XI Commandments of Kubernetes Security: A Systematization of Knowledge Related to Kubernetes Security Practices
arXiv - CS - Software Engineering Pub Date : 2020-06-27 , DOI: arxiv-2006.15275
Md. Shazibul Islam Shamim and Farzana Ahamed Bhuiyan and Akond Rahman

Kubernetes is an open-source software for automating management of computerized services. Organizations such as IBM, Capital One and Adidas use Kubernetes to deploy and manage their containers, and have reported benefits related to deployment frequency. Despite reported benefits, Kubernetes deployments are susceptible to security vulnerabilities, such as those that occurred at Tesla in 2018. A systematization of Kubernetes security practices can help practitioners mitigate vulnerabilities in their Kubernetes deployments. The goal of this paper is to help practitioners in securing their Kubernetes installations through a systematization of knowledge related to Kubernetes security practices. We systematize knowledge by applying qualitative analysis on 104 Internet artifacts. We identify 11 security practices that include (i) implementation of role-based access control (RBAC) authorization to provide least privilege, (ii) applying security patches to keep Kubernetes updated, and (iii) implementing pod and network specific security policies.

Updated: 2020-06-30