public/rancher-docs
1
0
Fork 0
mirror of https://github.com/rancher/rancher-docs.git synced 2026-05-05 20:53:33 +00:00
Code Issues Packages Projects Releases Wiki Activity

#420 Canonical links for Rancher-security (#895)

Browse Source 
* canonicized k3s-self-assessment-guide

* canonicized rke1-hardening-guide

* canonicized rke2-self-assessment-guide

* canonicized selinux-rpm

* canonicized rancher-security
This commit is contained in:
Marty Hernandez Avedon
2023-10-02 10:47:31 -04:00
committed by GitHub
parent a1178a1485
commit cead220aaf
37 changed files with 148 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
versioned_docs/version-2.6/reference-guides/rancher-security/kubernetes-security-best-practices.md
+4
View File
@@ -2,6 +2,10 @@
title: Kubernetes Security Best Practices
---
<head>
<link rel="canonical" href="https://ranchermanager.docs.rancher.com/reference-guides/rancher-security/kubernetes-security-best-practices"/>
</head>
### Restricting cloud metadata API access
Cloud providers such as AWS, Azure, DigitalOcean or GCP often expose metadata services locally to instances. By default, this endpoint is accessible by pods running on a cloud instance, including pods in hosted Kubernetes providers such as EKS, AKS, DigitalOcean Kubernetes or GKE, and can contain cloud credentials for that node, provisioning data such as kubelet credentials, or other sensitive data. To mitigate this risk when running on a cloud platform, follow the [Kubernetes security recommendations](https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/#restricting-cloud-metadata-api-access): limit permissions given to instance credentials, use network policies to restrict pod access to the metadata API, and avoid using provisioning data to deliver secrets.