Security Self-Assessment: [STRIDE-MULTIPLE] End-User Cluster API Security Guidance

[randomvariable]

User Story

As a cluster operator, I want to know how to use Cluster API securely.

Detailed Description

Follow up to #4139, security guidance should be given for end users

Covers the following in the security self-assessment:

• Second pair of eyes are applied when executing privileged actions such as creating/deleting/updating a cluster (possibly using gitops)
• Enabling auditing on the management cluster (STRIDE-SPOOF-1)
• Using least permissions for infrastructure providers. (STRIDE-SPOOF-1)
• Files system monitoring (STRIDE-TAMPER-2)
• During runtime: Alert on modification or restarts of cluster API components to detect for potential tampering (STRIDE-TAMPER-1)

Anything else you would like to add:

[Miscellaneous information that will assist in solving the issue.]

/kind feature
/area security

[fabriziopandini]

/kind cleanup
/remove-kind feature

FYI there is a new set of tooling around owner files being used in the ecosystem, including also periodic checks on maintainers not active anymore. We should leverage on the same tooling
@dims ^^

[sbueringer]

/milestone v1.2

[PushkarJ]

/retitle Security Self-Assessment: [STRIDE-MULTIPLE] End-User Cluster API Security Guidance
/sig security

[PushkarJ]

/assign pushkarj

(Planning on writing this up in next few weeks)

[fabriziopandini]

/triage accepted
/remove-kind cleanup
/kind documentation

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[fabriziopandini]

/lifecycle frozen

[k8s-triage-robot]

This issue has not been updated in over 1 year, and should be re-triaged.

You can:

• Confirm that this issue is still relevant with /triage accepted (org members only)
• Close this issue with /close

For more details on the triage process, see https://www.kubernetes.dev/docs/guide/issue-triage/

/remove-triage accepted

[fabriziopandini]

/priority backlog

[fabriziopandini]

What we need is a new page in the book under security with the list of Recommended Mitigations from the description above. I would also add

From: #6518

• Implement safe defaults (soft and hard) on how many CRD objects a Cluster API
  component can create, especially in a management cluster
• Implement threshold based alerts when a particular soft limit is exceeded for number of CRD

From #6517

• Create safe defaults (soft and hard) for the maximum number of nodes that can be created using a management cluster
• Implement threshold based alerts when a particular soft limit is exceeded for number of nodes

#6516

• Create safe defaults (soft and hard) for the maximum number of clusters that can be created using a management cluster
• Implement threshold based alerts when a particular soft limit is exceeded for number of clusters

From #6515

• Create safe defaults (soft and hard) for the maximum number of cloud resources that can be created.
• Implement threshold based alerts when a particular soft limit is exceeded

/remove-help
/good-first issue

[fabriziopandini]

/triage accepted