nickcrew/kubernetes-security-policies

Kubernetes Security Policies

Comprehensive guidance for implementing security policies in Kubernetes clusters, covering Pod Security Standards, Network Policies, RBAC, Security Contexts, admission control, secrets management, and runtime security for production-grade hardened deployments.

When to Use This Skill

• Implementing Pod Security Standards (PSS/PSA) across namespaces
• Designing and enforcing Network Policies for micro-segmentation
• Configuring RBAC with least-privilege access control
• Setting Security Contexts for container hardening
• Deploying admission controllers (OPA/Gatekeeper, Kyverno)
• Managing secrets and sensitive data securely
• Implementing image security and vulnerability scanning
• Enforcing runtime security policies and threat detection
• Meeting compliance requirements (CIS, NIST, PCI-DSS, SOC2)
• Conducting security audits and hardening assessments

Core Security Concepts

Pod Security Standards (PSS): Three progressive security levels enforced via Pod Security Admission (PSA):

• Privileged: Unrestricted (default)
• Baseline: Prevents known privilege escalations
• Restricted: Pod hardening best practices (production recommended)

Network Policies: Zero-trust micro-segmentation controlling pod-to-pod and pod-to-external traffic using label selectors and namespace isolation.

RBAC (Role-Based Access Control): Least-privilege access control using ServiceAccounts, Roles, RoleBindings for namespace-scoped permissions, and ClusterRoles for cluster-wide access.

Security Contexts: Container and pod-level security settings including user/group IDs, capabilities, seccomp profiles, and filesystem restrictions.

Admission Control: Policy enforcement at API admission time using OPA Gatekeeper (Rego) or Kyverno (YAML) to validate, mutate, or reject resources.

Secrets Management: External secret storage integration (Vault, AWS Secrets Manager, Sealed Secrets) instead of native Kubernetes secrets.

Image Security: Vulnerability scanning, signature verification, digest-based immutability, and private registry authentication.

Quick Reference

| Task | Load reference | | --- | --- | | Pod Security Standards (PSS/PSA) | skills/kubernetes-security-policies/references/pod-security-standards.md | | Network Policies | skills/kubernetes-security-policies/references/network-policies.md | | RBAC (Roles, ServiceAccounts) | skills/kubernetes-security-policies/references/rbac.md | | Security Contexts (capabilities, seccomp) | skills/kubernetes-security-policies/references/security-contexts.md | | Admission Control (OPA, Kyverno) | skills/kubernetes-security-policies/references/admission-control.md | | Secrets Management (Vault, ESO) | skills/kubernetes-security-policies/references/secrets-management.md | | Image Security (scanning, signing) | skills/kubernetes-security-policies/references/image-security.md | | Best Practices & Compliance | skills/kubernetes-security-policies/references/best-practices.md |

Security Implementation Workflow

Phase 1: Baseline Assessment

1. Audit current security posture with kube-bench or kubescape
2. Identify gaps against CIS Kubernetes Benchmark
3. Document compliance requirements (PCI-DSS, NIST, SOC2)

Phase 2: Pod Security Standards

1. Enable PSA audit mode on all namespaces
2. Identify violations using kubectl get pods -A --show-labels
3. Remediate workloads to meet baseline/restricted standards
4. Progressively enforce: dev (warn) → staging (baseline) → prod (restricted)

Phase 3: Network Segmentation

1. Deploy default-deny NetworkPolicy to all namespaces
2. Create explicit allow rules for required traffic flows
3. Implement database isolation policies
4. Add monitoring/observability exceptions

Phase 4: Access Control (RBAC)

1. Audit existing RBAC with kubectl auth can-i --list
2. Create dedicated ServiceAccounts per application
3. Define least-privilege Roles with specific resource/verb restrictions
4. Disable automountServiceAccountToken by default
5. Minimize ClusterRole usage

Phase 5: Admission Control

1. Choose policy engine: OPA Gatekeeper (Rego) or Kyverno (YAML)
2. Implement validation policies: require labels, resource limits, non-root
3. Add mutation policies: inject security contexts, sidecar containers
4. Enforce image policies: disallow latest tag, require signatures

Phase 6: Secrets Management

1. Deploy External Secrets Operator or Vault integration
2. Migrate native Secrets to external secret stores
3. Enable encryption at rest for etcd
4. Implement secret rotation policies

Phase 7: Image Security

1. Integrate vulnerability scanning in CI/CD (Trivy, Snyk)
2. Implement image signing with Sigstore/Cosign
3. Enforce signature verification via admission control
4. Use immutable image digests instead of tags

Phase 8: Runtime Security

1. Deploy Falco for runtime threat detection
2. Enable Kubernetes audit logging
3. Configure alerts for security events
4. Implement intrusion detection policies

Common Mistakes

Pod Security:

• Running containers as root (always set runAsNonRoot: true)
• Using privileged containers (avoid unless absolutely necessary)
• Writable root filesystem (set readOnlyRootFilesystem: true)
• Missing resource limits (required for restricted PSS)

Network Policies:

• No default-deny policy (unrestricted pod-to-pod traffic)
• Overly permissive egress rules (allow all external traffic)
• Forgetting DNS egress (pods can't resolve names)
• Missing monitoring/observability exceptions

RBAC:

• Overly broad ClusterRole permissions (violates least privilege)
• Sharing ServiceAccounts across applications
• Using * verbs or resources in Roles
• Not auditing RBAC permissions regularly

Secrets:

• Committing secrets to Git repositories
• Using environment variables instead of mounted files
• Relying on base64 encoding as encryption
• No secret rotation policy

Admission Control:

• Enforcing policies without audit phase first
• Blocking kube-system namespace accidentally
• No policy testing in staging environment
• Missing exemptions for system components

Images:

• Using latest tag (not immutable, breaks reproducibility)
• No vulnerability scanning in CI/CD
• Unsigned images in production
• Large base images (use distroless or Alpine)

Resources

• Pod Security Standards: https://kubernetes.io/docs/concepts/security/pod-security-standards/
• Network Policies: https://kubernetes.io/docs/concepts/services-networking/network-policies/
• RBAC: https://kubernetes.io/docs/reference/access-authn-authz/rbac/
• OPA Gatekeeper: https://open-policy-agent.github.io/gatekeeper/
• Kyverno: https://kyverno.io/docs/
• External Secrets Operator: https://external-secrets.io/
• Falco Runtime Security: https://falco.org/docs/
• CIS Benchmarks: https://www.cisecurity.org/benchmark/kubernetes
• NSA/CISA Hardening Guide: https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF