-
Notifications
You must be signed in to change notification settings - Fork 14.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Creating application security checklist #46326
base: main
Are you sure you want to change the base?
Creating application security checklist #46326
Conversation
✅ Pull request preview available for checkingBuilt without sensitive environment variables
To edit notification comments on pull requests, go to your Netlify site configuration. |
252c1b0
to
1dae29a
Compare
content/en/docs/concepts/security/application-security-checklist.md
Outdated
Show resolved
Hide resolved
content/en/docs/concepts/security/application-security-checklist.md
Outdated
Show resolved
Hide resolved
/remove-sig release |
content/en/docs/concepts/security/application-security-checklist.md
Outdated
Show resolved
Hide resolved
content/en/docs/concepts/security/application-security-checklist.md
Outdated
Show resolved
Hide resolved
content/en/docs/concepts/security/application-security-checklist.md
Outdated
Show resolved
Hide resolved
This looks good :)! I think it's a very valuable checklist for app developers. |
ad29660
to
78f4f72
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
First of all, great job, I think this document is a great addition.
But here are my thoughts.
First, my question is, for whom is this document written for? Is it the 85-90% of app developers that run an http API or an event based app in a non-critical environment that just wants a good base layer? Or are we trying to point to all security features that exist from an app developer point of view?
Personally, I think we should aim this document mainly towards the 85-90% of the users.
Especially since there is a tendency to want to be able to complete everything on a checklist, but if it becomes too painful, you end up doing nothing.
See keep it relatively simple and provide some kind of leveling system.
I would add a header called ## base security. In there I would add the most basic stuff.
Then I would add another header, ## advanced security, or something like that.
I would keep everything you have written, but I would move these down to advanced security
- rbac, if you are using rbac in your http api, you are most likely doing something wrong. I would emphasize that really hard in the document.
- runtime class, custom runetime classes isn't something that the majority of Kubenetes environment will use.
- Seccomp profiles, It's more or less impossible to setup unless you have some kind of tooling + since version 1.25 the default profile is enabled by default.
- SElinux, most developers don't know what it is and just like secomp profile you more or less need tooling to create something decent.
- AppArmor, even fewer people know what it is, and you need custom tooling to create something more advanced than default.
Thanks for the detailed response. I like this format and I will try to update the document accordingly.
I did realize that identifying the target audience is key here and then keeping the list generic so that it can be used by everyone. Because app developers can consist of tools that can be running cluster wide like log and metric collectors or policy agents. This is where the line between admins and developers start to blur. I'll try to add more details about the target audience for this list. |
78f4f72
to
a93d643
Compare
@NissesSenap I have updated the checklist structure based on your recommendation. Can you expand on
I'm not sure what you mean here. |
a93d643
to
c1c6f4a
Compare
That is great @AnshumanTripathi , I will try to take a deeper look at the update as soon as possible. My point is that the majority of all apps ruining in Kubernetes don't need access to its API. So I would emphasize that custom rbac rules for apps just aren't needed, in the majority of applications. Still good to talk about it, just like you have, but point to that there are limited use cases for it. |
Makes sense. I am not covering applications using Kubernetes client as a part of this checklist. I think having a doc about secure practices for applications that use the Kubernetes API (and operator) can be very helpful. I will create an issue for this :) |
@NissesSenap created kubernetes/sig-security#121 for hardening guide for using Kubernetes API |
Signed-off-by: Anshuman Tripathi <anshuman.tripathi305@gmail.com> Update based on feedback Signed-off-by: Anshuman Tripathi <anshuman.tripathi305@gmail.com> Update based on feedback Signed-off-by: Anshuman Tripathi <anshuman.tripathi305@gmail.com> Update checklist reading guide Signed-off-by: Anshuman Tripathi <anshuman.tripathi305@gmail.com> Update checklist structure based on feedback Signed-off-by: Anshuman Tripathi <anshuman.tripathi305@gmail.com>
c1c6f4a
to
4f75e48
Compare
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
I'd suggest we place this under |
Actually we can move this checklist and the existing checklist to |
The I don't think we want to kick this in and then follow up with another PR to move it. |
Makes sense. I'll try to make that change |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks! We could really use this new page.
Here's some advice about how to get this ready to merge.
|
||
For sensitive workloads consider using Kernel emulation tools like [gVisor](https://gvisor.dev/docs/) or [kata-containers](https://katacontainers.io/). | ||
|
||
In high trust environments, consider using [confidential virutal machines](/blog/2023/07/06/confidential-kubernetes/) to improve cluster security even further. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In high trust environments, consider using [confidential virutal machines](/blog/2023/07/06/confidential-kubernetes/) to improve cluster security even further. | |
In high trust environments, consider using [confidential virtual machines](/blog/2023/07/06/confidential-kubernetes/) to improve cluster security even further. |
Watch out for linking to non-evergreen blog articles (anything that gets marked as out of date once at least a year old).
|
||
Some containers may require a different isolation level from what is provided by the default runtime of the cluster. `runtimeClassname` can be used in a podspec to define a differnt runtime class. | ||
|
||
For sensitive workloads consider using Kernel emulation tools like [gVisor](https://gvisor.dev/docs/) or [kata-containers](https://katacontainers.io/). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Kata containers is not a kernel emulator:
For sensitive workloads consider using Kernel emulation tools like [gVisor](https://gvisor.dev/docs/) or [kata-containers](https://katacontainers.io/). | |
For sensitive workloads consider using kernel emulation tools like [gVisor](https://gvisor.dev/docs/), or virtualized isolation using a mechanism such as [kata-containers](https://katacontainers.io/). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
-
This page needs a third party links disclaimer; see https://kubernetes.io/docs/contribute/style/hugo-shortcodes/#third-party-content-marker
-
API verbs like apply and create are written as lower case bold. We use upper case non bold when documenting verbs at the underlying HTTP level (eg OPTIONS, PUT, GET).
-
(nit) When a sentence ends with a period, ie
.
, don't include the period inside the anchor text of a hyperlink.
The following checklist provide a base security hardening recommendations that would apply to most applications deploying to Kubernetes. | ||
|
||
### Application design | ||
- [ ] Following the right [design principles for the application.](https://kubernetes.io/blog/2018/03/principles-of-container-app-design/) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't recommend linking to that article. Find a better source, such as https://www.cncf.io/wp-content/uploads/2022/06/CNCF_cloud-native-security-whitepaper-May2022-v2.pdf
- [ ] CPU limit might be set on sensitive workloads. | ||
|
||
### Service account | ||
- [ ] Avoid using `default` service account. Create service accounts for workloads. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- [ ] Avoid using `default` service account. Create service accounts for workloads. | |
- [ ] Avoid using the `default` ServiceAccount. Create ServiceAccounts for each workload or microservice. |
### Container Security Context | ||
- [ ] Disable privilege escalations using `allowPrivilegeEscalation: false`. | ||
- [ ] Configure the root filesystem to be read-only with `readOnlyRootFilesystem: true`. | ||
- [ ] Avoid running privileged containers with `privileged: false`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- [ ] Avoid running privileged containers with `privileged: false`. | |
- [ ] Avoid running privileged containers (set `privileged: false`). |
- [ ] Avoid using `default` service account. Create service accounts for workloads. | ||
- [ ] `automountServiceAccountToken` should be set to `false` unless the pod specifically requires access to the Kubernetes API to operate. | ||
|
||
### Pod Security Context |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
### Pod Security Context | |
### Pod-level `securityContext` recommendations {#security-context-pod} |
- [ ] Optionally add a supplimentary group with `fsGroup` to access persistent volumes. | ||
- [ ] Appropriate Pod Security Standard policies are enforced to all pods in the application namespace. | ||
|
||
### Container Security Context |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
### Container Security Context | |
### Container-level `securityContext` recommendations {#security-context-container} | |
- [ ] Set `runAsNonRoot: true`. | ||
- [ ] Configure User permissions and access controls using `runAsUser` and `runAsGroup`. | ||
- [ ] Optionally add a supplimentary group with `fsGroup` to access persistent volumes. | ||
- [ ] Appropriate Pod Security Standard policies are enforced to all pods in the application namespace. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe this:
- [ ] Appropriate Pod Security Standard policies are enforced to all pods in the application namespace. | |
- [ ] The application deploys into a namespace that enforces an appropriate _Pod security standard_. | |
If you cannot control this enforcement for the cluster(s) where the application is deployed, | |
take this into account either through documentation or additional defense in depth. |
- [ ] Avoid creating RBAC permissions to create or update roles which can lead to [privilege escalation](/docs/reference/access-authn-authz/rbac/#privilege-escalation-prevention-and-bootstrapping). | ||
- [ ] Review bindings for the `system:unauthenticated` group and remove them where possible, as this gives access to anyone who can contact the API server at a network level. | ||
|
||
The `create`, `update` and `delete` should be used judicously. The `patch` permission can [allow users to update labels on the namespace or deployments](/docs/concepts/security/rbac-good-practices/#namespace-modification) which can increase the attack surface. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Try this:
The `create`, `update` and `delete` should be used judicously. The `patch` permission can [allow users to update labels on the namespace or deployments](/docs/concepts/security/rbac-good-practices/#namespace-modification) which can increase the attack surface. | |
The **create**, **update** and **delete** verbs should be permitted judiciously. The **patch** verb if allowed on a Namespace can | |
[allow users to update labels on the namespace or deployments](/docs/concepts/security/rbac-good-practices/#namespace-modification) which can increase the attack surface. | |
For sensitive workloads, consider providing a recommended ValidatingAdmissionPolicy that further restricts the permitted write actions. |
Creating an application security checklist.
Issue
kubernetes/sig-security#111
Deploy Preview
https://deploy-preview-46326--kubernetes-io-main-staging.netlify.app/docs/concepts/security/application-security-checklist/