All configurations must be secure by default. Insecure defaults should not be used even for testing.
- Use `insert_key = true` (Vagrant default) - the insecure key is used only for initial access
- It is automatically replaced with a secure key on VM creation
- Use a private network when possible
- Restrict access with a firewall when using a public network
- Expose only necessary ports

```ruby
config.vm.network "private_network", ip: "192.168.56.10"
```

- Disable the synced folder if not needed (attack vector to the host)

```ruby
config.vm.synced_folder ".", "/vagrant", disabled: true
```

- Never hardcode secrets in the Vagrantfile
- Use environment variables or encrypted files
- Add sensitive files to .gitignore
API server settings (anonymous auth disabled, audit logging enabled):

```yaml
apiServer:
  extraArgs:
    anonymous-auth: "false"
    audit-log-path: "/var/log/kubernetes/audit.log"
```

Namespace label enforcing the restricted Pod Security Standard:

```yaml
metadata:
  labels:
    pod-security.kubernetes.io/enforce: restricted
```

Default-deny NetworkPolicy:

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
```

Applied in dasomel/ubuntu-24.04 Box:
| Setting | Value | Purpose |
|---|---|---|
| net.ipv4.conf.all.rp_filter | 1 | IP Spoofing prevention |
| net.ipv4.conf.all.accept_redirects | 0 | ICMP Redirect block |
| net.ipv4.tcp_syncookies | 1 | SYN Flood prevention |
| net.ipv4.icmp_echo_ignore_broadcasts | 1 | Smurf attack prevention |
```
PermitRootLogin no
PasswordAuthentication no # Production
PubkeyAuthentication yes
MaxAuthTries 3
```
| Item | Production | Local Dev |
|---|---|---|
| PasswordAuthentication | no | yes |
| metrics-server TLS | strict | insecure |
| NetworkPolicy | required | optional |
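An added check, not part of the dasomel/ubuntu-24.04 box, that audits a node's sshd_config and sysctl values against the hardening table and the Production / Local Dev profiles above; the sample inputs are constructed, and the function and profile names are this example's own.

```python
import re
# Expected kernel parameters, from the box's sysctl hardening table above.
EXPECTED_SYSCTL = {
    "net.ipv4.conf.all.rp_filter": "1",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
}
# Expected sshd_config settings; only PasswordAuthentication differs per profile.
EXPECTED_SSHD = {
    "production": {"PermitRootLogin": "no", "PasswordAuthentication": "no",
                   "PubkeyAuthentication": "yes", "MaxAuthTries": "3"},
    "local-dev": {"PermitRootLogin": "no", "PasswordAuthentication": "yes",
                  "PubkeyAuthentication": "yes", "MaxAuthTries": "3"},
}

def parse_kv(text, sep):
    """Parse 'key<sep>value' lines, dropping blanks and '#' comments. Keys are
    lower-cased (sshd keywords are case-insensitive); the first occurrence
    wins, which is how sshd itself resolves duplicate directives."""
    found = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = re.split(sep, line, maxsplit=1) if line else []
        if len(parts) == 2:
            found.setdefault(parts[0].strip().lower(), parts[1].strip())
    return found

def audit(found, expected):
    """Return {setting: (expected, actual)} for every missing or drifted value."""
    return {k: (v, found.get(k.lower())) for k, v in expected.items()
            if found.get(k.lower()) != v}

def audit_sshd(config_text, profile="production"):
    return audit(parse_kv(config_text, r"\s+"), EXPECTED_SSHD[profile])

def audit_sysctl(sysctl_text):
    return audit(parse_kv(sysctl_text, r"\s*=\s*"), EXPECTED_SYSCTL)

# Constructed samples (not real node output): one sshd drift, one sysctl drift,
# one sysctl key missing. On a node, feed in /etc/ssh/sshd_config and `sysctl -a`.
SAMPLE_SSHD = ("PermitRootLogin no\nPasswordAuthentication yes # Production\n"
               "PubkeyAuthentication yes\nMaxAuthTries 6\n")
SAMPLE_SYSCTL = ("net.ipv4.conf.all.rp_filter = 1\n"
                 "net.ipv4.conf.all.accept_redirects = 1\nnet.ipv4.tcp_syncookies = 1\n")

if __name__ == "__main__":
    print("sshd drift (production):", audit_sshd(SAMPLE_SSHD))
    print("sysctl drift:", audit_sysctl(SAMPLE_SYSCTL))
```

An empty result means the node matches the chosen profile; anything returned is a setting to fix before ticking the checklist below.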
- No hardcoded secrets in Vagrantfile
- Sensitive files in .gitignore
- Latest Base Box version
- All nodes Ready
- System pods running
- SSH key replaced
- RBAC policies reviewed
- NetworkPolicy applied
- Pod Security Standards applied
- Audit logging enabled