Defense & Hardening in EKS

Effective defense and hardening in Amazon EKS involve securing workloads, enforcing compliance, and detecting runtime threats. Below are key focus areas:

Pod and Container Security Context

  • Use Kubernetes security contexts to define permissions and constraints at the pod/container level.
  • Enforce practices like:
    • Running containers as a non-root user.
    • Mounting the container root filesystem read-only.
    • Disallowing privilege escalation.

Policy Enforcement with Kyverno and CEL

  • Kyverno: A Kubernetes-native policy engine to validate, mutate, and enforce best practices.
  • CEL (Common Expression Language): Lightweight expressions for custom rules in admission controllers.
  • Define policies for image scanning, resource limits, and namespace isolation.
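As an added example (not from the original page or from the Kyverno project), a single Kyverno ClusterPolicy that enforces the three security-context practices listed under "Pod and Container Security Context" above at admission time. The policy name is a constructed placeholder, and the patterns check only spec.containers; repeat each pattern under =(initContainers) to cover init containers as well.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-hardened-security-context   # constructed example name
spec:
  validationFailureAction: Enforce   # reject non-compliant Pods; use Audit to only report
  background: true                   # also evaluate existing Pods and record PolicyReports
  rules:
    # Rule 1: every container must declare that it runs as a non-root user.
    - name: run-as-non-root
      match: { any: [ { resources: { kinds: [Pod] } } ] }
      validate:
        message: "Every container must set securityContext.runAsNonRoot: true."
        pattern:
          spec:
            containers:
              - securityContext:
                  runAsNonRoot: "true"
    # Rule 2: the container root filesystem must be mounted read-only.
    - name: read-only-root-filesystem
      match: { any: [ { resources: { kinds: [Pod] } } ] }
      validate:
        message: "Every container must set securityContext.readOnlyRootFilesystem: true."
        pattern:
          spec:
            containers:
              - securityContext:
                  readOnlyRootFilesystem: "true"
    # Rule 3: privilege escalation (setuid binaries, capability gains) must be disabled.
    - name: disallow-privilege-escalation
      match: { any: [ { resources: { kinds: [Pod] } } ] }
      validate:
        message: "Every container must set securityContext.allowPrivilegeEscalation: false."
        pattern:
          spec:
            containers:
              - securityContext:
                  allowPrivilegeEscalation: "false"
```

Roll it out with validationFailureAction set to Audit first so existing violations show up in PolicyReports without blocking deployments, then switch to Enforce once workloads comply.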

Threat Detection with AWS GuardDuty

  • A managed threat detection service that integrates with EKS.
  • Detects anomalies, such as suspicious API calls, unauthorized access, and malicious behavior in the control plane and nodes.

Runtime Security with eBPF and Tetragon

  • Use eBPF (Extended Berkeley Packet Filter) for real-time observability and security at the kernel level.
  • Tetragon: Monitors process execution, network activity, and policy violations in runtime environments without significant overhead.