generated from kubernetes/kubernetes-template-project
-
Notifications
You must be signed in to change notification settings - Fork 61
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
7 additions
and
5 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -864,7 +864,7 @@ exfiltrated to spoof Cluster API components or launch a denial of service attack | |
| #### STRIDE-INFODISCLOSE-4 Recommended Mitigations | ||
|
|
||
| * Use short-lived credentials that are auto-renewed using node level attestation | ||
| * Status: implemented / planned / to be implemented / End User Guidance | ||
| * Status: [Cloud Provider guidance to be written](#cluster-api-cloud-provider-guide) | ||
| * Disable or restrict SSH access to nodes in a cluster | ||
| * Status: [End user guidance to be written](#cluster-api-end-user-guide) | ||
| * Implement cluster level Pod Security to prevent host mount access to pod | ||
|
|
@@ -946,7 +946,7 @@ resources being added to one or more clusters. | |
| * Status: [planned](https://github.com/kubernetes-sigs/cluster-api/issues/6518) | ||
| * Safe defaults on number of cluster and nodes will also have side effect of | ||
| preventing this threat | ||
| * Status: implemented / planned / to be implemented / End User Guidance | ||
| * Status: planned | ||
|
|
||
| #### STRIDE-DOS-5 - Deleting ELB instance for API server of workload cluster to disconnect management cluster from workload cluster(s) | ||
|
|
||
|
|
@@ -972,7 +972,7 @@ bills or traffic congestion on cloud API pathways | |
| #### STRIDE-DOS-6 Recommended Mitigations | ||
|
|
||
| * Implement rate limits for creation, deletion and update of cloud resources | ||
| * Status: implemented / planned / to be implemented / End User Guidance | ||
| * Status: [Cloud Provider guidance to be written](#cluster-api-cloud-provider-guide) | ||
| * Apply second pair of eyes whenever possible for such activity | ||
| * Status: [End user guidance to be written](#cluster-api-end-user-guide) | ||
| * Apply alerting on all cloud resource creation, update, deletion activities | ||
|
|
@@ -1031,7 +1031,7 @@ by attacker for their own gain | |
| * Any cloud resource not linked to a cluster after a fixed configurable period | ||
| of time created by these cloud credentials, should be auto-deleted or marked | ||
| for garbage collection | ||
| * Status: implemented / planned / to be implemented / End User Guidance | ||
| * Status: [Cloud Provider guidance to be written](#cluster-api-cloud-provider-guide) | ||
|
|
||
| ### Security issue resolution | ||
|
|
||
|
|
@@ -1079,4 +1079,6 @@ by attacker for their own gain | |
|
|
||
| ##### [[email protected]](mailto:[email protected]) | ||
|
|
||
| ##### [cluster-api-end-user-guide](https://github.com/kubernetes-sigs/cluster-api/issues/6152) | ||
| ##### [cluster-api-end-user-guide](https://github.com/kubernetes-sigs/cluster-api/issues/6152) | ||
|
|
||
| ##### [cluster-api-cloud-provider-guide](https://github.com/kubernetes-sigs/cluster-api/issues/6519) | ||