
Endpoint Security Container

11 – 1:40

cgroups

Linux Security Modules (LSM) – AppArmor and SELinux

Capabilities

Seccomp

User namespaces (userns)

Enable Docker Content Trust

export DOCKER_CONTENT_TRUST=1

Set Resource Limits for Containers

--cpus=2

--memory="1000M"

docker search --filter "is-official=true" WordPress

snyk test --docker node:10 --file=path/to/dockerfile

snyk monitor --docker node:10

Static Code Analyzer – hadolint linter

kubectl get namespace

Implement Network Policies

By default (when no NetworkPolicy selects a pod) every pod can talk to every other pod. Therefore you must create a network policy to restrict communication between pods.

To deny all ingress traffic by default (service/networking/network-policy-default-deny-ingress.yaml)

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
spec:
  podSelector: {}
  policyTypes:
  - Ingress
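As an added example (not part of these notes), a small Python audit that reads the JSON produced by `kubectl get networkpolicy --all-namespaces -o json` and lists the namespaces that still lack a default-deny-ingress policy like the one above; the sample policy document and namespace names are constructed, and the function names are my own.

```python
import json

# Constructed sample in the shape of `kubectl get networkpolicy --all-namespaces -o json`
# (not captured from a real cluster).
SAMPLE_JSON = """
{"items": [
  {"metadata": {"namespace": "web", "name": "default-deny-ingress"},
   "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
  {"metadata": {"namespace": "blog", "name": "allow-everything"},
   "spec": {"podSelector": {}, "policyTypes": ["Ingress"], "ingress": [{}]}},
  {"metadata": {"namespace": "db", "name": "deny-mysql-ingress"},
   "spec": {"podSelector": {"matchLabels": {"app": "mysql"}}, "policyTypes": ["Ingress"]}}
]}
"""

def effective_policy_types(spec):
    """policyTypes defaults to Ingress, plus Egress only when egress rules are present."""
    types = spec.get("policyTypes")
    if types:
        return set(types)
    types = {"Ingress"}
    if "egress" in spec:
        types.add("Egress")
    return types

def is_default_deny_ingress(policy):
    """True when the policy selects every pod in its namespace and allows no ingress.
    Caveat: `ingress: [{}]` is one empty rule that matches ALL traffic (allow-all);
    only an absent or empty `ingress` list denies everything."""
    spec = policy.get("spec", {})
    selector = spec.get("podSelector", {})
    selects_all = not selector.get("matchLabels") and not selector.get("matchExpressions")
    covers_ingress = "Ingress" in effective_policy_types(spec)
    no_rules = not spec.get("ingress")
    return selects_all and covers_ingress and no_rules

def namespaces_without_default_deny(policy_list_json, namespaces):
    """Return the namespaces (e.g. from `kubectl get namespace`) with no default-deny-ingress policy."""
    items = json.loads(policy_list_json).get("items", [])
    covered = {p["metadata"]["namespace"] for p in items if is_default_deny_ingress(p)}
    return sorted(ns for ns in namespaces if ns not in covered)

if __name__ == "__main__":
    # Only "web" has a real default deny; "blog" allows all, "db" only covers mysql pods.
    print(namespaces_without_default_deny(SAMPLE_JSON, ["web", "blog", "db", "default"]))
```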

Pod Security Policy (psp)

2:29 – encryption

kubectl get secrets --all-namespaces -o json | kubectl replace -f -

take picture 38mins for cloud compare | Scout Suite – cloud auditing tool