Security of Kubernetes Cluster
Kubernetes Best Practices
Securing a Kubernetes cluster is crucial to ensure the confidentiality, integrity and availability of the applications and data running on it. As the cloud platform provider, we take responsibility for managing the control plane components of the Kubernetes cluster, such as the API server, controller manager and scheduler, according to best practices and industry standards. Note that not every aspect of the Kubernetes components can be edited by the end user. For example, the underlying storage technology and encryption mechanisms are managed by us as the cloud platform provider.
On the workload cluster (the "Shoot" cluster) the user has full administrative rights. To secure the "Shoot" cluster, the following documents provide comprehensive guidance on the best practices recommended to the user:
- Kubernetes Best Practices: This document covers various aspects of securing a Kubernetes cluster, including the cluster's topology and network, and enforcing pod security standards.
- Kubernetes Security Concepts: This document explains the security concepts and features provided by Kubernetes, such as secrets, workload protection, and Kubernetes audit logging.
- Cilium Network Policy: This document provides an insight into the policy language used to configure the network policies in Cilium.
The following further references in our documentation may help with configuring certain aspects of the cluster:
CIS Benchmark
One highly recommended resource is the official CIS (Center for Internet Security) Benchmark for Kubernetes. The CIS Benchmark provides a comprehensive set of guidelines to secure your Kubernetes environment effectively.
However, it is important to note that our services are managed, which significantly simplifies the security responsibilities of our users. Since control plane operations are fully managed by OSC, users should focus on the parts of the CIS Benchmark that apply to the components they control.