fixup! Update baseline cluster security (#475)

Signed-off-by: Hannes Baum <[email protected]>
SovereignCloudStack · May 23, 2024 · a2adca5 · a2adca5
1 parent d442497
commit a2adca5
Showing 1 changed file with 6 additions and 6 deletions.
diff --git a/Standards/scs-0217-v1-cluster-hardening.md b/Standards/scs-0217-v1-cluster-hardening.md
@@ -110,15 +110,15 @@ etcd provides options for all these scenarios, including `--peer-key-file=peer.k
 for securing peer communication and the flags `--key-file=k8sclient.key` and `--cert-file=k8sclient.cert` for securing
 client communication (and therefore cluster communication).
 Additionally, HTTPS should be used as the URL schema.
-It is also possibly to use a separate CA for the etcd in order to separate and better control access through client
+It is also possible to use a separate CA for the etcd in order to separate and better control access through client
 certificates, since etcd by default trusts all the certificates issued by the root CA [2][nsa-cisa].
 More information about authentication via TLS is provided in the chapter [ACL restrictions](#acl-restrictions).
 
 ### Securing endpoints
 
 Kubernetes provides a well-defined set of ports in its default configuration. These ports are
-used for inter-component communication as well as external access. Due to the distribution of
-and information about Kubernetes clusters, it is easy for a bad actor to identify a clusters
+used for inter-component communication as well as external access. Due to the distribution of information
+about Kubernetes clusters, it is easy for a bad actor to identify a clusters
 ports and try to attack them. In order to minimize the attack vector, internal ports (and therefore components)
 should not be accessible from external networks, except if there are requirements to enable this behavior.
 
@@ -182,8 +182,8 @@ the following (a more complete or up-to-date list may be found in the [Kubernete
 - *Static Token Files*
 
   This method reads bearer tokens from requests and checks them against a CSV file provided to Kubernetes containing
-  three columns named `token`, `username` and `uid`. These tokens last indefinitely and the list cant be changed without a
-  restart of the API server. This makes this option unsuitable for production clusters.
+  three columns named `token`, `username` and `uid`. These tokens last indefinitely and the list can't be changed
+  without a restart of the API server. This makes this option unsuitable for production clusters.
 
 - *Service Account Tokens*
 
@@ -390,7 +390,7 @@ settings that provide different security improvements without being too intrusiv
 
 Kubernetes clusters MUST be updated regularly in order to receive bugfixes and security patches.
 For more information refer to the [SCS K8s Version Policy](scs-0210-v2-k8s-version-policy.md),
-which outlines the update policies of the SCS.
+which outlines the version update policies of the SCS.
 
 Hardening etcd is important due to it being a critical component inside a Kubernetes cluster.
 etcd SHOULD be isolated from the Kubernetes cluster by being hosted on separate (virtual) machines.