Kubernetes Security Policies
Comprehensive guidance for implementing security policies in Kubernetes clusters, covering Pod Security Standards, Network Policies, RBAC, Security Contexts, admission control, secrets management, and runtime security for production-grade hardened deployments.
When to Use This Skill
- Implementing Pod Security Standards (PSS/PSA) across namespaces
- Designing and enforcing Network Policies for micro-segmentation
- Configuring RBAC with least-privilege access control
- Setting Security Contexts for container hardening
- Deploying admission controllers (OPA/Gatekeeper, Kyverno)
- Managing secrets and sensitive data securely
- Implementing image security and vulnerability scanning
- Enforcing runtime security policies and threat detection
- Meeting compliance requirements (CIS, NIST, PCI-DSS, SOC2)
- Conducting security audits and hardening assessments
Core Security Concepts
Pod Security Standards (PSS):
Three progressive security levels enforced via Pod Security Admission (PSA):
- Privileged: Unrestricted (the default for any namespace that carries no PSA labels)
- Baseline: Prevents known privilege escalations
- Restricted: Pod hardening best practices (production recommended)
Network Policies:
Zero-trust micro-segmentation controlling pod-to-pod and pod-to-external traffic using label selectors and namespace isolation.
RBAC (Role-Based Access Control):
Least-privilege access control using ServiceAccounts, Roles, RoleBindings for namespace-scoped permissions, and ClusterRoles for cluster-wide access.
Security Contexts:
Container and pod-level security settings including user/group IDs, capabilities, seccomp profiles, and filesystem restrictions.
Admission Control:
Policy enforcement at API admission time using OPA Gatekeeper (Rego) or Kyverno (YAML) to validate, mutate, or reject resources.
Secrets Management:
External secret stores (Vault, AWS Secrets Manager) synced into the cluster by an operator such as External Secrets Operator, or Sealed Secrets for secrets that must live in Git, rather than hand-written plaintext Secret manifests.
Image Security:
Vulnerability scanning, signature verification, digest-based immutability, and private registry authentication.
Quick Reference
| Task | Load reference |
|---|---|
| Pod Security Standards (PSS/PSA) | skills/kubernetes-security-policies/references/pod-security-standards.md |
| Network Policies | skills/kubernetes-security-policies/references/network-policies.md |
| RBAC (Roles, ServiceAccounts) | skills/kubernetes-security-policies/references/rbac.md |
| Security Contexts (capabilities, seccomp) | skills/kubernetes-security-policies/references/security-contexts.md |
| Admission Control (OPA, Kyverno) | skills/kubernetes-security-policies/references/admission-control.md |
| Secrets Management (Vault, ESO) | skills/kubernetes-security-policies/references/secrets-management.md |
| Image Security (scanning, signing) | skills/kubernetes-security-policies/references/image-security.md |
| Best Practices & Compliance | skills/kubernetes-security-policies/references/best-practices.md |
Security Implementation Workflow
Phase 1: Baseline Assessment
- Audit current security posture with kube-bench or kubescape
- Identify gaps against CIS Kubernetes Benchmark
- Document compliance requirements (PCI-DSS, NIST, SOC2)
Phase 2: Pod Security Standards
- Enable PSA audit mode on all namespaces
- Identify violations with a server-side dry run: `kubectl label --dry-run=server --overwrite ns --all pod-security.kubernetes.io/enforce=restricted` (the warnings list every existing pod that would be rejected; `--show-labels` only tells you which namespaces are labelled, not which pods violate)
- Remediate workloads to meet baseline/restricted standards
- Progressively tighten: warn and audit first, then enforce baseline, then enforce restricted, rolling each step out dev → staging → prod
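An added example (not code from the original page or from any project) that wires the Phase 2 steps together: a namespace that enforces baseline immediately while auditing and warning on restricted, followed by a Pod that already satisfies restricted, with each security-context field annotated against the control it satisfies. The same Pod also answers the Pod Security items under Common Mistakes. The namespace `payments`, the registry path, the UID and the version pin are assumptions.

```yaml
# Added example, not from the original page. Preview the blast radius before
# tightening (server-side dry run reports every pod that would be rejected):
#   kubectl label --dry-run=server --overwrite ns payments \
#     pod-security.kubernetes.io/enforce=restricted
apiVersion: v1
kind: Namespace
metadata:
  name: payments                      # assumed namespace
  labels:
    # Reject pods that violate baseline now; report restricted violations in the
    # audit log and as kubectl warnings without blocking them yet.
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: v1.29   # pin to the cluster minor; "latest" drifts on upgrade
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/audit-version: v1.29
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/warn-version: v1.29
---
# A Pod that passes the restricted profile. Comments name the restricted control
# each field satisfies.
apiVersion: v1
kind: Pod
metadata:
  name: payments-api
  namespace: payments
spec:
  automountServiceAccountToken: false   # not a PSS control, but no API token unless the app needs one
  securityContext:
    runAsNonRoot: true                  # restricted: "Running as Non-root"
    runAsUser: 10001                    # fixed non-zero UID (assumed); avoids relying on the image's USER
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault              # restricted: seccomp must be RuntimeDefault or Localhost
  containers:
  - name: api
    image: registry.example.internal/payments/api@sha256:<digest>   # placeholder digest; pin, do not tag
    securityContext:
      allowPrivilegeEscalation: false   # restricted: must be explicitly false
      privileged: false                 # baseline: no privileged containers
      readOnlyRootFilesystem: true      # not required by PSS, but removes a whole class of tampering
      capabilities:
        drop: ["ALL"]                   # restricted: drop ALL; only NET_BIND_SERVICE may be added back
    ports:
    - containerPort: 8080
    resources:                          # not a PSS control either; see LimitRange/ResourceQuota
      limits:
        cpu: "500m"
        memory: "256Mi"
    volumeMounts:
    - name: tmp
      mountPath: /tmp
  volumes:
  - name: tmp
    emptyDir: {}                        # writable scratch space because the root filesystem is read-only
```

Apply the namespace first and watch for `Warning:` lines on subsequent `kubectl apply` calls; once no workload in the namespace triggers a warning, change `enforce` to `restricted`. Note that resource limits and `readOnlyRootFilesystem` are good practice but are not part of any PSS level, so PSA alone will not catch their absence.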
Phase 3: Network Segmentation
- Deploy default-deny NetworkPolicy to all namespaces
- Create explicit allow rules for required traffic flows
- Implement database isolation policies
- Add monitoring/observability exceptions
Phase 4: Access Control (RBAC)
- Audit existing RBAC with `kubectl auth can-i --list` (add `--as=system:serviceaccount:<namespace>:<name>` to test a ServiceAccount instead of your own identity)
- Create dedicated ServiceAccounts per application
- Define least-privilege Roles with specific resource/verb restrictions
- Disable `automountServiceAccountToken` by default
- Minimize ClusterRole usage
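An added example (not from the original page) of the Phase 4 steps applied to one application: a dedicated ServiceAccount with token automount off, a namespace-scoped Role narrowed to a single ConfigMap and a single verb, the RoleBinding, and a Deployment that mounts a short-lived, audience-bound token explicitly because this workload genuinely talks to the API. Names, the image tag and the audience value are assumptions.

```yaml
# Added example, not from the original page. After applying, confirm the SA can do
# nothing beyond the one read (impersonation is what makes can-i test the SA, not you):
#   kubectl auth can-i --list --as=system:serviceaccount:payments:payments-api -n payments
apiVersion: v1
kind: ServiceAccount
metadata:
  name: payments-api
  namespace: payments
automountServiceAccountToken: false      # pods using this SA get no token unless they ask for one
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: payments-api-config-reader
  namespace: payments
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["payments-api-config"] # one object, not every ConfigMap in the namespace
  verbs: ["get"]                         # no list/watch/update/delete, never "*"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: payments-api-config-reader
  namespace: payments
subjects:
- kind: ServiceAccount
  name: payments-api
  namespace: payments
roleRef:
  kind: Role                             # Role, not ClusterRole: the grant cannot leak across namespaces
  name: payments-api-config-reader
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: payments-api
  namespace: payments
spec:
  replicas: 2
  selector:
    matchLabels: { app: payments-api }
  template:
    metadata:
      labels: { app: payments-api }
    spec:
      serviceAccountName: payments-api
      automountServiceAccountToken: false   # keep it off at pod level too; mount a bound token on purpose
      containers:
      - name: api
        image: registry.example.internal/payments/api:1.4.2
        volumeMounts:
        - name: sa-token
          mountPath: /var/run/secrets/kubernetes.io/serviceaccount   # client libraries look here
          readOnly: true
      volumes:
      - name: sa-token
        projected:
          sources:
          - serviceAccountToken:
              path: token
              expirationSeconds: 3600        # rotated by the kubelet; a stolen token dies within the hour
              audience: https://kubernetes.default.svc   # assumed API-server audience
          - configMap:
              name: kube-root-ca.crt         # present in every namespace on current clusters
              items:
              - key: ca.crt
                path: ca.crt
          - downwardAPI:
              items:
              - path: namespace
                fieldRef:
                  fieldPath: metadata.namespace
```

The projected volume reproduces the three files the default automount would have created, but with an expiring, audience-scoped token instead of a long-lived one. Workloads that never call the API should simply omit the volume.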
Phase 5: Admission Control
- Choose policy engine: OPA Gatekeeper (Rego) or Kyverno (YAML)
- Implement validation policies: require labels, resource limits, non-root
- Add mutation policies: inject security contexts, sidecar containers
- Enforce image policies: disallow latest tag, require signatures
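An added example (not from the original page or from Kyverno's own policy library) showing the three policy kinds listed above in Kyverno: two validation rules (image tag present and not `latest`, `runAsNonRoot` set), and one mutation that injects a default seccomp profile. The policies start in `Audit` so that reports are produced before anything is blocked, and exclude `kube-system` so cluster components are never affected. Policy names and the excluded namespace are assumptions.

```yaml
# Added example, not from the original page. Review policy reports first:
#   kubectl get policyreport -A
# then switch validationFailureAction to Enforce once the reports are clean.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-latest-tag
spec:
  validationFailureAction: Audit     # Audit first, Enforce later
  background: true                   # also scan existing resources, not only new admissions
  rules:
  - name: require-image-tag
    match:
      any:
      - resources:
          kinds: ["Pod"]
    exclude:
      any:
      - resources:
          namespaces: ["kube-system"]   # exemption for system components
    validate:
      message: "An explicit image tag or digest is required."
      pattern:
        spec:
          containers:                   # repeat for initContainers and ephemeralContainers in practice
          - image: "*:*"                # matches repo:tag and repo@sha256:digest alike
  - name: validate-image-tag
    match:
      any:
      - resources:
          kinds: ["Pod"]
    exclude:
      any:
      - resources:
          namespaces: ["kube-system"]
    validate:
      message: "Mutable tag 'latest' is not allowed; pin a version or a digest."
      pattern:
        spec:
          containers:
          - image: "!*:latest"
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-run-as-nonroot
spec:
  validationFailureAction: Audit
  background: true
  rules:
  - name: run-as-non-root
    match:
      any:
      - resources:
          kinds: ["Pod"]
    validate:
      message: "runAsNonRoot: true must be set at pod level or on every container."
      anyPattern:                       # either form satisfies the rule
      - spec:
          securityContext:
            runAsNonRoot: true
      - spec:
          containers:
          - securityContext:
              runAsNonRoot: true
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-default-seccomp
spec:
  rules:
  - name: add-runtime-default-seccomp
    match:
      any:
      - resources:
          kinds: ["Pod"]
    exclude:
      any:
      - resources:
          namespaces: ["kube-system"]
    mutate:
      patchStrategicMerge:
        spec:
          securityContext:
            +(seccompProfile):          # "+()" anchor: add only when the field is absent, never overwrite
              +(type): RuntimeDefault
```

Mutation runs before validation in the admission chain, so a pod that omitted `seccompProfile` is patched and then validated in its patched form. Keep mutations conservative (add-if-absent anchors as above); a mutation that overwrites an explicit setting hides intent and surprises the team that wrote the manifest.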
Phase 6: Secrets Management
- Deploy External Secrets Operator or Vault integration
- Migrate native Secrets to external secret stores
- Enable encryption at rest for etcd
- Implement secret rotation policies
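An added example (not from the original page) covering the Phase 6 steps end to end: an External Secrets Operator `SecretStore` backed by Vault's Kubernetes auth method, an `ExternalSecret` that materialises one key with a refresh interval that doubles as the rotation hook, a Pod consuming it as a read-only file, and the kube-apiserver `EncryptionConfiguration` that encrypts Secrets at rest in etcd. Vault address, mount names, the KV path and the placeholder key are assumptions.

```yaml
# Added example, not from the original page.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: vault-kv
  namespace: payments
spec:
  provider:
    vault:
      server: "https://vault.example.internal:8200"   # assumed
      path: "secret"                 # KV mount
      version: "v2"
      auth:
        kubernetes:                  # ESO authenticates with a SA token; no static Vault token stored in-cluster
          mountPath: "kubernetes"
          role: "payments-api"       # Vault role bound to this SA (assumed)
          serviceAccountRef:
            name: payments-api
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: payments-db
  namespace: payments
spec:
  refreshInterval: 1h                # rotation: a new value in Vault lands in the cluster within an hour
  secretStoreRef:
    name: vault-kv
    kind: SecretStore
  target:
    name: payments-db                # the Kubernetes Secret ESO creates and owns
    creationPolicy: Owner
  data:
  - secretKey: password
    remoteRef:
      key: payments/db               # secret/data/payments/db in KV v2 (assumed path)
      property: password
---
# Consume as a file, not an environment variable (see Common Mistakes).
apiVersion: v1
kind: Pod
metadata:
  name: payments-api
  namespace: payments
spec:
  serviceAccountName: payments-api
  containers:
  - name: api
    image: registry.example.internal/payments/api:1.4.2
    volumeMounts:
    - name: db-creds
      mountPath: /etc/payments/secrets   # app reads /etc/payments/secrets/password and re-reads on change
      readOnly: true
  volumes:
  - name: db-creds
    secret:
      secretName: payments-db
      defaultMode: 0400
---
# Control-plane file, not a cluster object. Referenced by the API server with
#   --encryption-provider-config=/etc/kubernetes/enc.yaml
# Generate the key:  head -c 32 /dev/urandom | base64
# After enabling, rewrite existing Secrets so they are stored encrypted:
#   kubectl get secrets --all-namespaces -o json | kubectl replace -f -
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- resources: ["secrets"]
  providers:
  - secretbox:
      keys:
      - name: key-2024-06
        secret: REPLACE_WITH_BASE64_32_BYTES   # placeholder; keep the real key off the repo
  - identity: {}                     # last, so objects not yet rewritten can still be read
```

The at-rest key itself is the weak point of this design: anyone who can read the control-plane node's filesystem has both etcd and the key. Where a cloud KMS is available, the `kms` provider delegates that key to the KMS instead of a file on disk.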
Phase 7: Image Security
- Integrate vulnerability scanning in CI/CD (Trivy, Snyk)
- Implement image signing with Sigstore/Cosign
- Enforce signature verification via admission control
- Use immutable image digests instead of tags
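An added example (not from the original page or from Kyverno's policy library) of Phase 7 on the cluster side: a Kyverno `verifyImages` rule that admits images from an internal registry only when they carry a Sigstore keyless signature from one CI workflow identity, and rewrites tags to the verified digest on admission, followed by a Deployment that already pins a digest. The CI-side scan and sign commands are shown as comments. The registry, the GitHub workflow identity and the digest placeholder are assumptions.

```yaml
# Added example, not from the original page. CI steps that precede this (assumed):
#   trivy image --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed \
#     registry.example.internal/payments/api@sha256:<digest>
#   cosign sign --yes registry.example.internal/payments/api@sha256:<digest>
# Manual check of what admission will verify:
#   cosign verify \
#     --certificate-identity-regexp '^https://github.com/example-org/payments-api/.github/workflows/release.yaml@refs/tags/.*$' \
#     --certificate-oidc-issuer https://token.actions.githubusercontent.com \
#     registry.example.internal/payments/api@sha256:<digest>
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-image-signatures
spec:
  validationFailureAction: Enforce
  webhookTimeoutSeconds: 30          # verification talks to the registry and Rekor; give it headroom
  failurePolicy: Fail                # an outage must not silently admit unverified pods
  rules:
  - name: verify-keyless-signature
    match:
      any:
      - resources:
          kinds: ["Pod"]
          namespaces: ["payments"]   # scope first; widen once the rule is proven
    verifyImages:
    - imageReferences:
      - "registry.example.internal/payments/*"
      required: true                 # an image with no signature is rejected, not ignored
      mutateDigest: true             # rewrite tag references to the verified digest
      verifyDigest: true             # reject references that still lack a digest after mutation
      attestors:
      - count: 1
        entries:
        - keyless:
            subject: "https://github.com/example-org/payments-api/.github/workflows/release.yaml@refs/tags/*"
            issuer: "https://token.actions.githubusercontent.com"
            rekor:
              url: https://rekor.sigstore.dev
---
# Reference the image by digest so that what was scanned and signed is exactly what runs.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: payments-api
  namespace: payments
spec:
  replicas: 2
  selector:
    matchLabels: { app: payments-api }
  template:
    metadata:
      labels: { app: payments-api }
    spec:
      containers:
      - name: api
        image: registry.example.internal/payments/api@sha256:<digest>   # placeholder digest
```

The `subject` binds trust to a specific workflow file and tag refs, not to the whole GitHub organisation; a signature produced by a developer's laptop or a different workflow in the same repository fails verification. Pin `subject` as tightly as your release process allows, because it is the effective trust root.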
Phase 8: Runtime Security
- Deploy Falco for runtime threat detection
- Enable Kubernetes audit logging
- Configure alerts for security events
- Implement intrusion detection policies
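An added example (not from the original page) for Phase 8: an API-server audit `Policy` that records who touched Secrets and RBAC without writing secret bodies into the log, captures `exec`/`attach`/token requests in full, drops health-check noise, and a custom Falco rule that alerts on an interactive shell inside a container of one namespace. The macros `spawned_process`, `container` and `shell_procs` come from Falco's default ruleset; the file paths, namespace and alert wording are assumptions.

```yaml
# Added example, not from the original page. kube-apiserver flags (assumed paths):
#   --audit-policy-file=/etc/kubernetes/audit-policy.yaml
#   --audit-log-path=/var/log/kubernetes/audit.log --audit-log-maxage=30
apiVersion: audit.k8s.io/v1
kind: Policy
omitStages: ["RequestReceived"]          # one event per request, emitted on completion
rules:
# Secrets and ConfigMaps: who/what/when only. RequestResponse here would copy
# secret values into the audit log.
- level: Metadata
  resources:
  - group: ""
    resources: ["secrets", "configmaps"]
# RBAC changes: full request and response bodies, they are the privilege trail.
- level: RequestResponse
  resources:
  - group: "rbac.authorization.k8s.io"
    resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]
# Interactive access and token minting: full bodies, these are the incident-response gold.
- level: RequestResponse
  verbs: ["create"]
  resources:
  - group: ""
    resources: ["pods/exec", "pods/attach", "pods/portforward", "serviceaccounts/token"]
# Drop high-volume, low-value traffic.
- level: None
  users: ["system:kube-proxy"]
  verbs: ["watch"]
  resources:
  - group: ""
    resources: ["endpoints", "services"]
  - group: "discovery.k8s.io"
    resources: ["endpointslices"]
- level: None
  nonResourceURLs: ["/healthz*", "/readyz*", "/livez*", "/version"]
# Catch-all so nothing is silently unlogged.
- level: Metadata
---
# Falco rules fragment, e.g. /etc/falco/rules.d/payments.yaml (assumed path).
- rule: Interactive Shell in Payments Container
  desc: A shell with a TTY was spawned inside a container in the payments namespace
  condition: >
    spawned_process and container and shell_procs and proc.tty != 0
    and k8s.ns.name = "payments"
  output: >
    Interactive shell in payments pod (user=%user.name pod=%k8s.pod.name
    container=%container.name image=%container.image.repository
    cmd=%proc.cmdline parent=%proc.pname)
  priority: WARNING
  tags: [container, shell, mitre_execution]
```

The two sources are complementary: the audit log shows that an identity called `pods/exec` on a pod, while Falco shows what process the container then ran. Correlating the two on pod name and timestamp is the fastest route from an alert to an answer.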
Common Mistakes
Pod Security:
- Running containers as root (always set `runAsNonRoot: true` and a fixed non-zero `runAsUser`)
- Using privileged containers (avoid unless absolutely necessary)
- Writable root filesystem (set `readOnlyRootFilesystem: true` and mount an `emptyDir` for paths the process must write)
- Missing resource limits (not checked by any PSS level; enforce them with LimitRange/ResourceQuota or an admission policy)
Network Policies:
- No default-deny policy (unrestricted pod-to-pod traffic)
- Overly permissive egress rules (allow all external traffic)
- Forgetting DNS egress (pods can't resolve names)
- Missing monitoring/observability exceptions
RBAC:
- Overly broad ClusterRole permissions (violates least privilege)
- Sharing ServiceAccounts across applications
- Using wildcard (`*`) verbs or resources in Roles
- Not auditing RBAC permissions regularly
Secrets:
- Committing secrets to Git repositories
- Using environment variables instead of mounted files (inherited by every child process and exposed in crash dumps and `/proc/<pid>/environ`)
- Relying on base64 encoding as encryption
- No secret rotation policy
Admission Control:
- Enforcing policies without audit phase first
- Blocking kube-system namespace accidentally
- No policy testing in staging environment
- Missing exemptions for system components
Images:
- Using the `latest` tag (not immutable, breaks reproducibility)
- No vulnerability scanning in CI/CD
- Unsigned images in production
- Large base images (use distroless or Alpine)
Resources