Conclusions, take-aways, and next steps.
My personal religion is to believe that pretending tools can do the same job as a good security review of a Kubernetes cluster is the first stage of the a-Pod-calypse (yeah, I said it!). Kubernetes is sensitive and doesn’t like to be judged by tools.
While there are some things you should consider tooling up for, like vulnerability scanning, runtime security verification, and storage permission checks, you’ll never be able to reach a definitive conclusion about a cluster’s overall risk without the context of its environment.
And if you work within a security team, you don’t always have the privilege of just diving into a problem and fixing it. Or maybe you know that you just don’t know enough to fix the problems, let alone identify them. This guide was aimed at helping you there.
If you’d like a concise, quick guide you can easily reference, I’ve created a cheatsheet with the key points and commands to remember.
Sign up for the free tl;dr sec newsletter at the bottom and I’ll send you the cheatsheet, and a PDF version of this guide!
May you stay safe and keep your risks to a quantifiable minimum.