Kubernetes cluster hardening standard (previously "K8s cluster baseline security") #581
I like the clear explanation of concepts before recommending something, but it could be argued that these in-depth details should not be part of the standard itself. I myself find it very handy to have the reasoning in the same file as the decisions themselves.
I would like to hear more opinions on this, though (I could imagine @mbuechse has something to say about this from a meta-standard perspective?), because I think the standard at least somewhat deviates in this regard from our other standards.
One solution could be to move the explanations into a dedicated file, but we could as well just keep this as-is. I have no strong opinion on this matter myself; I just wanted to mention it because I think other people might have objections in this regard.
The standard looks mostly good to me. I have made some comments regarding wording, and some - I think - incomplete sentences need fixing.
Just small typos...
Rebased the branch.
Wow, this is impressive. One problem I have is finding what the standard requires of me. There are a lot of recommendations and best-practice suggestions. But can we (in principle) make a succinct list of requirements? Could you please work on an MVP for a test? I think tests are very important to make clear what the standard really requires, and whether it's practical.
Sorry, I totally missed the section "Standard". Okay, so we have a succinct list. I think we can drop the introductory paragraph from that section, but I would add a remark somewhere in the beginning of the "Hardening Kubernetes" paragraph that "Hardening Kubernetes" is not authoritative, and that the "Standards" section contains the authoritative part.
Updated the paragraphs just as mentioned by @mbuechse
Update baseline cluster security Signed-off-by: Hannes Baum <[email protected]>
LGTM!
I'm approving the draft because it's good work and covers a lot of aspects. The standard paragraph makes sense to me.
Of course these kinds of guides always have room for debate around scope and requirements. That does not mean I object to other people's input and improvement suggestions 😉
Made a small adjustment to read-only port section in order to address some mentions by @bitkeks. Signed-off-by: Hannes Baum <[email protected]>
Made a small adjustment to related documents in order to address some mentions by @bitkeks. Signed-off-by: Hannes Baum <[email protected]>
This is ready to merge. I trust that you did what you said. So I won't review it now. You can proceed.
Merging!
The "Baseline K8s cluster security" was created previously. In the PR (#376) there were some discussions about the structure and overall usefulness of the standard.
This issue should adapt the standard (since it is still in the draft phase) in order to better adhere to the requirements brought forward.
The standard was also retitled to "Kubernetes cluster hardening".