like ServiceAccount, Secrets, etc? Or we can just close this

[raesene]

One point on this is that I think "securing a cluster" would be replaced by a combination of the hardening guide that's in progress and the security checklist.

[sftim]

If people have bookmarked https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/ and go to that URL, what should (eventually) happen?

[sftim]

Also see https://github.com/kubernetes/website/issues/44169

[sftim]

Also see https://github.com/kubernetes/website/issues/44430

[adityasamant25]

Will it be good to add more content to the Security Tutorials on topics that complement Kubernetes security by using 3rd party tools? I'm thinking of step-by-step guides that people can follow along on their local K8S clusters (minikube?).

Topic examples could be implementing policies using OPA Gatekeeper, Runtime sandboxes like gvisor, trivy for vulnerability scanning etc. I know these topics are discussed in older blog posts or the community forums, but could be good to have them listed in the official tutorials. The basic commands and tutorials can be explained with reference to the official documentation of the 3rd party tools if people want to get into the details.

[kumarankit999]

Yes, @adityasamant25 I'm agree with you that we can add more content like this above!!

[sftim]

Topic examples could be implementing policies using OPA Gatekeeper, Runtime sandboxes like gvisor, trivy for vulnerability scanning etc. I know these topics are discussed in older blog posts or the community forums, but could be good to have them listed in the official tutorials.

Those might be better handled as newer blog posts. We try not to document too much about 3rd party software, as it is harder to maintain. If the original blog article's author supports it, we could also link a new article to the previous article and vice versa.

[kumarankit999]

Yes @sftim, how are we achieving that?

[sftim]

Yes @sftim, how are we achieving that?

My role here is principally as reporter; I'm the person who suggested that an improvement is needed.

Specifically to @adityasamant25's question:

Will it be good to add more content to the Security Tutorials on topics that complement Kubernetes security by using 3rd party tools?

then the answer is in my opinion ”No”.

If you'd like to write more blogs about using 3rd party tools to secure your cluster, that could be handy. I think using a separate issue to track that work would help, though. Doing that leaves this issue to track the topic at hand.

[sftim]

Also see https://github.com/kubernetes/website/issues/48546