# Security

# Work environment

  • Enable automatic updates in the OS.
  • For Windows users:
    • Use licensed Windows.
    • Use Anti-Virus software.
    • Use Firewall software.

# Kubernetes

  • Etcd must be encrypted.
  • Etcd's backups must be encrypted and stored on our S3 instance. We must verify twice a year that the backups are valid.
  • CIS Benchmark must be automatically performed every 1-2 days.
  • (WIP) Audit log and Falco must be configured on each master node.
  • Do not assign any permissions to the default service account.
  • Prevent access to the Kube API from pods.

Specify requests and limits for pods.

  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: false
  runAsNonRoot: true
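
The following check is an added example, not part of our tooling: it audits a Pod manifest (parsed from `kubectl get pod -o json`) against the rules above. The function name, the sample manifests, requiring both `cpu` and `memory`, and using `automountServiceAccountToken: false` as the way to keep pods off the Kube API are assumptions.

```python
def audit_pod(pod):
    """Return findings for one Pod manifest; an empty list means it passes."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    findings = []
    # Assumption: "no Kube API access from pods" is enforced by not mounting
    # the service account token; the field defaults to mounted when unset.
    if spec.get("automountServiceAccountToken") is not False:
        findings.append("pod: service account token is auto-mounted")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "?")
        res = c.get("resources") or {}
        for kind in ("requests", "limits"):
            for unit in ("cpu", "memory"):  # assumption: both are required
                if unit not in (res.get(kind) or {}):
                    findings.append(f"{name}: missing resources.{kind}.{unit}")
        sc = c.get("securityContext") or {}
        # allowPrivilegeEscalation exists only at container level.
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
        # runAsNonRoot may be set on the pod; a container value overrides it.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f"{name}: runAsNonRoot is not true")
    return findings

# Constructed sample manifests (not taken from a real cluster).
WEAK_POD = {
    "spec": {"containers": [{
        "name": "app",
        "resources": {"requests": {"cpu": "100m", "memory": "64Mi"}},
        "securityContext": {"runAsNonRoot": True},
    }]},
}
HARDENED_POD = {
    "spec": {
        "automountServiceAccountToken": False,
        "securityContext": {"runAsNonRoot": True},
        "containers": [{
            "name": "app",
            "resources": {"requests": {"cpu": "100m", "memory": "64Mi"},
                          "limits": {"cpu": "500m", "memory": "128Mi"}},
            "securityContext": {"allowPrivilegeEscalation": False},
        }],
    },
}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(label, audit_pod(pod) or "OK")
```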


# Docker

  • Use a specific version number of the image instead of :latest.
  • Prefer official (hub.docker.com/_/) images or images built on our Gitlab. If you really need a 3rd party image, check it and scan it with Trivy, then specify the sha256: digest of the image.

Use multi-stage build to decrease the image size.

  • Make /etc read-only:

    RUN chmod a-w /etc
  • Run the app in the container as a user instead of root:

    RUN groupadd -r app && useradd --no-log-init -r -g app app
    USER app
  • Delete shell:

    RUN rm -rf /bin/*


# Checklist

Please read the section with stage examples.

Last Updated: 10/28/2021, 8:19:03 AM