Linux on Adurhttps://adurrr.github.io/en/tags/linux/Recent content in Linux on AdurHugo -- gohugo.ioenThu, 14 Sep 2023 00:00:00 +0000How I hardened my K3s homelabhttps://adurrr.github.io/en/p/how-i-hardened-my-k3s-homelab/Thu, 14 Sep 2023 00:00:00 +0000https://adurrr.github.io/en/p/how-i-hardened-my-k3s-homelab/<h2 id="starting-point">Starting point </h2><p>I have been running K3s on a couple of physical machines at home for a while. I originally set it up to learn Kubernetes without deploying something heavy, and over time I started using it for small projects: a few web apps, monitoring services, things like that. The setup worked fine but I had never sat down to think carefully about security.</p> <p>A few months ago I decided to do that exercise. No rush, no generic checklist from the internet. Just look at what I had, understand what was wrong, and fix it.</p> <p>What I found was not catastrophic, but there were quite a few things I did not like. I am writing this down because K3s has its own quirks compared to a standard Kubernetes cluster, and most hardening guides cover kubeadm or managed clusters, not home setups running on a single binary.</p> <h2 id="what-makes-k3s-different">What makes K3s different </h2><p>Before getting into what I did, it is worth understanding what makes K3s distinct from a security standpoint.</p> <p>K3s packages everything in a single binary: API server, scheduler, controller manager, kubelet, kube-proxy, and containerd. Instead of etcd it uses SQLite by default. The default CNI is Flannel. The default ingress controller is Traefik. All of this makes the installation very simple, but it also means there are active components you might not need, and some design decisions favor ease of use over security.</p> <p>The main configuration file lives at <code>/etc/rancher/k3s/config.yaml</code>. That is where most of what I am going to touch ends up.</p> <h2 id="the-node-before-the-cluster">The node before the cluster </h2><p>Before touching anything Kubernetes-related, the operating system. The cluster runs on Debian, so I started there.</p> <h3 id="ssh">SSH </h3><p>I had password authentication enabled. That is the first thing to turn off:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl"># /etc/ssh/sshd_config </span></span><span class="line"><span class="cl">PasswordAuthentication no </span></span><span class="line"><span class="cl">PermitRootLogin no </span></span><span class="line"><span class="cl">AllowUsers myuser </span></span></code></pre></td></tr></table> </div> </div><p>I also changed the default port. It does not stop someone determined from finding you, but it eliminates a lot of noise in the logs.</p> <h3 id="firewall-with-nftables">Firewall with nftables </h3><p>The machine had its network interfaces completely open. With a home K3s cluster, the API server (port 6443) should not be reachable from outside your local network. My basic rules with nftables:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># List active ruleset</span> </span></span><span class="line"><span class="cl">nft list ruleset </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Restrictive default policy</span> </span></span><span class="line"><span class="cl">nft add chain inet filter input <span class="o">{</span> <span class="nb">type</span> filter hook input priority <span class="m">0</span> <span class="se">\;</span> policy drop <span class="se">\;</span> <span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Allow loopback and established connections</span> </span></span><span class="line"><span class="cl">nft add rule inet filter input iifname lo accept </span></span><span class="line"><span class="cl">nft add rule inet filter input ct state established,related accept </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># SSH only from local network</span> </span></span><span class="line"><span class="cl">nft add rule inet filter input ip saddr 192.168.1.0/24 tcp dport <span class="m">22</span> accept </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># K3s API server only from local network</span> </span></span><span class="line"><span class="cl">nft add rule inet filter input ip saddr 192.168.1.0/24 tcp dport <span class="m">6443</span> accept </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Kubernetes node ports</span> </span></span><span class="line"><span class="cl">nft add rule inet filter input tcp dport 30000-32767 accept </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Traefik (if used as ingress)</span> </span></span><span class="line"><span class="cl">nft add rule inet filter input tcp dport <span class="o">{</span> 80, <span class="m">443</span> <span class="o">}</span> accept </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># ICMP</span> </span></span><span class="line"><span class="cl">nft add rule inet filter input icmp <span class="nb">type</span> echo-request accept </span></span></code></pre></td></tr></table> </div> </div><p>What surprised me when reviewing this: the API server was listening on all interfaces and was reachable directly from the WAN because the router had a port forward for another service that was dragging along some traffic. Small scare, nothing exploited, but not something I wanted to leave.</p> <h3 id="kernel-parameters">Kernel parameters </h3><p>K3s with the <code>--protect-kernel-defaults</code> flag verifies that certain kernel parameters are set correctly. If they are not, startup fails with a clear message. Better to configure them beforehand:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># /etc/sysctl.d/90-k3s-hardening.conf</span> </span></span><span class="line"><span class="cl">kernel.panic <span class="o">=</span> <span class="m">10</span> </span></span><span class="line"><span class="cl">kernel.panic_on_oops <span class="o">=</span> <span class="m">1</span> </span></span><span class="line"><span class="cl">vm.overcommit_memory <span class="o">=</span> <span class="m">1</span> </span></span><span class="line"><span class="cl">vm.panic_on_oom <span class="o">=</span> <span class="m">0</span> </span></span><span class="line"><span class="cl">fs.inotify.max_user_watches <span class="o">=</span> <span class="m">524288</span> </span></span><span class="line"><span class="cl">fs.inotify.max_user_instances <span class="o">=</span> <span class="m">512</span> </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sysctl --system </span></span></code></pre></td></tr></table> </div> </div><h2 id="k3s-configuration">K3s configuration </h2><p>With the node in order, onto the cluster.</p> <h3 id="base-configuration-file">Base configuration file </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># /etc/rancher/k3s/config.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">write-kubeconfig-mode</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;0600&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">protect-kernel-defaults</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">secrets-encryption</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kube-apiserver-arg</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;anonymous-auth=false&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;audit-log-path=/var/log/k3s/audit.log&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;audit-log-maxage=30&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;audit-policy-file=/etc/rancher/k3s/audit-policy.yaml&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kube-controller-manager-arg</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;terminated-pod-gc-threshold=10&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kubelet-arg</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;streaming-connection-idle-timeout=5m&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;protect-kernel-defaults=true&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;make-iptables-util-chains=true&#34;</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>The three most important lines here:</p> <ul> <li><code>secrets-encryption: true</code> enables encryption at rest for Kubernetes secrets. In K3s this is a first-class flag, no need to configure <code>EncryptionConfiguration</code> manually like in kubeadm.</li> <li><code>anonymous-auth=false</code> removes anonymous access to the API server.</li> <li><code>write-kubeconfig-mode: &quot;0600&quot;</code> enforces restrictive permissions on the kubeconfig that K3s generates at <code>/etc/rancher/k3s/k3s.yaml</code>.</li> </ul> <h3 id="audit-policy">Audit policy </h3><p>Without audit logs you have no idea what is happening in your cluster. This is a reasonable minimum:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># /etc/rancher/k3s/audit-policy.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">audit.k8s.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Policy</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">level</span><span class="p">:</span><span class="w"> </span><span class="l">Metadata</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">group</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;secrets&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">level</span><span class="p">:</span><span class="w"> </span><span class="l">RequestResponse</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">group</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;pods/exec&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;pods/attach&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">level</span><span class="p">:</span><span class="w"> </span><span class="l">Request</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">verbs</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;create&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;update&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;patch&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;delete&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">level</span><span class="p">:</span><span class="w"> </span><span class="l">None</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">users</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;system:kube-proxy&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">verbs</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;watch&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">group</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;endpoints&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;services&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;services/status&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">level</span><span class="p">:</span><span class="w"> </span><span class="l">Metadata</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">omitStages</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">RequestReceived</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>The logs go to <code>/var/log/k3s/audit.log</code>. In my case I collect them with Promtail and send them to Loki, so I can run queries from Grafana when I need to review something.</p> <h3 id="kubeconfig">Kubeconfig </h3><p>The kubeconfig K3s generates at <code>/etc/rancher/k3s/k3s.yaml</code> has admin credentials. A mistake I spotted in my own setup: I had that file copied to <code>~/.kube/config</code> with 644 permissions. Any process running under my user could read it.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Correct permissions</span> </span></span><span class="line"><span class="cl">chmod <span class="m">600</span> ~/.kube/config </span></span></code></pre></td></tr></table> </div> </div><p>If you have additional users who need cluster access, create ServiceAccounts or use client certificates with limited RBAC. Do not distribute the admin kubeconfig.</p> <h2 id="cni-from-flannel-to-cilium">CNI: from Flannel to Cilium </h2><p>Flannel is the K3s default. It works, but it does not support NetworkPolicies out of the box. That means all pods can communicate with each other without restriction.</p> <p>I switched to Cilium. The process with K3s requires disabling Flannel first:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># /etc/rancher/k3s/config.yaml (add)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">flannel-backend</span><span class="p">:</span><span class="w"> </span><span class="l">none</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">disable-network-policy</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>Then install Cilium with Helm:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">helm repo add cilium https://helm.cilium.io/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">helm install cilium cilium/cilium <span class="se">\ </span></span></span><span class="line"><span class="cl"> --namespace kube-system <span class="se">\ </span></span></span><span class="line"><span class="cl"> --set operator.replicas<span class="o">=</span><span class="m">1</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> --set ipam.mode<span class="o">=</span>kubernetes <span class="se">\ </span></span></span><span class="line"><span class="cl"> --set <span class="nv">kubeProxyReplacement</span><span class="o">=</span>strict <span class="se">\ </span></span></span><span class="line"><span class="cl"> --set <span class="nv">k8sServiceHost</span><span class="o">=</span>192.168.1.10 <span class="se">\ </span></span></span><span class="line"><span class="cl"> --set <span class="nv">k8sServicePort</span><span class="o">=</span><span class="m">6443</span> </span></span></code></pre></td></tr></table> </div> </div><p>With <code>kubeProxyReplacement=strict</code>, Cilium also replaces kube-proxy, which gives better performance with eBPF and better network traffic visibility.</p> <p>After the switch I started applying NetworkPolicies. The first and most important one: default deny in all application namespaces:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">networking.k8s.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">NetworkPolicy</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">default-deny-all</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">apps</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">podSelector</span><span class="p">:</span><span class="w"> </span>{}<span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">policyTypes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">Ingress</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">Egress</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>From there, explicitly allowing only what is necessary.</p> <h2 id="secrets-what-to-do-when-it-is-just-k3s">Secrets: what to do when it is just K3s </h2><p>In a corporate environment you would use Vault or External Secrets Operator backed by AWS Secrets Manager or similar. In a homelab that is overkill. My solution was simpler.</p> <p>K3s&rsquo;s encryption at rest already protects secrets in the database. For manifests in Git I use <code>age</code> to encrypt sensitive values before committing them:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Encrypt a value</span> </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s2">&#34;my-real-password&#34;</span> <span class="p">|</span> age -r <span class="k">$(</span>cat ~/.config/age/recipient.txt<span class="k">)</span> <span class="p">|</span> base64 </span></span></code></pre></td></tr></table> </div> </div><p>The encrypted value goes into the repository. Deploying it requires a manual decryption step. Less convenient than an automatic operator, but for a homelab it is good enough and does not add operational complexity.</p> <h2 id="falco-for-runtime-detection">Falco for runtime detection </h2><p>Everything above is prevention. Falco is detection: it monitors system calls and generates alerts when something suspicious happens inside a container.</p> <p>I installed it with Helm:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">helm repo add falcosecurity https://falcosecurity.github.io/charts </span></span><span class="line"><span class="cl">helm install falco falcosecurity/falco <span class="se">\ </span></span></span><span class="line"><span class="cl"> --namespace falco <span class="se">\ </span></span></span><span class="line"><span class="cl"> --create-namespace <span class="se">\ </span></span></span><span class="line"><span class="cl"> --set driver.kind<span class="o">=</span>ebpf </span></span></code></pre></td></tr></table> </div> </div><p>The default rules already cover quite a bit: shell execution in containers, writes to system directories, privilege changes, unexpected network connections. I added some custom rules for my specific use case.</p> <p>Alerts go to Loki as well. That way I have the API server audit logs and Falco alerts in the same place.</p> <h2 id="pod-security-standards">Pod Security Standards </h2><p>With K3s &gt;= 1.25 you can use Pod Security Admission directly. I applied the <code>baseline</code> level on application namespaces and <code>restricted</code> where possible:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">apps</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">pod-security.kubernetes.io/enforce</span><span class="p">:</span><span class="w"> </span><span class="l">baseline</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">pod-security.kubernetes.io/warn</span><span class="p">:</span><span class="w"> </span><span class="l">restricted</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>The <code>restricted</code> level is strict: containers cannot run as root, the root filesystem must be read-only, and all Linux capabilities must be dropped. Some of the workloads I had deployed did not comply. I fixed them one by one before raising the <code>enforce</code> level.</p> <h2 id="what-i-left-for-later">What I left for later </h2><p>Not everything is perfect. There are things I know I should do that I have not gotten to yet.</p> <p><strong>Rootless K3s</strong>: you can run K3s entirely without root, which reduces the impact of a potential privilege escalation. I have looked into it and it has some limitations with certain network features, but for my use case it should work.</p> <p><strong>Image verification with cosign</strong>: signing and verifying images before deploying them. I have a private registry for my own images and the third-party ones I use, but I am not verifying signatures yet.</p> <p><strong>CIS Benchmark</strong>: K3s has official documentation for the CIS K3s benchmark. I have reviewed it partially but have not run kube-bench systematically to see what is still pending.</p> <h2 id="what-i-learned">What I learned </h2><p>The default K3s installation is surprisingly reasonable for what it is: a distribution designed to be easy to deploy. But &ldquo;reasonable&rdquo; is not the same as &ldquo;hardened.&rdquo;</p> <p>What surprised me most was how easy most of the changes turned out to be. K3s has first-class flags for many things that require manual configuration in kubeadm. The <code>secrets-encryption</code>, <code>protect-kernel-defaults</code>, the audit policy directly in the config file. It is not that hard if you sit down and read the documentation.</p> <p>The biggest risk in a homelab is not that someone on the internet attacks you directly. It is that you have a bunch of services running on the same network as your personal life, and if one gets compromised, the blast radius can be larger than it seems. Worth taking seriously even if it is a toy environment.</p>