Kubernetes
What security best practices do you follow in regards to the Kubernetes cluster?
Difficulty: unrated
Source: bregman-arie/devops-exercises
by Arie Bregman
Answer
- Secure inter-service communication (one way is to run a service mesh such as Istio, which can enforce mutual TLS between workloads)
- Isolate different resources into separate namespaces based on logical groups (for example team or environment), and use those namespaces as the boundary for RBAC, resource quotas and network policies
- Use a supported, CRI-compliant container runtime such as containerd or CRI-O. Kubernetes deprecated the Docker shim (dockershim) in 1.20 and removed it in 1.24, so Docker Engine no longer works as a node runtime without an external shim; images built with Docker still run fine
- Properly test changes to the cluster before applying them (e.g. consider using Datree to catch Kubernetes misconfigurations in manifests)
- Limit who can do what in the cluster: use RBAC (namespaced Roles and RoleBindings with the fewest verbs needed) to control who may act on which resources, and an admission controller such as OPA Gatekeeper to reject objects that violate policy
- Use NetworkPolicy resources to restrict pod-to-pod traffic (start from a default deny, then allow only the ingress and egress each workload needs; the cluster's CNI plugin must support NetworkPolicy for them to be enforced)
- Consider using runtime threat-detection tools (e.g. Falco) to alert on suspicious behaviour inside containers and on nodes
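The namespace, NetworkPolicy and RBAC points above combined into one hardened-namespace manifest. This is an added example, not code from the devops-exercises repository: the `payments` namespace, the `payments-team` group and the `k8s-app: kube-dns` label on the cluster DNS pods are assumptions (the last one matches kubeadm-style CoreDNS deployments; check `kubectl -n kube-system get pods --show-labels` on your cluster).

```yaml
# Namespace for one logical group of workloads (hypothetical "payments" team).
apiVersion: v1
kind: Namespace
metadata:
  name: payments
---
# Default deny. An empty podSelector selects every pod in the namespace; once a
# pod is selected by any NetworkPolicy, only explicitly allowed traffic passes.
# Only enforced if the CNI plugin supports NetworkPolicy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# Re-open only what the workloads need: ingress from pods in the same namespace,
# and egress to cluster DNS so service discovery keeps working under default deny.
# namespaceSelector and podSelector in the same "to" entry are ANDed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace-and-dns
  namespace: payments
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - podSelector: {}
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns   # assumed label of the CoreDNS pods
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
---
# Least-privilege RBAC: a Role scoped to this namespace with only the verbs a
# deployer needs (no secrets access, no delete, nothing cluster-wide).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: payments-deployer
  namespace: payments
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
---
# Bind the Role to a group from the cluster's identity provider (hypothetical name).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: payments-deployers
  namespace: payments
subjects:
  - kind: Group
    name: payments-team
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: payments-deployer
  apiGroup: rbac.authorization.k8s.io
```

Apply with `kubectl apply -f`, then verify both halves: `kubectl auth can-i delete deployments -n payments --as-group=payments-team --as=someone` should answer `no`, and a pod in `payments` should still resolve service names but fail to reach pods in other namespaces. If DNS breaks after applying the default deny, the CoreDNS pod labels or namespace differ from the assumptions above.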