29. Day 29 - Kubernetes Hardening Guide by NSA & CISA And Golang

# Day 29 -- Kubernetes Hardening Guide by NSA & CISA And Golang
### Pod Security: Harden Pods to make exploitation more difficult & Limit the impact of succesful compromise
#### Non-root containers
#### Image Scanning
#### Immutable Container file systems

### Network Saperation & Hardening

#### Focus on communication between Containers, Pods, Services & External Services
#### Use TLS for external Services

#### Namespaces assign label to a scope that could be used to specify rules via RBAC & networking policies.

### Network Policies Checklist
* Use CNI plugin that supports Network Policy API
* Create Policies that selects Pods using podSelector and/or namespaceSelector
* Use default policy to deny all ingress & engress traffic

### Control Plane Hardening
* Set up TLS encryption
* Set up strong authentication methods
* Disable access to internet and unnecessary, or untrusted networks
* Use RBAC policies to restrict access
* Secure the etcd datastore with authentication and RBAC policies
* Protect kubeconfig files from unauthorized modifications

### Logging 
#### Logging should be performed at all levels of the environment, including on the host, application, container, container engine, image registry, api-server, and the cloud, as applicable.

### Within the Kubernetes environment, some events that administrators should monitor/log include the following:
* API request history
* Performance metrics
* Deployments
* Resource consumption
* Operating system calls
* Protocols, permission changes
* Network traffic
* Pod scaling
* Volume mount actions
* Image and container modification
* Privilege changes
* Scheduled job (cronjob) creations and modifications