Initial commit
This commit is contained in:
Zhongwei Li
@@ -0,0 +1,34 @@
|
||||
---
|
||||
description: Kubernetes hardening (RBAC, admission policies, network policies, secrets, supply chain)
|
||||
languages:
|
||||
- javascript
|
||||
- yaml
|
||||
alwaysApply: false
|
||||
---
|
||||
|
||||
rule_id: codeguard-0-cloud-orchestration-kubernetes
|
||||
|
||||
## Cloud & Orchestration (Kubernetes)
|
||||
|
||||
Kubernetes cluster and workload hardening: identity, policy, networking, secrets, and supply chain controls.
|
||||
|
||||
### Controls
|
||||
- Identity & RBAC: least privilege for users and service accounts; separate namespaces; bind only needed roles.
|
||||
- Policy: admission controls (OPA/Gatekeeper/Kyverno) for image sources, capabilities, root, network policies, and required labels/annotations.
|
||||
- Networking: default‑deny with network policies; explicit egress allow‑lists; service identity/mTLS within mesh where applicable.
|
||||
- Secrets: use KMS providers; avoid plaintext in manifests; rotate regularly; restrict secret mount paths.
|
||||
- Nodes: hardened OS, auto‑updates, minimal attack surface; isolate sensitive workloads with taints/tolerations and dedicated nodes.
|
||||
- Supply chain: verify image signatures; enforce provenance (SLSA/Sigstore) in admission.
|
||||
|
||||
### Checklist
|
||||
- Namespaces per team/app; RBAC roles scoped; audit logging enabled.
|
||||
- Admission policies enforce image provenance, non‑root, dropped capabilities, read‑only root FS, and network policy presence.
|
||||
- Network policies in place for ingress/egress; service accounts scoped per deployment.
|
||||
|
||||
### Verification
|
||||
- Cluster conformance and CIS benchmark scans.
|
||||
- Policy tests in CI for manifests (OPA unit tests); periodic admission dry‑run.
|
||||
|
||||
### Incident Readiness
|
||||
- Enable audit logs and centralize; restrict access to etcd; backup/restore tested.
|
||||
- Define break‑glass roles with MFA and time‑bound approvals.
|
||||
Reference in New Issue
Block a user