Workload Hardening

Service Account token: Protect access to the Kubernetes service account token.
FIM: File Integrity Monitoring.
Packaging tools: Deny execution of package management tools.
Trusted certs bundle: Protect write access to the trusted root certificates bundle.
Database access: Protect read/write access to raw database tables from unknown processes.
Config data: Protect access to configuration data containing plain-text credentials.
File Copy: Prevent file copy using standard utilities.
Network Access: Prevent network access for all processes, or selectively enable network access for specific processes only.
/tmp/ noexec: Do not allow execution of binaries from the /tmp/ folder.
Admin tools: Do not allow execution of administrative/maintenance tools inside the pods.
Discovery tools: Do not allow discovery/search of tools/configuration.
Logs delete: Do not allow external tooling to delete logs/traces of critical components.
ICMP control: Do not allow scanning tools to use ICMP for scanning the network.
Restrict Capabilities: Do not allow capabilities that can be leveraged by an attacker.
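Several of the controls in the list above have a native Kubernetes counterpart that can be applied before any runtime-enforcement policy is layered on top. The Pod manifest below is an added example, not a policy template from this page or its product: it protects the service account token (automountServiceAccountToken), the trusted root certificate bundle and other system files (readOnlyRootFilesystem), and restricts capabilities (drop ALL, allowPrivilegeEscalation false). The label, image name and the /tmp emptyDir are assumptions for illustration. The process-level controls in the list (package management tools, admin and discovery tools, per-process network access, ICMP) are not expressible in a Pod spec and still need the runtime policies the page describes.

```yaml
# Added example (hypothetical pod name, label and image). Native Kubernetes
# securityContext settings that cover a subset of the hardening items above.
apiVersion: v1
kind: Pod
metadata:
  name: hardened-app
  labels:
    app: hardened-app
spec:
  # "Service Account token": the token is not mounted at
  # /var/run/secrets/kubernetes.io/serviceaccount/token, so a compromised
  # process cannot read it. Only set this when the workload does not talk
  # to the API server.
  automountServiceAccountToken: false
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: app
      image: example.invalid/hardened-app:1.0   # assumed image
      securityContext:
        # "Trusted certs bundle" (and other system files): no process in the
        # container can write /etc/ssl/certs or anything else on the root FS.
        readOnlyRootFilesystem: true
        # "Restrict Capabilities": drop every Linux capability; add back only
        # what the workload provably needs (for example NET_BIND_SERVICE).
        capabilities:
          drop: ["ALL"]
        # Blocks setuid binaries and similar paths to gaining privileges.
        allowPrivilegeEscalation: false
      volumeMounts:
        # Scratch space is the only writable path; the root FS stays read-only.
        - name: tmp
          mountPath: /tmp
  volumes:
    - name: tmp
      emptyDir: {}
```

Note that the emptyDir above gives the application a writable /tmp but does not by itself make it noexec; the "/tmp/ noexec" item still relies on a runtime policy that blocks execution from that path, as do the remaining process-centric items in the list.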