Cloud Expert
Kubernetes Security — Hardening¶
KubernetesSecurityRBACPod Security 5 min read
Pod Security Standards, network policies, image scanning a RBAC.
Pod Security Standards¶
apiVersion: v1
kind: Namespace
metadata:
name: production
labels:
pod-security.kubernetes.io/enforce: restricted
runAsNonRoot, drop ALL capabilities, readOnlyRootFilesystem, seccompProfile: RuntimeDefault.
Network Policies¶
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-all
spec:
podSelector: {}
policyTypes: [Ingress, Egress]
Default deny + allow specific = microsegmentation.
Image Security¶
- Distroless/scratch base images
- Trivy scan v CI —
trivy image --severity HIGH,CRITICAL --exit-code 1 - Cosign + Kyverno pro signed images
Summary¶
K8s security = layers: PSS + Network Policies + RBAC + image scanning. Defense in depth.
Need Help with Implementation?¶
Our team has experience designing and implementing modern architectures. We’re happy to help.