K8

Kubernetes Security

RBAC, pod security standards, network policies, and secrets management

Details

Language / Topic
Kubernetes
Category
Security

Rules

balanced
- Apply least-privilege RBAC: create specific Roles per namespace, never grant cluster-admin to applications
- Set Pod Security Standards: enforce "restricted" profile in production namespaces via Pod Security Admission
- Use network policies to restrict pod-to-pod traffic — default deny all ingress, allow only required paths
- Never store secrets as plain ConfigMaps — use Kubernetes Secrets with encryption at rest enabled
- Run containers as non-root with readOnlyRootFilesystem: true and drop all capabilities
- Least-privilege RBAC: namespace-scoped Roles (not ClusterRoles); bind to ServiceAccounts, not users directly
- Pod Security Standards: enforce "restricted" in prod, "baseline" in staging via PodSecurity admission controller
- Network policies: default-deny ingress/egress per namespace; explicitly allow required communication paths
- Secrets: enable encryption at rest (EncryptionConfiguration), use External Secrets Operator or Sealed Secrets for GitOps
- Non-root containers: runAsNonRoot: true, readOnlyRootFilesystem: true, drop ALL capabilities, add only needed ones
- Image security: use private registries, enable image policy webhook, scan images before deployment
- Service accounts: set automountServiceAccountToken: false on pods that don't need API access
- Use resource quotas and limit ranges per namespace to prevent resource exhaustion across tenants
- Audit logging: enable Kubernetes audit logs, ship to SIEM for anomaly detection
- Regularly update Kubernetes and node OS; subscribe to security advisories (CVE tracking)
- Use Pod Disruption Budgets to maintain availability during node upgrades and voluntary disruptions
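The rules above as one concrete, applyable manifest set: a namespace with Pod Security Admission set to "restricted", a ServiceAccount with token automount off, a namespace-scoped Role bound to that ServiceAccount, default-deny NetworkPolicies with a single explicit allow path, and a Deployment whose pod spec satisfies the restricted profile (non-root, read-only root filesystem, all capabilities dropped, resource limits). This is an added example written for this page, not part of the original rule set; the namespace, application and registry names (`payments`, `payments-api`, `registry.example.internal`) are assumed placeholders.

```yaml
# Added example: a namespace hardened according to the rules on this page.
# All names below are placeholders; substitute your own.
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    # Pod Security Admission: block pods that violate "restricted";
    # warn/audit at the same level so violations surface in kubectl output and audit logs.
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: payments-api-sa
  namespace: payments
automountServiceAccountToken: false   # no API token mounted unless a pod opts in
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role                            # namespace-scoped, never a ClusterRole for an app
metadata:
  name: payments-api-reader
  namespace: payments
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["payments-api-config"]   # one named object, read-only verbs
    verbs: ["get", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: payments-api-reader
  namespace: payments
subjects:
  - kind: ServiceAccount              # bind to the workload identity, not to a human user
    name: payments-api-sa
    namespace: payments
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: payments-api-reader
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments
spec:
  podSelector: {}                     # selects every pod in the namespace
  policyTypes: ["Ingress", "Egress"]  # no rules listed, so both directions are denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: payments-api-allow
  namespace: payments
spec:
  podSelector:
    matchLabels: { app: payments-api }
  policyTypes: ["Ingress", "Egress"]
  ingress:
    - from:                           # only the ingress controller namespace may reach the API
        - namespaceSelector:
            matchLabels: { kubernetes.io/metadata.name: ingress-nginx }
      ports: [{ protocol: TCP, port: 8080 }]
  egress:
    - to:                             # only cluster DNS; add further paths explicitly as needed
        - namespaceSelector:
            matchLabels: { kubernetes.io/metadata.name: kube-system }
          podSelector:
            matchLabels: { k8s-app: kube-dns }
      ports: [{ protocol: UDP, port: 53 }, { protocol: TCP, port: 53 }]
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: payments-api
  namespace: payments
spec:
  replicas: 2
  selector:
    matchLabels: { app: payments-api }
  template:
    metadata:
      labels: { app: payments-api }
    spec:
      serviceAccountName: payments-api-sa
      automountServiceAccountToken: false
      securityContext:
        runAsNonRoot: true
        runAsUser: 10001
        seccompProfile: { type: RuntimeDefault }   # required by the restricted profile
      containers:
        - name: api
          image: registry.example.internal/payments-api:1.4.2   # private registry; pin by digest in practice
          ports: [{ containerPort: 8080 }]
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities: { drop: ["ALL"] }        # add back individual capabilities only if required
          volumeMounts: [{ name: tmp, mountPath: /tmp }]   # writable scratch space without a writable root
          resources:
            requests: { cpu: 100m, memory: 128Mi }
            limits: { cpu: 500m, memory: 256Mi }
      volumes:
        - name: tmp
          emptyDir: {}
```

Two checks worth running after `kubectl apply`: `kubectl auth can-i list secrets -n payments --as=system:serviceaccount:payments:payments-api-sa` should answer `no`, confirming the Role grants nothing beyond the one ConfigMap; and a deliberately non-compliant pod (for example one without `allowPrivilegeEscalation: false`) should be rejected by the admission controller with a message naming the violated restricted-profile field, which confirms the namespace labels took effect.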