Risk analysis and security compliance in Kube-prometheus

The Initial Scanning

Passed tests

Partial or completely failed tests

Allow privilege escalation

Automatic mapping of service account

  • Prometheus-Adapter — Talks to the API server to collect information from nodes, pods and the metrics.k8s.io API.
  • Prometheus-Operator, Kube-state-metrics and Blackbox-exporter — Not because of what those components do themselves, but because of the kube-rbac-proxy sidecar that runs alongside those three components. Kube-rbac-proxy is added to mitigate another security risk.

Container hostPort

Host PID/IPC privileges

HostNetwork access

Immutable container filesystem

Ingress and Egress blocked

Linux hardening

apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  containers:
  - name: sec-ctx-demo
    image: busybox
    command: [ "sh", "-c", "sleep 1h" ]
    securityContext:
      seccompProfile:
        type: RuntimeDefault # Set a default seccomp profile
  • Node-exporter — May require CAP_SYS_TIME if the timex collector is enabled.
  • Blackbox-exporter — Requires NET_RAW when doing ICMP probes.
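As an added example (not code from this article or from kube-prometheus), the following Python audit runs the checks listed above against a parsed Pod manifest: it flags missing allowPrivilegeEscalation: false, default service-account token mounting, hostPort, hostPID/hostIPC, hostNetwork, a writable root filesystem, a missing seccomp profile and capabilities that are not dropped, and it surfaces every added capability (such as NET_RAW or SYS_TIME for the exporters) for review. The function name audit_pod is my own, and the demo pod is the article's seccomp example written as a dict.

```python
def audit_pod(pod):
    """Map each check named in the article to a list of findings ([] means passed)."""
    spec = pod.get("spec", {})
    f = {k: [] for k in ("Allow privilege escalation", "Automatic mapping of service account",
                         "Container hostPort", "Host PID/IPC privileges", "HostNetwork access",
                         "Immutable container filesystem", "Linux hardening")}
    # automountServiceAccountToken defaults to true when it is not set explicitly
    if spec.get("automountServiceAccountToken", True):
        f["Automatic mapping of service account"].append("pod: automountServiceAccountToken is not false")
    if spec.get("hostPID") or spec.get("hostIPC"):
        f["Host PID/IPC privileges"].append("pod: hostPID or hostIPC is enabled")
    if spec.get("hostNetwork"):
        f["HostNetwork access"].append("pod: hostNetwork is enabled")
    pod_seccomp = spec.get("securityContext", {}).get("seccompProfile", {}).get("type")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, sc = c.get("name", "?"), c.get("securityContext", {})
        # allowPrivilegeEscalation also defaults to true when unset
        if sc.get("allowPrivilegeEscalation", True):
            f["Allow privilege escalation"].append(f"{name}: allowPrivilegeEscalation is not false")
        if any("hostPort" in p for p in c.get("ports", [])):
            f["Container hostPort"].append(f"{name}: hostPort is set")
        if not sc.get("readOnlyRootFilesystem", False):
            f["Immutable container filesystem"].append(f"{name}: readOnlyRootFilesystem is not true")
        # a container-level seccompProfile overrides the pod-level one
        seccomp = sc.get("seccompProfile", {}).get("type", pod_seccomp)
        if seccomp not in ("RuntimeDefault", "Localhost"):
            f["Linux hardening"].append(f"{name}: no seccomp profile (pod or container level)")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            f["Linux hardening"].append(f"{name}: capabilities are not dropped (drop: [ALL])")
        for cap in caps.get("add", []):
            # Exporters may legitimately need one (NET_RAW for ICMP probes, SYS_TIME for timex);
            # surface each added capability so it is reviewed rather than silently accepted.
            f["Linux hardening"].append(f"{name}: adds capability {cap}")
    return f

# The article's seccomp demo pod as a Python dict (constructed here to avoid a YAML parser).
DEMO_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "security-context-demo"},
    "spec": {"containers": [{"name": "sec-ctx-demo", "image": "busybox",
                             "command": ["sh", "-c", "sleep 1h"],
                             "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}}}]},
}

if __name__ == "__main__":
    for check, issues in audit_pod(DEMO_POD).items():
        print(f"{'PASS' if not issues else 'FAIL'} {check}" + "".join(f"\n    {i}" for i in issues))
```

Run against the demo pod, only the seccomp part of "Linux hardening" passes; the other checks fail exactly as the scan above reports for an unhardened container.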

Caveats

  • Users can mount an extra persistentVolume to the queryLog path, which means we don’t want to create an extra volume for it.
  • Users can set the queryLog path to /dev/stdout, which will make the logs available to the container’s stdout. Another possibility where we don’t want an extra volume.

Arthur Silva Sens
Open source and observability enthusiast :)