├── LICENSE
├── README.md
├── _config.yml
└── img
    ├── 4c-cloud-native.png
    ├── container-signing.png
    ├── infra-k8s-security.png
    └── network-k8s.png


/LICENSE:
--------------------------------------------------------------------------------
  1 |                                  Apache License
  2 |                            Version 2.0, January 2004
  3 |                         http://www.apache.org/licenses/
  4 | 
  5 |    TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
  6 | 
  7 |    1. Definitions.
  8 | 
  9 |       "License" shall mean the terms and conditions for use, reproduction,
 10 |       and distribution as defined by Sections 1 through 9 of this document.
 11 | 
 12 |       "Licensor" shall mean the copyright owner or entity authorized by
 13 |       the copyright owner that is granting the License.
 14 | 
 15 |       "Legal Entity" shall mean the union of the acting entity and all
 16 |       other entities that control, are controlled by, or are under common
 17 |       control with that entity. For the purposes of this definition,
 18 |       "control" means (i) the power, direct or indirect, to cause the
 19 |       direction or management of such entity, whether by contract or
 20 |       otherwise, or (ii) ownership of fifty percent (50%) or more of the
 21 |       outstanding shares, or (iii) beneficial ownership of such entity.
 22 | 
 23 |       "You" (or "Your") shall mean an individual or Legal Entity
 24 |       exercising permissions granted by this License.
 25 | 
 26 |       "Source" form shall mean the preferred form for making modifications,
 27 |       including but not limited to software source code, documentation
 28 |       source, and configuration files.
 29 | 
 30 |       "Object" form shall mean any form resulting from mechanical
 31 |       transformation or translation of a Source form, including but
 32 |       not limited to compiled object code, generated documentation,
 33 |       and conversions to other media types.
 34 | 
 35 |       "Work" shall mean the work of authorship, whether in Source or
 36 |       Object form, made available under the License, as indicated by a
 37 |       copyright notice that is included in or attached to the work
 38 |       (an example is provided in the Appendix below).
 39 | 
 40 |       "Derivative Works" shall mean any work, whether in Source or Object
 41 |       form, that is based on (or derived from) the Work and for which the
 42 |       editorial revisions, annotations, elaborations, or other modifications
 43 |       represent, as a whole, an original work of authorship. For the purposes
 44 |       of this License, Derivative Works shall not include works that remain
 45 |       separable from, or merely link (or bind by name) to the interfaces of,
 46 |       the Work and Derivative Works thereof.
 47 | 
 48 |       "Contribution" shall mean any work of authorship, including
 49 |       the original version of the Work and any modifications or additions
 50 |       to that Work or Derivative Works thereof, that is intentionally
 51 |       submitted to Licensor for inclusion in the Work by the copyright owner
 52 |       or by an individual or Legal Entity authorized to submit on behalf of
 53 |       the copyright owner. For the purposes of this definition, "submitted"
 54 |       means any form of electronic, verbal, or written communication sent
 55 |       to the Licensor or its representatives, including but not limited to
 56 |       communication on electronic mailing lists, source code control systems,
 57 |       and issue tracking systems that are managed by, or on behalf of, the
 58 |       Licensor for the purpose of discussing and improving the Work, but
 59 |       excluding communication that is conspicuously marked or otherwise
 60 |       designated in writing by the copyright owner as "Not a Contribution."
 61 | 
 62 |       "Contributor" shall mean Licensor and any individual or Legal Entity
 63 |       on behalf of whom a Contribution has been received by Licensor and
 64 |       subsequently incorporated within the Work.
 65 | 
 66 |    2. Grant of Copyright License. Subject to the terms and conditions of
 67 |       this License, each Contributor hereby grants to You a perpetual,
 68 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 69 |       copyright license to reproduce, prepare Derivative Works of,
 70 |       publicly display, publicly perform, sublicense, and distribute the
 71 |       Work and such Derivative Works in Source or Object form.
 72 | 
 73 |    3. Grant of Patent License. Subject to the terms and conditions of
 74 |       this License, each Contributor hereby grants to You a perpetual,
 75 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 76 |       (except as stated in this section) patent license to make, have made,
 77 |       use, offer to sell, sell, import, and otherwise transfer the Work,
 78 |       where such license applies only to those patent claims licensable
 79 |       by such Contributor that are necessarily infringed by their
 80 |       Contribution(s) alone or by combination of their Contribution(s)
 81 |       with the Work to which such Contribution(s) was submitted. If You
 82 |       institute patent litigation against any entity (including a
 83 |       cross-claim or counterclaim in a lawsuit) alleging that the Work
 84 |       or a Contribution incorporated within the Work constitutes direct
 85 |       or contributory patent infringement, then any patent licenses
 86 |       granted to You under this License for that Work shall terminate
 87 |       as of the date such litigation is filed.
 88 | 
 89 |    4. Redistribution. You may reproduce and distribute copies of the
 90 |       Work or Derivative Works thereof in any medium, with or without
 91 |       modifications, and in Source or Object form, provided that You
 92 |       meet the following conditions:
 93 | 
 94 |       (a) You must give any other recipients of the Work or
 95 |           Derivative Works a copy of this License; and
 96 | 
 97 |       (b) You must cause any modified files to carry prominent notices
 98 |           stating that You changed the files; and
 99 | 
100 |       (c) You must retain, in the Source form of any Derivative Works
101 |           that You distribute, all copyright, patent, trademark, and
102 |           attribution notices from the Source form of the Work,
103 |           excluding those notices that do not pertain to any part of
104 |           the Derivative Works; and
105 | 
106 |       (d) If the Work includes a "NOTICE" text file as part of its
107 |           distribution, then any Derivative Works that You distribute must
108 |           include a readable copy of the attribution notices contained
109 |           within such NOTICE file, excluding those notices that do not
110 |           pertain to any part of the Derivative Works, in at least one
111 |           of the following places: within a NOTICE text file distributed
112 |           as part of the Derivative Works; within the Source form or
113 |           documentation, if provided along with the Derivative Works; or,
114 |           within a display generated by the Derivative Works, if and
115 |           wherever such third-party notices normally appear. The contents
116 |           of the NOTICE file are for informational purposes only and
117 |           do not modify the License. You may add Your own attribution
118 |           notices within Derivative Works that You distribute, alongside
119 |           or as an addendum to the NOTICE text from the Work, provided
120 |           that such additional attribution notices cannot be construed
121 |           as modifying the License.
122 | 
123 |       You may add Your own copyright statement to Your modifications and
124 |       may provide additional or different license terms and conditions
125 |       for use, reproduction, or distribution of Your modifications, or
126 |       for any such Derivative Works as a whole, provided Your use,
127 |       reproduction, and distribution of the Work otherwise complies with
128 |       the conditions stated in this License.
129 | 
130 |    5. Submission of Contributions. Unless You explicitly state otherwise,
131 |       any Contribution intentionally submitted for inclusion in the Work
132 |       by You to the Licensor shall be under the terms and conditions of
133 |       this License, without any additional terms or conditions.
134 |       Notwithstanding the above, nothing herein shall supersede or modify
135 |       the terms of any separate license agreement you may have executed
136 |       with Licensor regarding such Contributions.
137 | 
138 |    6. Trademarks. This License does not grant permission to use the trade
139 |       names, trademarks, service marks, or product names of the Licensor,
140 |       except as required for reasonable and customary use in describing the
141 |       origin of the Work and reproducing the content of the NOTICE file.
142 | 
143 |    7. Disclaimer of Warranty. Unless required by applicable law or
144 |       agreed to in writing, Licensor provides the Work (and each
145 |       Contributor provides its Contributions) on an "AS IS" BASIS,
146 |       WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
147 |       implied, including, without limitation, any warranties or conditions
148 |       of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
149 |       PARTICULAR PURPOSE. You are solely responsible for determining the
150 |       appropriateness of using or redistributing the Work and assume any
151 |       risks associated with Your exercise of permissions under this License.
152 | 
153 |    8. Limitation of Liability. In no event and under no legal theory,
154 |       whether in tort (including negligence), contract, or otherwise,
155 |       unless required by applicable law (such as deliberate and grossly
156 |       negligent acts) or agreed to in writing, shall any Contributor be
157 |       liable to You for damages, including any direct, indirect, special,
158 |       incidental, or consequential damages of any character arising as a
159 |       result of this License or out of the use or inability to use the
160 |       Work (including but not limited to damages for loss of goodwill,
161 |       work stoppage, computer failure or malfunction, or any and all
162 |       other commercial damages or losses), even if such Contributor
163 |       has been advised of the possibility of such damages.
164 | 
165 |    9. Accepting Warranty or Additional Liability. While redistributing
166 |       the Work or Derivative Works thereof, You may choose to offer,
167 |       and charge a fee for, acceptance of support, warranty, indemnity,
168 |       or other liability obligations and/or rights consistent with this
169 |       License. However, in accepting such obligations, You may act only
170 |       on Your own behalf and on Your sole responsibility, not on behalf
171 |       of any other Contributor, and only if You agree to indemnify,
172 |       defend, and hold each Contributor harmless for any liability
173 |       incurred by, or claims asserted against, such Contributor by reason
174 |       of your accepting any such warranty or additional liability.
175 | 
176 |    END OF TERMS AND CONDITIONS
177 | 
178 |    APPENDIX: How to apply the Apache License to your work.
179 | 
180 |       To apply the Apache License to your work, attach the following
181 |       boilerplate notice, with the fields enclosed by brackets "[]"
182 |       replaced with your own identifying information. (Don't include
183 |       the brackets!)  The text should be enclosed in the appropriate
184 |       comment syntax for the file format. We also recommend that a
185 |       file or class name and description of purpose be included on the
186 |       same "printed page" as the copyright notice for easier
187 |       identification within third-party archives.
188 | 
189 |    Copyright [yyyy] [name of copyright owner]
190 | 
191 |    Licensed under the Apache License, Version 2.0 (the "License");
192 |    you may not use this file except in compliance with the License.
193 |    You may obtain a copy of the License at
194 | 
195 |        http://www.apache.org/licenses/LICENSE-2.0
196 | 
197 |    Unless required by applicable law or agreed to in writing, software
198 |    distributed under the License is distributed on an "AS IS" BASIS,
199 |    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
200 |    See the License for the specific language governing permissions and
201 |    limitations under the License.
202 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # Kubernetes Security Checklist
  2 | 
  3 | ![4c-cloud](./img/4c-cloud-native.png)
  4 | 
  5 | ## Table of Contents
  6 |   - [Kubernetes Infrastructure](#kubernetes-infrastructure)
  7 |   - [Kubernetes Security Features](#kubernetes-security-features)
  8 |   - [Kubernetes Authorization - RBAC](#kubernetes-authorization---rbac)
  9 |   - [Kubernetes Pod Security](#kubernetes-pod-security)
 10 |   - [Kubernetes Secrets](#kubernetes-secrets)
 11 |   - [Kubernetes Networking](#kubernetes-network-security)
 12 |   - [Kubernetes Supply Chain Security](#kubernetes-supply-chain-security)
 13 |   - [Common attacks](#common-attacks)
 14 |   - [Kubernetes Security Tools](#kubernetes-security-tools)
 15 |   - [Kubernetes Security Guides](#kubernetes-security-guides)
 16 |   - [Further reading](#further-reading)
 17 |   - [Collaborate](#collaborate)
 18 | 
 19 | ---
 20 | 
 21 | ## Kubernetes Infrastructure
 22 | 
 23 | ![infra-k8s](./img/infra-k8s-security.png)
 24 | 
 25 | - ✅ Limiting access to the Kubernetes API server except from trusted networks.
 26 |   - Limit access to Network API Server (Control plane)
 27 |   - Limit access to Network Nodes
 28 |   > Ports and Protocols - [kubernetes official doc](https://kubernetes.io/docs/reference/ports-and-protocols/)
 29 | 
 30 | - ✅ Limiting access to Kubernetes Cloud Provider API. Apply the least privilege in the Authorization IAM.
 31 | - ✅ Limiting access to etcd
 32 |   - Apply etcd Encryption
 33 |   - Use TLS communication
 34 |   - is ETCD access limited to control plane?
 35 | - ✅ Apply host security benchmark: OpenSCAP, OVAL. Validate if your hosts are following the CIS benchmark. `Compliance`
 36 | - ✅ Updates and patches
 37 |   - Update the kubernetes version with the fixed bugs
 38 | - ✅ Certs: SSL/TLS for your Kubernetes Cluster
 39 |   - Automated issuance and renewal of certificates to secure Ingress with TLS
 40 |   - Secure pod-to pod communication with mTLS using private PKI Issuers
 41 |   - Supports certificate use cases for web facing and internal workloads
 42 | 
 43 |   > [cert-manager](https://cert-manager.io/) is a X.509 certificate controller for Kubernetes and OpenShift workloads.
 44 | 
 45 |   > Manage TLS Certificates in a Cluster - [Kubernetes official doc](https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/)
 46 | 
 47 | ## Kubernetes Security Features
 48 | 
 49 | - ✅ Authorization: RBAC
 50 | - ✅ Authentication: SSO
 51 | - ✅ Secrets management
 52 | - ✅ Pod Security policy
 53 | - ✅ Network policy
 54 | - ✅ Observability: Auditing API server
 55 | 
 56 | ## Kubernetes Authorization - RBAC
 57 | 
 58 | - ✅ Role-based Access Control - RBAC
 59 |   - *Follow the principle of least privilege*
 60 |   - Workload identity in Cloud providers: Employ workload identity to tie RBAC to the cloud provider’s authentication mechanism.
 61 |   - Avoid admin-level access in the cluster
 62 |       - [AquaSecurity/kubectl-who-can](https://github.com/aquasecurity/kubectl-who-can). Show who has RBAC permissions to perform actions on different resources in Kubernetes.
 63 |       - [FairwindsOps/rbac-manager](https://github.com/FairwindsOps/rbac-manager). This is an operator that supports declarative configuration for RBAC with new custom resources.
 64 | 
 65 | - [Kubernetes RBAC: Asking for Forgiveness or Getting Permission](https://blog.aquasec.com/kubernetes-rbac)
 66 | - [Privilege Escalation from Node/Proxy Rights in Kubernetes RBAC](https://blog.aquasec.com/privilege-escalation-kubernetes-rbac)
 67 | - [Kubernetes RBAC: How to Avoid Privilege Escalation via Certificate Signing](https://blog.aquasec.com/kubernetes-rbac-privilige-escalation)
 68 | 
 69 | ## Kubernetes Pod Security
 70 | - ✅ [Pod security standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/): Restricted, Baseline and Privileged.
 71 | - ✅ Configure a [Security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for a pod or container.
 72 | - ✅ Container runtime with stronger isolation
 73 | 
 74 | ## Kubernetes Secrets
 75 | 
 76 | - ✅ Encrypt all your secrets
 77 |     - Mozilla's SOPS
 78 |     - Key Management stores in the Cloud Providers
 79 | 
 80 | ## Kubernetes Network Security
 81 | 
 82 | when’s the last time anyone discovered a sophisticated attack from a
 83 | packet capture (PCAP) in Kubernetes?
 84 | 
 85 | ![network-k8s](./img/network-k8s.png)
 86 | >> [Image by Security Observability with eBPF](https://isovalent.com/data/isovalent_security_observability.pdf)
 87 | 
 88 | - ✅  Network Policy
 89 |   - Use nano segmentation
 90 |   - Use network policy: manage cluster ingress and egress
 91 | 
 92 | ## Kubernetes Supply Chain Security
 93 | - ✅ Enforce image trust with Image signing
 94 |   - Image signing: Container Signing, Verification and Storage in an OCI registry.
 95 |   - [Cosign vs Notary by Rewanth](cosign-with-kubernetes-ensure-integrity-of-images-before-deployment)
 96 | - ✅ Enabled Kubernetes [Admission controllers](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/) to verify the image integrity.
 97 | - ✅ SCA, SBOM
 98 | 
 99 | ![container-signing](./img/container-signing.png)
100 | 
101 | ## Kubernetes Thread Matrix
102 | 
103 | - [Microsoft Threat Matrix](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/)
104 | 
105 | ## Common Attacks
106 | 
107 | - Abuse credentials: RBAC, service accounts system:masters
108 | - Poisoned Images / Malicious Images in the registry
109 |   - Supply chain mitigation: Secure Ci/CD env, Image assurance, Image signing
110 | - Privileged Escalation – Breaking out of the Container: Excessive capabiiities such as CAP_SYS_ADMIN, CAP_NET_ADMIN, CAP_SYS_PTRACE
111 |   - Escape to Host- Kubernetes Privilege Pod application
112 |     - writable hostPath mount: Avoid with misconfigurations k8s tools
113 |     - [CVE-2022-0185: Kubernetes Container Escape Using Linux Kernel Exploit](https://www.crowdstrike.com/blog/cve-2022-0185-kubernetes-container-escape-using-linux-kernel-exploit/)
114 | 
115 | - Backdoor container - Persistence: capture the contents of the service account token mounted in the container
116 |   - [Doki Malware](https://attack.mitre.org/software/S0600/)
117 |   - Used secret management for your application data.
118 | - Cryptominers
119 |   - [Kinsing Malware](https://attack.mitre.org/software/S0599/)
120 | - Laterally moving within the cluster, Network scanning: Avoid with network policy or network segmentation.
121 | - Misconfigured Kubelet API: Avoid with Kubernetes hardening tools.
122 |   - Set to false the `--anonymous-auth` flag in the kubelet component.
123 |   - [Hildegard Malware](https://attack.mitre.org/software/S0601/)
124 | - Application exploit (RCE, SSRF, XXE, etc.)
125 | - Reverse Shell: Remote code execution (RCE) that opens a reverse shell connection to a suspicious domain that the attacker is listening. 
126 |   >> The workload wasn’t restricted by the container runtime and has overly permissive Linux capabilities that
127 | enables the attacker to mount in the /etc/kubernetes/manifests directory from the host into the container.
128 |   >> The attacker then drops a privileged pod manifest in kubelet’s manifest directory. The attacker now has a high-availability, kubelet-managed backdoor into the cluster that supersedes any IAM (identity and access management) or RBAC policies.
129 | - Fileless attacks in containers
130 |   - [Using memfd_create syscall](https://youtu.be/dizRKAjuhS0)
131 | - SSRF attacks to the Kubernetes API server
132 | 
133 | - Denial of Service (DoS) or a Distributed Denial of Service (DDoS): Avoid with misconfigurations k8s tools
134 |   - ✅ Limit the resources (CPU, memory) in the pods
135 |     - [Goldilocks](https://github.com/FairwindsOps/goldilocks) - identify a starting point for resource requests and limits.
136 |   - ✅ Limit the resources (CPU, memory) using Quotes by namespace/cluster.
137 |   - ✅ Set limits about traffic in the ingress policy. You can set limits on the number of concurrent connections, the number of requests per second, minute, or hour; the size of request bodies.
138 | - Fork bomb: Avoid with misconfigurations k8s toolss
139 | 
140 | ## Policy as a code
141 | OPA allows users to set policies across infrastructure and applications.
142 | 
143 | - Standard policies.
144 | - Organization-specific policies
145 | - Environment-specific policies
146 | 
147 | Some controls examples:
148 | • Which registries images can be downloaded from
149 | • Which OS capabilities a container can execute with
150 | • Which namespaces are allowed to run sensitive workloads
151 | • Labels that must be specified for certain resources
152 | • Disallowing deprecated or dangerous resource types
153 | • Enforcing naming schemes or internal standards
154 | 
155 | ### Integrates shift-left Kubernetes Security
156 | Run security validation checks in your CI/CD pipeline. Check the manifest written in in Yaml, Terraform, etc
157 | 
158 | - [x] IaC and automation reduce human error by creating predictable results
159 | 
160 | ## Kubernetes Reliability Best Practices
161 | - Simplicity vs Complexity
162 |   - Service delivery vs traffic routing. Manually maintained DNS entries, Service delivery is required because your application is scaling in and out, and changes are happening at a fast rate.
163 |   - Configuration management tools: Puppet, Ansible, Terraform
164 |   - Application configuration: ConfigMaps or Secrets
165 | - High-availability (HA) architecture / fault tolerance
166 | - Resource limits and auto-scaling. *set limits on what a pod can consume to increase reliability. This avoids the noisy neighbor problem*
167 | - Liveness and readiness probes. *configure liveness probes and readiness probes to provide your cluster with the ability to self-heal*
168 | 
169 | ### Key Monitoring Alerts
170 | - Kubernetes deployment with no replicas
171 | - Horizontal Pod Autoscaler (HPA) scaling issues
172 | - Host disk usage
173 | - High IO wait times
174 | - Increased network errors
175 | - Increase in pods crashed
176 | - Unhealthy Kubelets
177 | - nginx config reload failures
178 | - Nodes that are not ready
179 | - Large number of pods that are not in a Running state
180 | - External-DNS errors registering records
181 | 
182 | ## Kubernetes Security Tools
183 | - [Penetration tool - Peirates](https://github.com/inguardians/peirates)
184 | - [Kube-hunter](https://github.com/aquasecurity/kube-hunter)
185 | - [FairwindsOps/Polaris](https://github.com/FairwindsOps/Polaris). Validation of best practices in your Kubernetes clusters.
186 | - [Kubescape](https://github.com/kubescape/kubescape)
187 | - [AquaSecurity/appshield](https://github.com/aquasecurity/appshield). Security configuration checks for popular cloud native applications and infrastructure.
188 | - [Trivy-operator]
189 | 
190 | ## Kubernetes Security Guides
191 | - [Kubernetes Hardening Guide by NSA/CISA](https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF)
192 | - [Containers Matrix by Mitre](https://attack.mitre.org/matrices/enterprise/containers/)
193 | 
194 | ## Kubernetes CI/CD Artifacts
195 | - argoCD
196 | - gitops
197 | - terraform
198 | - helm
199 | - Istio help handling mutual TLS encryption inside the cluster.
200 | 
201 | ## Further reading:
202 | - [Fairwinds - Kubernetes Best Practices](https://f.hubspotusercontent40.net/hubfs/2184645/Kubernetes-Best-Practices-WhitePaper.pdf)
203 | - [Kubernetes Security Cheat Sheet by Owasp](https://cheatsheetseries.owasp.org/cheatsheets/Kubernetes_Security_Cheat_Sheet.html)
204 | - [gaps in your public cloud kubernetes security posture](https://itnext.io/how-to-spot-gaps-in-your-public-cloud-kubernetes-security-posture-b9cd375f1b25)
205 | ## Collaborate
206 | 
207 | If you find any typos, errors, outdated resources; or if you have a different point of view. Please open a pull request or contact me.
208 | 
209 | Pull requests and stars are always welcome 🙌
210 | 


--------------------------------------------------------------------------------
/_config.yml:
--------------------------------------------------------------------------------
1 | theme: jekyll-theme-minimal


--------------------------------------------------------------------------------
/img/4c-cloud-native.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/krol3/kubernetes-security-checklist/6557c718de80251be19397f7e587b51e4e7af7a0/img/4c-cloud-native.png


--------------------------------------------------------------------------------
/img/container-signing.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/krol3/kubernetes-security-checklist/6557c718de80251be19397f7e587b51e4e7af7a0/img/container-signing.png


--------------------------------------------------------------------------------
/img/infra-k8s-security.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/krol3/kubernetes-security-checklist/6557c718de80251be19397f7e587b51e4e7af7a0/img/infra-k8s-security.png


--------------------------------------------------------------------------------
/img/network-k8s.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/krol3/kubernetes-security-checklist/6557c718de80251be19397f7e587b51e4e7af7a0/img/network-k8s.png


--------------------------------------------------------------------------------