🔐 Kubernetes Security: Best Practices and Implementation

Kubernetes Security: Protecting Your Cluster and Applications

In this advanced tutorial, we’ll dive deep into Kubernetes security practices and implementations that every DevOps engineer should know.

What We’ll Cover

  1. Role-Based Access Control (RBAC)
  2. Pod Security Policies
  3. Network Policies
  4. Security Context and Pod Security Standards
  5. Secret Management
  6. Security Scanning Tools

Prerequisites

  • Working knowledge of Kubernetes
  • Access to a Kubernetes cluster (we’ll use Kind)
  • Basic understanding of security concepts

RBAC Implementation

First, let’s create a restrictive role for developers:

# developer-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: development
  name: developer
rules:
- apiGroups: [""]
  resources: ["pods", "services"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch"]

Binding the role to users:

# role-binding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: developer-binding
  namespace: development
subjects:
- kind: User
  name: jane
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: developer
  apiGroup: rbac.authorization.k8s.io

Network Policies

Implementing a default deny policy:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress

Allow specific traffic:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow
spec:
  podSelector:
    matchLabels:
      app: api
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8080

Pod Security Standards

Implementing Pod Security Standards:

apiVersion: v1
kind: Namespace
metadata:
  name: secure-ns
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted

Security Context Example

apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 2000
  containers:
  - name: secure-container
    image: nginx
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL

Implementing Secret Management

Using sealed secrets with Bitnami’s sealed-secrets controller:

apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: mysecret
spec:
  encryptedData:
    config.yaml: <encrypted-data>

Security Scanning

Setting up Trivy for vulnerability scanning:

apiVersion: batch/v1
kind: CronJob
metadata:
  name: trivy-scan
spec:
  schedule: "0 0 * * *"
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - name: trivy
            image: aquasec/trivy
            args:
              - image
              - --severity
              - HIGH,CRITICAL
              - nginx:latest

Best Practices Checklist

  1. Access Control:
    • Implement RBAC
    • Use service accounts
    • Regular access review
  2. Network Security:
    • Default deny policies
    • Segment network access
    • Use TLS everywhere
  3. Pod Security:
    • Non-root users
    • Read-only root filesystem
    • Drop capabilities
  4. Monitoring:
    • Audit logging
    • Security scanning
    • Alert configuration

Video Resources

Security Deep Dives

Implementation Guides

Advanced Topics

Additional Resources

Written on July 30, 2025