Kubernetes Scoping
How many k8s clusters are in scope of the demand?
What version of Kubernetes is in use within the cluster?
Is the version of Kubernetes you’re using managed (e.g. by a cloud provider GKE, EKS etc) or self-hosted (e.g. kops, kubeadm)?
What namespaces are to be reviewed within the cluster(s)?
How many nodes are in use across the cluster(s)?
How many K8s services are deployed within the cluster(s)?
Please provide a brief description of what these services do.
Is the deployment hosted on-premises or in the cloud?
If cloud-based, is the cluster using a managed service (e.g. Azure AKS, Amazon EKS, Google Kubernetes Engine)?
Is the cluster intended to be multi-tenanted? If so is this soft multitenancy (e.g. the tenants are relatively trusted) or hard multitenancy (e.g. the tenants may not be trusted by each other)?
What Container Runtime(s) are in-use in the cluster (e.g. Docker, CRI-O, GVisor)?
What authentication methods is/are in use?
e.g. Certificate authentication, OIDC, Token authentication
If OIDC authentication is in use, what 3rd party software is used to facilitate this? (e.g. Dex, Keycloak, Cloud based authentication) and are these solutions in-scope of the review?
Authorization - How many roles/cluster roles are defined in the cluster?
How do administrators connect to your cluster?
e.g. direct access to Kubernetes API, SSH Bastion host, VPN
How do developers deploy applications in the cluster? e.g. directly using Kubernetes manifest, indirectly via CI/CD, using Helm charts
Are any third party RBAC technologies in use?
ow do users connect to cluster services?
e.g. Publicly available web applications
Will privileged (e.g. Cluster Admin) access be available to tester during the review?
Will tester be able to run custom containers from public sources such as the Docker Hub?
If a managed Kubernetes service is in use will we be able to get access to the cloud console to review controls there?
What supporting software is in use inside the cluster? e.g. Helm/Tiller, Prometheus, Jaeger
Are there any Service mesh technologies in use within the cluster, which should be considered in-scope of the review (e.g. istio, Linkerd)
Are any Pod Security Policies (PSPs) defined within the cluster? If so, how many?
What CNI plugin(s) are in use within the cluster (e.g Cilium, Calico, Weave)
Are any Network Policies defined within the cluster? If so, how many?
How are secrets managed within the cluster? Is external secret manager used?( e.g. Vault, AWS secret Manager, etc)
Is any persistent storage associated with the cluster? e.g. Cloud storage, Databases
Should any additional ancillary systems be included in this review?
Are there any Custom Resource Definitions used in the cluster(s)? If so, how many and (at a high level) what are their functions?
Container Review
Is a review of any specific container images in scope for this review? If so, please list them here.
Can the images be downloaded from a centralized location? e.g. Docker hub, artifactory
Can Dockerfiles be made available to tester?
Last updated