Doc: Adding initial hardening guide #5881
Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA. It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
Welcome @timdeluxe!
Hi @timdeluxe. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/ok-to-test
@timdeluxe please check the CLA bot hint
/check-cla
I committed with the wrong email address (my fault). I hope my amend action helped... If not, I might need to do another PR?
Hm, looks like I need to redo the whole PR, because my amend action made a new commit and an old one with the wrong email is still included in the PR. Am I correct? I would work on the given feedback here and then push the changes to another PR and close this one here. Would that be the right way, @aledbf?
@timdeluxe please squash the commits. I think that is enough. Or you can close this PR and create a new one with just one commit. Up to you :)
6cc45b0 to b56258c
Squashing worked, thanks. Will work on the feedback in the next days...
@timdeluxe friendly ping
@aledbf Sorry, I was and am on vacation, will continue to work on this on Monday.
Please excuse that it took a biiit longer. I have now updated all the points you thankfully gave feedback on. That also closes all open lines with question marks.
/lgtm
@timdeluxe thanks!
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: aledbf, timdeluxe The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
What this PR does / why we need it:
ingress-nginx is hardened in several places by default, but it can be made even more secure. This hardening guide looks at best-practice documents of CIS benchmarks and a cipherli.st fork and checks what needs to be done or if the ingress-nginx default is already sufficient.
Originally it was discussed here: nginxinc/kubernetes-ingress#887, and so I published it in our own repo, since I was recommended to do so in that issue.
However, dodevops/k8s-ingress-nginx-hardening#1 gave me the hint to add it to this community-driven project, and hence this PR.
Types of changes
Which issue/s this PR fixes
How Has This Been Tested?
Tested with make live-docs, but the table is still too wide. However, I don't know a better format, any recommendations?
Checklist:
WIP remark:
I added the flag WIP since there are some points in the hardening guide where I have no clue (marked with question marks, like "???"). I need help on those points.
Also, as already mentioned above, the table format may be improved to something else, but I have no idea what. Any ideas?