Based in San Francisco Bay Area, Securesql is a blog by John Menerick. His insights dissect complex systems, offering a masterclass in cyber guardianship through expert analysis and cutting-edge protective strategies.

Kubernetes Add-Ons (3rd party integrations)

Overview

Many add-ons (third-party integrations) alter the risk and security posture of a cluster (or a set of clusters). Always review an integration's permissions before enabling access. Some permissions are not obvious in the risk they create, so pay particular attention to them. For instance, there are multiple secrets providers (deployed as sidecars) that require full access to all cluster secrets. What may not be obvious is that this gives the integration the privileges to become a cluster administrator. Restrict the integration to as few namespaces as possible and be wary of any that needs access to the administrative namespaces.

A number of older add-ons appear to be deployed with nearly every cluster; Kubernetes Dashboard is one such integration. Be wary of, and preferably disable, any of these integrations that require full cluster access via a service account. If disabling them is not possible, restrict their access and privileges and harden them accordingly.
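One way to turn the review step above into a repeatable check is to scan the cluster's RBAC objects for subjects (an add-on's service account, for example) that a ClusterRoleBinding ties to cluster-wide read access on Secrets, the permission the post equates with cluster-admin. This is an added example, not code from the original post; it assumes input in the shape of the `items` lists from `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json`, and the sample objects are constructed.

```python
# Added example (not from the original post): flag RBAC subjects that can read
# every Secret in the cluster. Input mirrors the `items` lists returned by
# `kubectl get clusterroles -o json` / `kubectl get clusterrolebindings -o json`.
SECRET_VERBS = {"get", "list", "watch", "*"}

def rule_reads_secrets(rule):
    """True if one RBAC rule grants read access to core-group Secrets."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    in_core = "" in groups or "*" in groups
    on_secrets = "secrets" in resources or "*" in resources
    return in_core and on_secrets and bool(set(rule.get("verbs", [])) & SECRET_VERBS)

def cluster_wide_secret_readers(cluster_roles, cluster_role_bindings):
    """Return 'Kind:namespace/name' for every subject that a ClusterRoleBinding
    ties to a ClusterRole able to read Secrets across all namespaces."""
    risky = {cr["metadata"]["name"] for cr in cluster_roles
             if any(rule_reads_secrets(r) for r in cr.get("rules", []))}
    findings = set()
    for crb in cluster_role_bindings:
        ref = crb.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") not in risky:
            continue  # RoleBindings are namespace-scoped and are not flagged here
        for s in crb.get("subjects", []):
            ns = s.get("namespace")
            findings.add(f'{s["kind"]}:{ns}/{s["name"]}' if ns else f'{s["kind"]}:{s["name"]}')
    return sorted(findings)

# Constructed sample: a secrets-injector add-on with cluster-wide Secret reads
# (effectively cluster-admin, as the post notes) beside a harmless pod viewer.
SAMPLE_CLUSTER_ROLES = [
    {"metadata": {"name": "secrets-injector"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list", "watch"]}]},
    {"metadata": {"name": "pod-viewer"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
]
SAMPLE_BINDINGS = [
    {"roleRef": {"kind": "ClusterRole", "name": "secrets-injector"},
     "subjects": [{"kind": "ServiceAccount", "name": "injector", "namespace": "vault"}]},
    {"roleRef": {"kind": "ClusterRole", "name": "pod-viewer"},
     "subjects": [{"kind": "ServiceAccount", "name": "metrics", "namespace": "monitoring"}]},
]

if __name__ == "__main__":
    for subject in cluster_wide_secret_readers(SAMPLE_CLUSTER_ROLES, SAMPLE_BINDINGS):
        print("cluster-wide Secret read access:", subject)
```

A wildcard ClusterRole (`resources: ["*"]`, `verbs: ["*"]`), as bound to the service accounts of the older dashboard-style add-ons the post mentions, is flagged by the same rule; subjects that only hold a namespaced RoleBinding are left alone, which is the restriction the post recommends.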
