This document is designed to list potential attack vectors and solutions to them.

• Kernel exploits
• Denial-of-service attacks
• Container Breakouts
• Poisoned Images
• Compromising Secrets

• Minimize the attack surface
• Apply the principle of least privilege
• Segregation
• Don’t forget security in DevOps
• Always trust your sources

• Kube-Bench - Uses CIS Benchmark to evaluate your cluster
• Stay up-to-date
• OS + Framework Patching

• Content Trust : Ensure the integrity of images throughout the life cycle / images haven't been tampered with
• Container Image Scanning : Scan all files in container image for vulnerabilities
  • AquaSec
  • Twistlock
• Image Availability : Do you care if images are publicly available?
• Open Policy Agent : Only allow pulling from specific container registries

• Enforce least privileges in runtime
  • AppArmor + seccomp
  • Avoid running container as Root or with Privileges
• Whitelist files and executables allowed to access or run

• AKS + Kured: Add security patches to Host VM

• Log all container administrative user access for auditing
• Monitor container activity and user access
• Monitor container resource activity

• Network Policy Enforcement: Enforce network segmentation on running containers
• Azure Firewall: Limit egress traffic from cluster

• Manage access to the cluster
  • Kubernernetes RBAC
• Manage access within the cluster
  • Enable Azure AD for RBAC
  • Harden the Dashboard

• Azure KeyVault for Secret Management
  • BETA: Azure KeyVault Plugin for K8S

• Web Application Firewall : L7 Protection from cross-site scripting (XSS) attacks, SQL injection attacks, session hijacking and buffer overflows

• Securing Kubernetes
• Container Security in MS
• AKS Container Security