5th chunk of `content/en/docs/tasks/administer-cluster/securing-a-cluster.md`
access to a subset of the keyspace is strongly recommended.
{{< /caution >}}

### Enable audit logging

The [audit logger](/docs/tasks/debug/debug-cluster/audit/) is a beta feature that records actions taken by the
API for later analysis in the event of a compromise. It is recommended to enable audit logging
and archive the audit file on a secure server.
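Archiving the audit file is only half of the value; the other half is being able to ask it questions quickly after an incident. The following is an added example, not code from the Kubernetes documentation, that reads the JSON-lines format the kube-apiserver writes to `--audit-log-path` (one `audit.k8s.io/v1` Event per line) and labels the events an incident responder looks at first: secret reads by identities other than the control plane and kubelets, RBAC changes, `exec`/`attach` into pods, pod creation in `kube-system`, and denied requests. The list of expected secret readers is an assumption for this example, and the sample log lines are constructed.

```python
"""Triage kube-apiserver audit events for the activity an incident responder
checks first. Added example, not code from the Kubernetes docs: it reads the
JSON-lines format written by --audit-log-path (one audit.k8s.io/v1 Event per
line) and labels each event. The sample events below are constructed."""
import json
from collections import Counter
from typing import Iterable

READ_VERBS = {"get", "list", "watch"}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}
RBAC_RESOURCES = {"clusterroles", "clusterrolebindings", "roles", "rolebindings"}

# Assumption for this example: the controller manager, the apiserver itself and
# kubelets (system:node:<name>) legitimately read secrets; anyone else is reviewed.
EXPECTED_SECRET_READERS = ("system:kube-controller-manager", "system:apiserver")
EXPECTED_SECRET_READER_PREFIXES = ("system:node:",)


def triage_event(event: dict) -> list[str]:
    """Return the labels that apply to one audit event (empty if unremarkable)."""
    # Every request is logged at several stages; ResponseComplete carries the
    # final status code, so the other stages are skipped to avoid double counting.
    if event.get("stage") != "ResponseComplete":
        return []
    user = event.get("user", {}).get("username", "")
    verb = event.get("verb", "")
    ref = event.get("objectRef") or {}
    resource = ref.get("resource", "")
    subresource = ref.get("subresource", "")
    namespace = ref.get("namespace", "")
    code = event.get("responseStatus", {}).get("code", 0)

    if code in (401, 403):
        # Denied calls touched no data, but bursts of them look like probing.
        return ["denied"]
    labels = []
    if (resource == "secrets" and verb in READ_VERBS
            and user not in EXPECTED_SECRET_READERS
            and not user.startswith(EXPECTED_SECRET_READER_PREFIXES)):
        labels.append("secret-read")
    if resource in RBAC_RESOURCES and verb in WRITE_VERBS:
        labels.append("rbac-change")
    if resource == "pods" and subresource in {"exec", "attach"}:
        labels.append("pod-exec")
    # exec/attach are POSTs to a pod subresource, so require no subresource here.
    if resource == "pods" and verb == "create" and not subresource and namespace == "kube-system":
        labels.append("pod-create-kube-system")
    return labels


def triage_log(lines: Iterable[str]) -> dict:
    """Summarise an audit log: per-label counts plus (user, object) pairs."""
    counts = Counter()
    details = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        for label in triage_event(event):
            counts[label] += 1
            ref = event.get("objectRef") or {}
            target = f"{ref.get('namespace', '-')}/{ref.get('resource', '?')}/{ref.get('name', '?')}"
            details.setdefault(label, []).append((event["user"]["username"], target))
    return {"counts": dict(counts), "details": details}


# Constructed sample log: Metadata-level events in the kube-apiserver JSON format.
SAMPLE_LOG = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a1","stage":"RequestReceived","requestURI":"/api/v1/namespaces/payments/secrets/db-creds","verb":"get","user":{"username":"system:serviceaccount:monitoring:agent","groups":["system:serviceaccounts"]},"objectRef":{"resource":"secrets","namespace":"payments","name":"db-creds","apiVersion":"v1"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a1","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/payments/secrets/db-creds","verb":"get","user":{"username":"system:serviceaccount:monitoring:agent","groups":["system:serviceaccounts"]},"objectRef":{"resource":"secrets","namespace":"payments","name":"db-creds","apiVersion":"v1"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a2","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/payments/secrets/db-creds","verb":"get","user":{"username":"system:kube-controller-manager"},"objectRef":{"resource":"secrets","namespace":"payments","name":"db-creds","apiVersion":"v1"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a3","stage":"ResponseComplete","requestURI":"/apis/rbac.authorization.k8s.io/v1/clusterrolebindings","verb":"create","user":{"username":"alice"},"objectRef":{"resource":"clusterrolebindings","name":"agent-admin","apiGroup":"rbac.authorization.k8s.io","apiVersion":"v1"},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a4","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/kube-system/pods/etcd-cp/exec?command=sh","verb":"create","user":{"username":"alice"},"objectRef":{"resource":"pods","namespace":"kube-system","name":"etcd-cp","subresource":"exec","apiVersion":"v1"},"responseStatus":{"code":101}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a5","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/kube-system/secrets","verb":"list","user":{"username":"system:serviceaccount:default:default"},"objectRef":{"resource":"secrets","namespace":"kube-system","apiVersion":"v1"},"responseStatus":{"code":403}}
"""

if __name__ == "__main__":
    print(json.dumps(triage_log(SAMPLE_LOG.splitlines()), indent=2))
```

Run against a real archive with `triage_log(open("audit.log"))`; the `Metadata` level is enough for every label above, so the policy does not need to record request bodies for this triage to work. The exec event illustrates why the subresource matters: it arrives as a `create` on `pods`, and without the subresource check it would be miscounted as a pod creation.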

### Restrict access to alpha or beta features

Alpha and beta Kubernetes features are in active development and may have limitations or bugs
that result in security vulnerabilities. Always assess the value an alpha or beta feature may
provide against the possible risk to your security posture. When in doubt, disable features you
do not use.

### Rotate infrastructure credentials frequently

The shorter the lifetime of a secret or credential, the harder it is for an attacker to make
use of that credential. Set short lifetimes on certificates and automate their rotation. Use
an authentication provider that can control how long issued tokens are available and use short
lifetimes where possible. If you use service-account tokens in external integrations, plan to
rotate those tokens frequently. For example, once the bootstrap phase is complete, a bootstrap
token used for setting up nodes should be revoked or its authorization removed.
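Finding the service-account tokens that never expire is the first step of a rotation plan. The following is an added example, not code from the Kubernetes documentation, that decodes the claims of each token and classifies it: legacy tokens (issuer `kubernetes/serviceaccount`, no `exp`) can only be rotated by deleting and re-creating them, while bound tokens carry `iat`/`exp` and can be compared against the maximum lifetime you want to allow. The signature is deliberately not verified here, which is acceptable only for an inventory and never for authorization; the tokens below are constructed with a placeholder signature, and the one-hour maximum is an assumption.

```python
"""Inventory service account token lifetimes. Added example, not code from the
Kubernetes docs. Claims are decoded WITHOUT signature verification, which is
fine for an inventory but must never be used to make an authorization decision.
The sample tokens are constructed with a placeholder signature."""
import base64
import json
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string with a placeholder signature, for samples only."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}.placeholder-signature"


def decode_claims(token: str) -> dict:
    """Return the JWT payload without checking the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated parts")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def assess_token(token: str, now: int, max_lifetime: int = 3600) -> dict:
    """Classify one token relative to `now` (Unix seconds) and a maximum lifetime."""
    claims = decode_claims(token)
    subject = claims.get("sub", "?")
    exp: Optional[int] = claims.get("exp")
    if exp is None:
        # Legacy Secret-backed tokens never expire; rotation means deleting the Secret.
        return {"subject": subject, "kind": "legacy", "status": "no-expiry"}
    iat = claims.get("iat", now)
    lifetime = exp - iat
    remaining = exp - now
    if remaining <= 0:
        status = "expired"
    elif lifetime > max_lifetime:
        status = "lifetime-exceeds-max"
    else:
        status = "ok"
    return {"subject": subject, "kind": "bound", "status": status,
            "lifetime": lifetime, "remaining": remaining}


def inventory(tokens, now: int, max_lifetime: int = 3600) -> list[dict]:
    return [assess_token(t, now, max_lifetime) for t in tokens]


# Constructed samples: a legacy token, a short bound token, a year-long bound
# token (the kind an external integration tends to accumulate) and an expired one.
NOW = 1700000000
SAMPLE_TOKENS = [
    make_unsigned_token({"iss": "kubernetes/serviceaccount",
                         "kubernetes.io/serviceaccount/namespace": "ci",
                         "kubernetes.io/serviceaccount/service-account.name": "deployer",
                         "sub": "system:serviceaccount:ci:deployer"}),
    make_unsigned_token({"iss": "https://kubernetes.default.svc.cluster.local",
                         "aud": ["https://kubernetes.default.svc"],
                         "iat": NOW - 600, "nbf": NOW - 600, "exp": NOW + 3000,
                         "kubernetes.io": {"namespace": "payments", "serviceaccount": {"name": "api"}},
                         "sub": "system:serviceaccount:payments:api"}),
    make_unsigned_token({"iss": "https://kubernetes.default.svc.cluster.local",
                         "aud": ["https://kubernetes.default.svc"],
                         "iat": NOW - 86400, "exp": NOW + 31449600,
                         "sub": "system:serviceaccount:ci:external-scanner"}),
    make_unsigned_token({"iss": "https://kubernetes.default.svc.cluster.local",
                         "aud": ["https://kubernetes.default.svc"],
                         "iat": NOW - 7200, "exp": NOW - 3600,
                         "sub": "system:serviceaccount:payments:worker"}),
]

if __name__ == "__main__":
    for entry in inventory(SAMPLE_TOKENS, NOW):
        print(entry)
```

Feed it the tokens your external integrations actually hold (read from their secret stores, not from the cluster); a `no-expiry` or `lifetime-exceeds-max` result identifies an integration whose credential should move to short-lived, regularly rotated tokens.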

### Review third-party integrations before enabling them

Many third-party integrations with Kubernetes may alter the security profile of your cluster. When
enabling an integration, always review the permissions that an extension requests before granting
it access. For example, many security integrations may request access to view all secrets on
your cluster, which effectively makes that component a cluster admin. When in doubt,
restrict the integration to functioning in a single namespace if possible.
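Reviewing the permissions an integration requests is easier with a checklist applied to its manifests. The following is an added example, not code from the Kubernetes documentation, covering this paragraph and the next one: it takes the `Role`/`ClusterRole` an integration ships (as Python dicts mirroring the YAML, to avoid a YAML dependency) together with the namespace its binding scopes it to, and reports cluster-wide secret reads (effectively cluster-admin), the ability to create pods in `kube-system`, wildcard rules, and the `escalate`/`bind`/`impersonate` verbs. The manifests are constructed; the same `ClusterRole` appears twice to show how binding it with a `RoleBinding` in a single namespace changes the verdict.

```python
"""Review the RBAC a third-party integration asks for before granting it.
Added example, not code from the Kubernetes docs. Manifests are given as dicts
mirroring their YAML; bound_namespace=None means a ClusterRoleBinding
(cluster-wide), a string means a RoleBinding in that namespace."""
from typing import Optional

READ_VERBS = {"get", "list", "watch"}
CORE_GROUP = ""  # secrets and pods live in the core API group
PRIVILEGE_VERBS = {"escalate", "bind", "impersonate"}


def _covers(rule: dict, api_group: str, resource: str, verb: str) -> bool:
    """True if one PolicyRule grants `verb` on `resource` in `api_group`."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = rule.get("verbs", [])
    return (("*" in groups or api_group in groups)
            and ("*" in resources or resource in resources)
            and ("*" in verbs or verb in verbs))


def review_role(manifest: dict, bound_namespace: Optional[str]) -> list[str]:
    """Return human-readable findings for one Role/ClusterRole at the given scope."""
    scope = "cluster-wide" if bound_namespace is None else f"namespace {bound_namespace}"
    name = manifest["metadata"]["name"]
    findings = []
    for rule in manifest.get("rules", []):
        verbs = set(rule.get("verbs", []))
        if "*" in verbs or "*" in rule.get("resources", []):
            findings.append(f"{name}: wildcard rule ({scope})")
        for verb in sorted(PRIVILEGE_VERBS & verbs):
            findings.append(f"{name}: verb {verb} lets the subject grow its own permissions")
        if any(_covers(rule, CORE_GROUP, "secrets", v) for v in READ_VERBS):
            if bound_namespace is None:
                findings.append(f"{name}: reads secrets cluster-wide (equivalent to cluster-admin)")
            else:
                findings.append(f"{name}: reads secrets in {bound_namespace}")
        # Pods created in kube-system can mount that namespace's service account secrets.
        if _covers(rule, CORE_GROUP, "pods", "create") and bound_namespace in (None, "kube-system"):
            findings.append(f"{name}: can create pods in kube-system ({scope})")
    return findings


def review_all(requests) -> dict:
    """Map (role name, bound namespace) to its findings."""
    return {(m["metadata"]["name"], ns): review_role(m, ns) for m, ns in requests}


# Constructed manifests for three hypothetical integrations.
SECURITY_SCANNER = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
                    "metadata": {"name": "security-scanner"},
                    "rules": [{"apiGroups": [""], "resources": ["secrets", "pods"],
                               "verbs": ["get", "list", "watch"]}]}
INGRESS_OPERATOR = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
                    "metadata": {"name": "ingress-operator", "namespace": "ingress"},
                    "rules": [{"apiGroups": [""], "resources": ["secrets", "configmaps"],
                               "verbs": ["get", "list", "watch"]},
                              {"apiGroups": ["apps"], "resources": ["deployments"],
                               "verbs": ["*"]}]}
ADDON_INSTALLER = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
                   "metadata": {"name": "addon-installer"},
                   "rules": [{"apiGroups": [""], "resources": ["pods"],
                              "verbs": ["create", "delete"]}]}

SAMPLE_REQUESTS = [
    (SECURITY_SCANNER, None),           # bound with a ClusterRoleBinding
    (INGRESS_OPERATOR, "ingress"),      # Role bound in its own namespace
    (ADDON_INSTALLER, "kube-system"),   # ClusterRole bound via RoleBinding in kube-system
    (ADDON_INSTALLER, "addons"),        # same ClusterRole confined to a harmless namespace
]

if __name__ == "__main__":
    for key, findings in review_all(SAMPLE_REQUESTS).items():
        print(key, findings or "no findings")
```

The last two entries are the point of the exercise: the same `ClusterRole` is a concern when bound in `kube-system` and unremarkable when bound in its own namespace, which is exactly the "restrict the integration to a single namespace" advice expressed as RBAC.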

Components that create pods may also be unexpectedly powerful if they can do so inside namespaces
like the `kube-system` namespace, because those pods can gain access to service account secrets
or run with elevated permissions if those service accounts are granted access to permissive
