12/20/2023

Kubernetes cis benchmark

Inasmuch as it's important to secure your container images, it's equally important to safeguard the infrastructure that runs them. This section explores different ways to mitigate risks from attacks launched directly against the host. These guidelines should be used in conjunction with those outlined in the Runtime Security section.

Recommendations ¶

- Use an OS optimized for running containers
- Treat your infrastructure as immutable and automate the replacement of your worker nodes
- Periodically run kube-bench to verify compliance with CIS benchmarks for Kubernetes
- Minimal IAM policy for SSM based SSH Access
- Run Amazon Inspector to assess hosts for exposure, vulnerabilities, and deviations from best practices
- Monitoring for Network performance issues

Use an OS optimized for running containers ¶

Consider using Flatcar Linux, Project Atomic, RancherOS, and Bottlerocket, a special purpose OS from AWS designed for running Linux containers. It includes a reduced attack surface, a disk image that is verified on boot, and enforced permission boundaries using SELinux.

Alternately, use the EKS optimized AMI for your Kubernetes worker nodes. The EKS optimized AMI is released regularly and contains a minimal set of OS packages and binaries necessary to run your containerized workloads.

Please refer to the Amazon EKS AMI RHEL Build Specification for a sample configuration script which can be used for building a custom Amazon EKS AMI running on Red Hat Enterprise Linux using Hashicorp Packer. This script can be further leveraged to build STIG compliant EKS custom AMIs.

Regardless of whether you use a container-optimized host OS like Bottlerocket or a larger, but still minimalist, Amazon Machine Image like the EKS optimized AMIs, it is best practice to keep these host OS images up to date with the latest security patches. For the EKS optimized AMIs, regularly check the CHANGELOG and/or release notes channel and automate the rollout of updated worker node images into your cluster.

Treat your infrastructure as immutable and automate the replacement of your worker nodes ¶

Rather than performing in-place upgrades, replace your workers when a new patch or update becomes available. You can either add instances to an existing autoscaling group using the latest AMI as you sequentially cordon and drain nodes until all of the nodes in the group have been replaced with the latest AMI. Alternatively, you can add instances to a new node group while you sequentially cordon and drain nodes from the old node group until all of the nodes have been replaced. EKS managed node groups use the first approach and will display a message in the console to upgrade your workers when a new AMI becomes available. eksctl also has a mechanism for creating node groups with the latest AMI and for gracefully cordoning and draining pods from node groups before the instances are terminated.
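The sequential cordon-and-drain replacement described above, as an added Python example that is not code from the guide, EKS or eksctl: it drains one node of the old node group at a time and refuses to drain the next until the new node group has a Ready node for every old node already taken out. The label `eks.amazonaws.com/nodegroup` is the one EKS sets on managed node group nodes; the node inventory is a constructed sample in the shape of `kubectl get nodes -o json`, and the `fetch` and `run` callables are injected so the logic can be exercised offline.

```python
import subprocess
import time

NODEGROUP_LABEL = "eks.amazonaws.com/nodegroup"  # label EKS sets on managed node group nodes

def is_ready(n: dict) -> bool:
    return any(c["type"] == "Ready" and c["status"] == "True" for c in n["status"]["conditions"])

def in_group(n: dict, group: str) -> bool:
    return n["metadata"].get("labels", {}).get(NODEGROUP_LABEL) == group

def next_drain_step(inventory: dict, old_group: str, new_group: str):
    """Return kubectl commands that cordon and drain the next old-group node.
    [] means the old group is fully cordoned; None means the new group does not
    yet have enough Ready nodes, so the caller must wait rather than drain."""
    nodes = inventory["items"]
    old = sorted((n for n in nodes if in_group(n, old_group)), key=lambda n: n["metadata"]["name"])
    pending = [n for n in old if not n["spec"].get("unschedulable", False)]
    if not pending:
        return []
    new_ready = sum(1 for n in nodes if in_group(n, new_group) and is_ready(n))
    # Capacity guard: every old node drained so far, plus this one, needs a Ready replacement.
    if new_ready < len(old) - len(pending) + 1:
        return None
    name = pending[0]["metadata"]["name"]
    return [["kubectl", "cordon", name],
            ["kubectl", "drain", name, "--ignore-daemonsets", "--delete-emptydir-data", "--timeout=300s"]]

def rolling_replace(old_group, new_group, fetch, run=subprocess.run, poll_seconds=30, max_rounds=200):
    """Drain old-group nodes one at a time, re-reading the node list after every
    step so replacement nodes that became Ready are counted. Returns commands run."""
    executed = []
    for _ in range(max_rounds):
        step = next_drain_step(fetch(), old_group, new_group)
        if step == []:
            return executed
        if step is None:
            time.sleep(poll_seconds)  # give the new node group time to add Ready capacity
            continue
        for cmd in step:
            run(cmd, check=True)
            executed.append(cmd)
    raise RuntimeError(f"old group {old_group!r} still has schedulable nodes after {max_rounds} rounds")

def sample_node(name, group, ready=True, cordoned=False) -> dict:
    """Constructed node object in the shape `kubectl get nodes -o json` returns."""
    return {"metadata": {"name": name, "labels": {NODEGROUP_LABEL: group}},
            "spec": {"unschedulable": cordoned},
            "status": {"conditions": [{"type": "Ready", "status": "True" if ready else "False"}]}}
```

Against a live cluster pass `fetch=lambda: json.loads(subprocess.check_output(["kubectl", "get", "nodes", "-o", "json"]))` and leave `run` at its default.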