Harden EKS/GKE Clusters #5110

Open
Tracked by #6608
upodroid opened this issue Apr 7, 2023 · 6 comments
Labels
area/infra/aws Issues or PRs related to Kubernetes AWS infrastructure area/infra/gcp Issues or PRs related to Kubernetes GCP infrastructure area/infra Infrastructure management, infrastructure design, code in infra/ priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. sig/k8s-infra Categorizes an issue or PR as relevant to SIG K8s Infra.

Comments

@upodroid (Member) commented Apr 7, 2023

Our build clusters run untrusted code and we should try to harden the cluster configuration and the pod configuration.

Kubernetes Best Practices:

  • Prow pods which run untrusted code should only be run in the test-pods namespace
  • hostNetwork should not be set to true for pods in the test-pods namespace
  • Pods should be run with privileged set to false unless required, such as DinD jobs.
  • Use the relevant cross-cloud workload identity tooling to access resources in a different cloud provider. We have workloads on AWS and GCP that access resources on a different cloud provider securely.

GKE Best Practices:

EKS Best Practices:
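The Kubernetes items above can be checked mechanically. Below is an added example (not code from kubernetes/k8s.io) that evaluates a decoded pod manifest against the three pod-level rules; it assumes Prow job pods carry the `prow.k8s.io/job` label and uses a hypothetical annotation, `k8s-infra.example/allow-privileged`, to mark the DinD-style exemption.

```python
"""Checker for the pod rules listed above (added example, not k8s.io repo code).
Assumes Prow job pods carry the label prow.k8s.io/job and that DinD-style pods
needing privileged mode are exempted via the hypothetical annotation
k8s-infra.example/allow-privileged="true". Input: a pod manifest as a dict."""
from __future__ import annotations

PROW_JOB_LABEL = "prow.k8s.io/job"
UNTRUSTED_NS = "test-pods"
PRIV_EXEMPTION = "k8s-infra.example/allow-privileged"  # hypothetical annotation


def _containers(spec: dict) -> list[dict]:
    # Init and ephemeral containers can be privileged too; check them all.
    return (spec.get("containers", []) + spec.get("initContainers", [])
            + spec.get("ephemeralContainers", []))


def check_pod(pod: dict) -> list[str]:
    """Return violations of the three pod rules; an empty list means compliant."""
    meta, spec = pod.get("metadata", {}), pod.get("spec", {})
    ns = meta.get("namespace", "default")
    labels = meta.get("labels") or {}
    annotations = meta.get("annotations") or {}
    findings = []
    # Rule 1: untrusted Prow job pods may only run in test-pods.
    if PROW_JOB_LABEL in labels and ns != UNTRUSTED_NS:
        findings.append(f"prow job pod outside {UNTRUSTED_NS} (namespace={ns})")
    # Rule 2: hostNetwork must not be true for pods in test-pods.
    if ns == UNTRUSTED_NS and spec.get("hostNetwork") is True:
        findings.append("hostNetwork=true in test-pods")
    # Rule 3: privileged only with an explicit exemption (e.g. DinD jobs).
    exempt = annotations.get(PRIV_EXEMPTION) == "true"
    for c in _containers(spec):
        if (c.get("securityContext") or {}).get("privileged") is True and not exempt:
            findings.append(f"container {c['name']} privileged without exemption")
    return findings


# Constructed sample manifests, not real Prow jobs.
MISPLACED = {"metadata": {"namespace": "default", "labels": {PROW_JOB_LABEL: "pull-x"}},
             "spec": {"containers": [{"name": "test"}]}}
BAD = {"metadata": {"namespace": UNTRUSTED_NS},
       "spec": {"hostNetwork": True,
                "containers": [{"name": "test", "securityContext": {"privileged": True}}]}}
DIND_OK = {"metadata": {"namespace": UNTRUSTED_NS, "annotations": {PRIV_EXEMPTION: "true"}},
           "spec": {"containers": [{"name": "dind", "securityContext": {"privileged": True}}]}}

if __name__ == "__main__":
    for name, pod in [("misplaced", MISPLACED), ("bad", BAD), ("dind", DIND_OK)]:
        print(name, check_pod(pod) or "compliant")
```

The same rules are a natural fit for an admission policy (Pod Security Admission for `privileged`/`hostNetwork`, or a policy engine for the namespace check) so that non-compliant pods are rejected rather than merely reported.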

@upodroid upodroid added the sig/k8s-infra Categorizes an issue or PR as relevant to SIG K8s Infra. label Apr 7, 2023
@upodroid (Member, Author) commented Apr 7, 2023

/area infra
/area infra/aws
/area infra/gcp
/priority important-soon

@k8s-ci-robot k8s-ci-robot added area/infra Infrastructure management, infrastructure design, code in infra/ area/infra/aws Issues or PRs related to Kubernetes AWS infrastructure area/infra/gcp Issues or PRs related to Kubernetes GCP infrastructure priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. labels Apr 7, 2023
@xmudrii (Member) commented Apr 24, 2023

EKS-related IAM improvements are tracked as part of #5160

@k8s-triage-robot commented

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 19, 2024
@xmudrii (Member) commented Jan 19, 2024

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 19, 2024
@k8s-triage-robot commented

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 18, 2024
@xmudrii (Member) commented Apr 18, 2024

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 18, 2024