
Security

Secure Kubernetes clusters with RBAC, network policies, pod security standards, and encryption for production-grade protection.

Role-Based Access Control

RBAC controls who can perform what actions on which resources. Roles define permissions within a namespace. ClusterRoles apply cluster-wide. Bind roles to users, groups, or service accounts with RoleBinding or ClusterRoleBinding.

Follow least privilege: grant only the permissions needed. Use dedicated service accounts per application, not the default service account.

  • Audit RBAC with kubectl auth can-i --list
  • Avoid cluster-admin for application service accounts
  • Use impersonation for debugging: kubectl --as=system:serviceaccount:ns:sa

# Namespaced Role: read-only access to pods and their logs in staging
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: staging
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
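The Role above grants nothing until it is bound. The manifests below are an added example (not part of the original page) showing a dedicated service account for one application and a RoleBinding that attaches pod-reader to that account alone; the name app-sa and the kubectl checks in the comments are assumptions.

```yaml
# Dedicated service account for one application (name app-sa is assumed)
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-sa
  namespace: staging
# Do not inject the API token into pods unless a pod opts in with
# spec.automountServiceAccountToken: true
automountServiceAccountToken: false
---
# Bind the namespaced pod-reader Role to that single service account
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-sa-pod-reader
  namespace: staging
subjects:
  - kind: ServiceAccount
    name: app-sa
    namespace: staging
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-reader
# Audit the effective permissions by impersonating the service account:
#   kubectl auth can-i --list --as=system:serviceaccount:staging:app-sa -n staging
#   kubectl auth can-i delete pods --as=system:serviceaccount:staging:app-sa -n staging   # expect "no"
```

A RoleBinding can only grant what the referenced Role holds, so binding to a Role rather than a ClusterRole keeps the blast radius inside the staging namespace; the can-i checks confirm that the account cannot do anything beyond get/list/watch on pods.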

Pod Security Standards

Pod Security Standards define three levels: Privileged (unrestricted), Baseline (minimally restrictive), and Restricted (heavily restricted). Enforce with Pod Security admission labels on namespaces.

The Restricted profile forbids running as root, privilege escalation and host namespace sharing, and requires that all capabilities be dropped.

apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
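A Pod that the Restricted profile actually admits into the namespace above, added here as an example (not from the original page); the image name and UID are assumptions.

```yaml
# Pod that passes Pod Security admission at the Restricted level (image and UID assumed)
apiVersion: v1
kind: Pod
metadata:
  name: web
  namespace: production
spec:
  # hostNetwork / hostPID / hostIPC are left at their default (false): no host namespaces
  securityContext:
    runAsNonRoot: true          # required: the image must not run as UID 0
    runAsUser: 10001
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault      # required: Restricted needs RuntimeDefault or Localhost
  containers:
    - name: web
      image: registry.example.com/web:1.2.3
      ports:
        - containerPort: 8080   # unprivileged port, so no NET_BIND_SERVICE needed
      securityContext:
        allowPrivilegeEscalation: false   # required
        capabilities:
          drop: ["ALL"]                    # required
        readOnlyRootFilesystem: true       # not required by Restricted, but cheap hardening
      volumeMounts:
        - name: tmp
          mountPath: /tmp
  volumes:
    - name: tmp
      emptyDir: {}
# Preview the admission decision without creating anything:
#   kubectl apply --dry-run=server -f pod.yaml
```

Omitting any of the fields marked required makes the API server reject the Pod with a message naming the violated control; adding the warn and audit labels alongside enforce on the namespace surfaces those violations for existing workloads before enforcement is turned on.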

Network Security

By default, Kubernetes allows all pod-to-pod communication. Implement default-deny network policies and explicitly allow required traffic paths. Segment namespaces with network policies.

Combine network policies with service mesh (Istio, Linkerd) for mTLS encryption between services and fine-grained authorization.

# Default deny all ingress
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
spec:
  podSelector: {}
  policyTypes: [Ingress]

Encryption

Enable encryption at rest for etcd secrets with a KMS provider. Use TLS for all API communication (enabled by default). Encrypt data in transit between services with service mesh mTLS.
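An EncryptionConfiguration for the API server that writes Secrets through a KMS v2 plugin, added here as an example (not from the original page); the file path, plugin name and socket path are assumptions.

```yaml
# kube-apiserver EncryptionConfiguration (path, plugin name and socket are assumed)
# Referenced by the API server flag: --encryption-provider-config=/etc/kubernetes/enc/enc.yaml
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
      - configmaps          # optional: ConfigMaps frequently hold sensitive values too
    providers:
      # The first provider encrypts new writes and is tried first on reads
      - kms:
          apiVersion: v2
          name: cloud-kms                               # assumed plugin name
          endpoint: unix:///var/run/kmsplugin/socket.sock
          timeout: 3s
      # identity (plaintext) last, so objects stored before encryption was enabled still read
      - identity: {}
# After the API server restarts, rewrite every Secret so it is re-stored encrypted:
#   kubectl get secrets --all-namespaces -o json | kubectl replace -f -
```

Provider order matters: identity first would keep writing plaintext, identity absent would make pre-existing objects unreadable. Reading a Secret straight from etcd after the rewrite should show a value beginning with the k8s:enc:kms:v2: prefix rather than the plaintext object.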

Rotate certificates regularly. Use cert-manager for automated TLS certificate provisioning for Ingress resources.

# cert-manager Certificate
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: app-tls
spec:
  secretName: app-tls-secret
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
    - app.example.com

Security Scanning and Compliance

Scan container images for CVEs in CI before deployment. Use OPA Gatekeeper or Kyverno to enforce policies: required labels, banned image registries, mandatory resource limits.

Run kube-bench to audit cluster configuration against CIS benchmarks. Regular security audits and penetration testing validate your security posture.

# Kyverno policy: require resource limits
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-resources
spec:
  validationFailureAction: Enforce
  rules:
    - name: check-resources
      match:
        resources:
          kinds: [Pod]
      validate:
        message: "CPU and memory limits required"
        pattern:
          spec:
            containers:
              - resources:
                  limits:
                    memory: "?*"
                    cpu: "?*"
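The registry restriction mentioned above, as a second Kyverno policy added here as an example (not from the original page); the registry host is an assumption. It covers init and ephemeral containers as well, since a pattern on containers alone leaves both unchecked.

```yaml
# Kyverno policy: only admit images from an approved registry (registry host is assumed)
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-image-registries
spec:
  validationFailureAction: Audit   # report first; switch to Enforce once reports are clean
  background: true                 # also evaluate existing Pods into PolicyReports
  rules:
    - name: validate-registries
      match:
        any:
          - resources:
              kinds: [Pod]
      validate:
        message: "Images must be pulled from registry.example.com"
        pattern:
          spec:
            containers:
              - image: "registry.example.com/*"
            # =(key) is a conditional anchor: checked only when the list is present
            =(initContainers):
              - image: "registry.example.com/*"
            =(ephemeralContainers):
              - image: "registry.example.com/*"
```

Running in Audit with background scanning produces a PolicyReport per namespace listing every existing violation, which is the safe way to measure impact before flipping to Enforce and having the admission webhook reject deployments.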
