

Inasmuch as it's important to secure your container images, it's equally important to safeguard the infrastructure that runs them. This section explores different ways to mitigate risks from attacks launched directly against the host. These guidelines should be used in conjunction with those outlined in the Runtime Security section.

Recommendations

Use an OS optimized for running containers

Consider using Flatcar Linux, Project Atomic, RancherOS, and Bottlerocket, a special purpose OS from AWS designed for running Linux containers. It includes a reduced attack surface, a disk image that is verified on boot, and enforced permission boundaries using SELinux.

Alternately, use the EKS optimized AMI for your Kubernetes worker nodes.

The remaining recommendations in this section are:

Treat your infrastructure as immutable and automate the replacement of your worker nodes
Periodically run kube-bench to verify compliance with CIS benchmarks for Kubernetes
Minimal IAM policy for SSM based SSH Access
Run Amazon Inspector to assess hosts for exposure, vulnerabilities, and deviations from best practices
