11 – 1:40
cgroups
Linux Security Modules (LSM) – AppArmor and SELinux
Capabilities
Seccomp
Userns
Enable Docker Content Trust
export DOCKER_CONTENT_TRUST=1   (export is a shell builtin, so it is set in the current shell, not run under sudo)
Set Resource Limits for Containers
--cpus=2
--memory="1000M"
docker search --filter "is-official=true" wordpress
snyk test --docker node:10 --file=path/to/Dockerfile
snyk monitor --docker node:10
Static Code Analyzer – hadolint linter
kubectl get namespace
Implement Network Policies
By default, with no NetworkPolicy selecting a pod, every pod can talk to every other pod. You therefore have to create network policies to restrict pod-to-pod communication.
To deny all ingress traffic by default (service/networking/network-policy-default-deny-ingress.yaml)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
spec:
  podSelector: {}
  policyTypes:
  - Ingress
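How that default-deny policy composes with a later allow rule is easy to get wrong, so here is an added Python example (not from the notes) that models the ingress semantics: a pod becomes isolated as soon as any Ingress policy selects it, and the traffic it may receive is the union of the ingress rules of all such policies. The allow-api-to-db policy is constructed for the example; only podSelector/matchLabels peers are modelled.

```python
"""Added example: how Kubernetes NetworkPolicy objects compose for ingress.
Given one namespace's policies (parsed YAML/JSON dicts) and a pod's labels, report
whether the pod is isolated for ingress and which peers may still reach it. Only
podSelector/matchLabels and ingress.from[].podSelector are modelled (no namespaceSelector,
ipBlock or ports). The allow-api-to-db policy is constructed for this example."""

# The default-deny-ingress policy from the notes: selects every pod, allows nothing.
DEFAULT_DENY_INGRESS = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "default-deny-ingress"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
}
# Constructed allow rule: pods labelled role=api may reach pods labelled app=db.
ALLOW_API_TO_DB = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "allow-api-to-db"},
    "spec": {"podSelector": {"matchLabels": {"app": "db"}}, "policyTypes": ["Ingress"],
             "ingress": [{"from": [{"podSelector": {"matchLabels": {"role": "api"}}}]}]},
}

def selector_matches(selector, labels):
    """An empty selector ({}) matches every pod; otherwise all matchLabels must match."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def ingress_allowed_from(policies, pod_labels):
    """Return (isolated, allowed_peer_selectors) for a pod with the given labels.
    The pod is isolated once any policy with Ingress in policyTypes selects it; allowed
    sources are the union of ingress rules over those policies (default-deny has none)."""
    isolated, allowed = False, []
    for pol in policies:
        spec = pol["spec"]
        if not selector_matches(spec.get("podSelector", {}), pod_labels):
            continue
        # policyTypes defaults to Ingress, plus Egress when egress rules are present.
        types = spec.get("policyTypes", ["Ingress"] + (["Egress"] if "egress" in spec else []))
        if "Ingress" not in types:
            continue
        isolated = True
        for rule in spec.get("ingress", []):
            # A rule with no 'from' ({}) allows traffic from every source.
            peers = rule.get("from") or [{"podSelector": {}}]
            allowed += [p["podSelector"] for p in peers if "podSelector" in p]
    return isolated, allowed

def peer_can_reach(policies, target_labels, peer_labels):
    """True if a pod with peer_labels may send traffic to a pod with target_labels."""
    isolated, allowed = ingress_allowed_from(policies, target_labels)
    return (not isolated) or any(selector_matches(s, peer_labels) for s in allowed)
```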
Pod Security Policy (psp)
2:29 – encryption
kubectl get secrets --all-namespaces -o json | kubectl replace -f -
take picture 38mins for cloud compare | Scout Suite – cloud auditing tool