Security

More info: https://cloud.google.com/kubernetes-engine/docs/concepts/security-overview

Authentication and authorization #

  • User accounts
  • Service accounts

Secure masters #

By default, the master components use a public IP address. You can protect the Kubernetes API server by using master authorized networks (which restrict the source CIDR ranges that may reach the API server) and private clusters, which let you assign a private IP address to the master and disable access on the public IP address.

For enhanced authentication security, make sure you have disabled Basic Authentication by setting an empty username and password in the MasterAuth configuration. In the same configuration, you can also disable the client certificate, which leaves you with one less key to think about when locking down access to your cluster.

Rotate credentials on a regular basis. When credential rotation is initiated, the SSL certificates and cluster certificate authority are rotated. This process is automated by Google Kubernetes Engine and also ensures that your master IP address rotates.
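An added audit check (not from this page or from Google's tooling) that reads a cluster description, as produced by `gcloud container clusters describe NAME --format=json`, and flags the control-plane settings discussed above; the field names are assumed to match the GKE REST Cluster resource, and both sample clusters below are constructed.

```python
import json
import sys

# Constructed sample clusters. The field names follow the GKE REST Cluster
# resource (an assumption of this example); the values are made up.
WEAK_CLUSTER = {
    "name": "example-weak",
    "masterAuth": {
        "username": "admin",
        "password": "PLACEHOLDER-PASSWORD",
        "clientCertificateConfig": {"issueClientCertificate": True},
    },
    "masterAuthorizedNetworksConfig": {"enabled": False},
    "privateClusterConfig": {"enablePrivateNodes": False, "enablePrivateEndpoint": False},
}
HARDENED_CLUSTER = {
    "name": "example-hardened",
    "masterAuth": {"username": "", "password": "",
                   "clientCertificateConfig": {"issueClientCertificate": False}},
    "masterAuthorizedNetworksConfig": {
        "enabled": True,
        "cidrBlocks": [{"displayName": "corp-vpn", "cidrBlock": "203.0.113.0/24"}]},
    "privateClusterConfig": {"enablePrivateNodes": True, "enablePrivateEndpoint": True},
}

def audit_master_access(cluster: dict) -> list[str]:
    """Return one finding per weak control-plane access setting (empty list = all good)."""
    findings = []
    auth = cluster.get("masterAuth", {})
    # Basic Authentication is off only when both username and password are empty.
    if auth.get("username") or auth.get("password"):
        findings.append("basic auth enabled: MasterAuth username/password is set")
    # A client certificate is one more long-lived key to protect; flag it if issued.
    cert_cfg = auth.get("clientCertificateConfig", {})
    if cert_cfg.get("issueClientCertificate") or auth.get("clientCertificate"):
        findings.append("client certificate issued for the cluster")
    man = cluster.get("masterAuthorizedNetworksConfig", {})
    if not man.get("enabled"):
        findings.append("master authorized networks disabled")
    elif not man.get("cidrBlocks"):
        findings.append("master authorized networks enabled but no CIDR blocks listed")
    priv = cluster.get("privateClusterConfig", {})
    if not priv.get("enablePrivateNodes"):
        findings.append("not a private cluster: nodes have public IP addresses")
    if not priv.get("enablePrivateEndpoint"):
        findings.append("master public endpoint still reachable")
    return findings

if __name__ == "__main__":
    # Usage: python audit.py cluster.json  (output of `gcloud ... describe --format=json`)
    target = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else WEAK_CLUSTER
    for finding in audit_master_access(target) or ["no findings"]:
        print(f"{target.get('name', '?')}: {finding}")
```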

Node Security #

  • Container-Optimized OS
  • Automatic node upgrade
  • Securing instance metadata

Network Security #