Table of Contents
Introduction
...
Additional Testing
Bottlenecks/Errata
Applied Fixes
Kube-Hunter
KHV002
https://aquasecurity.github.io/kube-hunter/kb/KHV002.html
Solution:
Change the default ClusterRole system:public-info-viewer
kubectl replace -f - <<EOF apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: rbac.authorization.kubernetes.io/autoupdate: "false" labels: kubernetes.io/bootstrapping: rbac-defaults name: system:public-info-viewer rules: - nonResourceURLs: # /version has been removed - /healthz - /livez - /readyz verbs: - get EOF
CAP_NET_RAW
Solution:
Use PodSecurityPolicy
https://kubernetes.io/docs/concepts/policy/pod-security-policy/
Steps:
- Create a