# Security
# Work environment
- Enable auto updates in OS.
- For Windows users:
  - Use licensed Windows.
  - Use Anti-Virus software.
  - Use Firewall software.
# Kubernetes
- Etcd must be encrypted.
- Etcd's backups must be encrypted and stored on our S3 instance. We must validate that the backups are restorable twice a year.
- The CIS Benchmark must be run automatically every 1-2 days.
- (WIP) Audit log and Falco must be configured on each master node.
- Do not assign any permissions to the default service account.
- Prevent pods from accessing the Kube API.
- Specify requests and limits for pods.
- Configure Liveness, Readiness, and Startup Probes.
- Use official images as base images, build them on our side, or pin the 3rd-party image by its digital signature (sha digest).
- Test images for vulnerabilities with Trivy in the CI/CD pipeline before the deploy stage.
- Create network policies for 3rd-party deployments.
- Specify securityContext for 3rd-party Deployments:

  ```yaml
  securityContext:
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: false   # field name is readOnlyRootFilesystem (lowercase "s")
    runAsNonRoot: true
  ```
Optional:
- Configure Container Lifecycle Hooks.
- Add a PodDisruptionBudget for your deployment.
- Add a HorizontalPodAutoscaler if the load on the service can change over time.
# Docker
- Use a specific version number of the image instead of `:latest`.
- Prefer official (`hub.docker.com/_/`) images or build on our Gitlab. If you really need a 3rd-party image, check it and scan it with Trivy, then specify the `sha256:` signature (digest) of the image.
- Use multi-stage builds to decrease the image size.
- Make `/etc` read-only: `RUN chmod a-w /etc`
- Run the app in the container as a user instead of root: `RUN groupadd -r app && useradd --no-log-init -r -g app app`, then `USER app`.
- Delete the shell: `RUN rm -rf /bin/*`
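A Dockerfile that applies all of the Docker steps above in one build, as an added example that is not part of the original guideline. It assumes a Go service whose main package lives in `./cmd/app`; the stage order matters, because the user creation and `chmod` need a shell and must run before the shell is deleted.

```dockerfile
# syntax=docker/dockerfile:1
# Assumption: a Go service whose main package lives in ./cmd/app.
# Any language that produces a self-contained binary works the same way.

# --- Stage 1: build --------------------------------------------------------
# Official image pinned to a specific version, never :latest.
FROM golang:1.22-bookworm AS builder
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# Static binary: the runtime stage then needs no libc, no shell and no tools.
RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o /out/app ./cmd/app

# --- Stage 2: runtime ------------------------------------------------------
# Official base image pinned by tag. For a 3rd-party image also pin the digest
# (image:tag@sha256:<digest from the registry>) after scanning it with Trivy.
FROM debian:12-slim

# Unprivileged system user and group for the app (same commands as above).
RUN groupadd -r app && useradd --no-log-init -r -g app app

# Only the build artifact is copied from stage 1, owned by the app user.
COPY --from=builder --chown=app:app /out/app /app/app

# Remove write permission from /etc itself so no files can be added to or
# removed from it. Not recursive: existing files keep their own mode.
RUN chmod a-w /etc

# Delete the shell. This must be the last RUN instruction, since RUN itself
# needs /bin/sh. On Debian 12 /bin is a symlink to /usr/bin, so this also
# removes the other system binaries; the static app needs none of them.
RUN rm -rf /bin/*

USER app
# Exec form is required: shell form would try to run /bin/sh, which is gone.
ENTRYPOINT ["/app/app"]
```

Build with `docker build -t app:1.0.0 .`; a `docker exec -it <container> sh` against the result fails, which is the intended check that no shell is left in the image.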
# CI/CD
# Checklist
- Run linters.
- Run vulnerability checkers.
- Run static analysers.
- Run tests.
- Validate deployments.
Please read the section with stage examples.