Inasmuch as it's important to secure your container images, it's equally important to safeguard the infrastructure that runs them. This section explores different ways to mitigate risks from attacks launched directly against the host. These guidelines should be used in conjunction with those outlined in the Runtime Security section.

## Recommendations

### Use an OS optimized for running containers

Consider using Flatcar Linux, Project Atomic, RancherOS, and Bottlerocket, a special purpose OS from AWS designed for running Linux containers. It includes a reduced attack surface, a disk image that is verified on boot, and enforced permission boundaries using SELinux.

Alternately, use the EKS optimized AMI for your Kubernetes worker nodes. The EKS optimized AMI is released regularly and contains a minimal set of OS packages and binaries necessary to run your containerized workloads.

Regardless of whether you use a container-optimized host OS like Bottlerocket or a larger, but still minimalist, Amazon Machine Image like the EKS optimized AMIs, it is best practice to keep these host OS images up to date with the latest security patches. For the EKS optimized AMIs, regularly check the CHANGELOG and/or release notes channel and automate the rollout of updated worker node images into your cluster.

### Treat your infrastructure as immutable and automate the replacement of your worker nodes

Rather than performing in-place upgrades, replace your workers when a new patch or update becomes available.
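One way to automate the "check the release notes, then roll the nodes" loop for EKS managed node groups, as an added example that is not part of the original guide: it compares each node group's `releaseVersion` with the recommended release version AWS publishes in SSM and emits the `aws eks update-nodegroup-version` command that replaces the nodes instead of patching them in place. The cluster and node group names and the sample node group data are constructed; `recommended_release_version` is a hypothetical helper name wrapping a real SSM parameter path.

```python
"""Find EKS managed node groups running an outdated EKS-optimized AMI and
emit the commands that replace their nodes rather than patching in place."""
import subprocess


def recommended_release_version(k8s_version, ami_path="amazon-linux-2"):
    """Read the release version of the latest EKS-optimized AMI from the
    public SSM parameter AWS maintains (requires AWS credentials)."""
    name = f"/aws/service/eks/optimized-ami/{k8s_version}/{ami_path}/recommended/release_version"
    out = subprocess.run(["aws", "ssm", "get-parameter", "--name", name,
                          "--query", "Parameter.Value", "--output", "text"],
                         check=True, capture_output=True, text=True)
    return out.stdout.strip()


def parse_release(release_version):
    """'1.29.0-20240307' -> ((1, 29, 0), 20240307); a missing build date sorts lowest."""
    version, _, build = release_version.partition("-")
    return tuple(int(p) for p in version.split(".")), (int(build) if build else 0)


def is_stale(current, recommended):
    return parse_release(current) < parse_release(recommended)


def stale_nodegroups(nodegroups, recommended):
    """nodegroups: 'nodegroup' objects as returned by `aws eks describe-nodegroup`."""
    return [ng["nodegroupName"] for ng in nodegroups
            if is_stale(ng["releaseVersion"], recommended)]


def update_command(cluster, nodegroup, release_version):
    # Launches replacement nodes on the new AMI and drains the old ones; without
    # --force the rollout honours PodDisruptionBudgets. Node groups whose launch
    # template pins a custom AMI take a new --launch-template version instead.
    return ["aws", "eks", "update-nodegroup-version", "--cluster-name", cluster,
            "--nodegroup-name", nodegroup, "--release-version", release_version]


# Constructed sample: two node groups, one already on the recommended build.
SAMPLE_NODEGROUPS = [
    {"nodegroupName": "general", "version": "1.29", "releaseVersion": "1.29.0-20240213"},
    {"nodegroupName": "gpu", "version": "1.29", "releaseVersion": "1.29.0-20240307"},
]

if __name__ == "__main__":
    cluster, k8s_version = "example-cluster", "1.29"   # placeholder names
    recommended = "1.29.0-20240307"                      # constructed; live value:
    # recommended = recommended_release_version(k8s_version)
    for name in stale_nodegroups(SAMPLE_NODEGROUPS, recommended):
        print(" ".join(update_command(cluster, name, recommended)))
```

Running it against real data means feeding the `nodegroup` objects from `aws eks describe-nodegroup` into `stale_nodegroups` and executing the printed commands from a scheduled job, so every new EKS AMI release turns into a node replacement rather than a manual patch.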