Skip to main content

Reduce Attack Surface



  • apps - keep up to date, remove unnedded packages
  • network - check and close ports, put things behind firewall
  • iam - dont run as root, restrict user perms

Nodes in K8s#


  • only run k8s components, remove all else
  • ephemeral (recycle)
  • create from images (recycle)
  • be able to cycle node quickly (recycle)

OS Distros#

lot of services & packages in OS = more attack surface

Ports & Services#

check open ports with netstat -plnt or lsof

check systemctl for running services.

example systemctl list-units --type=service --state=running | grep snapd