L07 — Security

Five concerns that all get called “Kubernetes security”:

  1. Who can talk to the API (authentication, RBAC, ServiceAccounts)
  2. What a pod is allowed to do (SecurityContext, Pod Security Standards, NetworkPolicy — see L04)
  3. Encrypting data in transit and at rest (TLS / mTLS, etcd encryption, Secret encryption, SPIFFE)
  4. What code/images are allowed to run (admission control, image hardening, signing, OPA / Kyverno)
  5. Detecting the bad things that got through (audit logging, runtime detection, seccomp / AppArmor, runtime sandboxing)

This level covers all five.

What you’ll understand after this level

  • The authN / authZ split — who are you, what can you do, the apiserver’s pipeline
  • RBAC — Role, ClusterRole, RoleBinding, ClusterRoleBinding, the verbs, the subresources, the aggregation model
  • ServiceAccounts — workload identity, bound tokens, IRSA / Pod Identity, automount
  • Certificates and PKI — the cluster CA, the front-proxy CA, the SA signing key, kubelet cert rotation
  • TLS / mTLS — control plane mTLS, in-cluster mTLS via service mesh, SPIFFE / SPIRE workload identity
  • Admission control — the mutating / validating pipeline, built-in plugins, dynamic webhooks
  • Policy engines — PSS (built-in), OPA / Gatekeeper, Kyverno — the three options
  • Encryption at rest — etcd encryption (KMS-backed), Secret encryption
  • Audit logging — the apiserver’s forensic record, the policy, the stages
  • Workload sandboxing — seccomp, AppArmor, gVisor, Kata Containers
  • Runtime detection — Falco, Tetragon, eBPF-based observability
  • Image hardening — distroless, scratch, multi-stage builds, scanning, signing
  • SBOMs — SPDX / CycloneDX, generation, signing, VEX, cluster-wide vulnerability monitoring
  • Cluster and node hardening — apiserver flags, kubelet config, CIS benchmarks
  • Compliance — NIST 800-190, CIS Kubernetes Benchmark, OWASP k8s Top 10, SLSA, PCI-DSS / SOC2 / HIPAA / FedRAMP

Notes in this level

API access (authN / authZ, RBAC, ServiceAccounts, Certificates)

Note                   Status   What’s in it
──────────────────────────────────────────────────────────
AuthN vs AuthZ                  The split, the chain, OIDC, impersonation, anonymous auth footgun
ServiceAccounts                 Bound tokens, projected volumes, IRSA, automount, default SA footgun
RBAC                            Role/ClusterRole/Binding, verbs, subresources, aggregation, impersonate/escalate
Certificates                    Full cluster PKI, CAs, kubelet cert rotation, front-proxy CA

Workload sandboxing (PSS, SecurityContext, seccomp, AppArmor, runtime)

Note                   Status   What’s in it
──────────────────────────────────────────────────────────
SecurityContext                 Every field, the runAsUser/Group, capabilities, readOnlyRootFilesystem, seccomp
PSS                             The three profiles, enforce/audit/warn, namespace labels, migration cookbook
AppArmor                        Kernel-level filters, RuntimeDefault, Localhost, profile generation
Runtime Sandboxing              gVisor, Kata Containers, RuntimeClass, performance / compatibility tradeoffs
Runtime Detection               Falco, Tetragon, eBPF, the philosophy (detect vs prevent)
Image Hardening                 distroless, scratch, multi-stage, vulnerability scanning, image signing, SBOM

Encryption and identity in transit (TLS, mTLS, SPIFFE, etcd / Secret encryption)

Note                   Status   What’s in it
──────────────────────────────────────────────────────────
mTLS                            TLS handshake, mTLS, in-cluster mTLS, cert rotation, the cluster CA bundle
SPIRE                           Workload identity, SVIDs, the trust bundle, service-mesh mTLS
etcd Encryption                 EncryptionConfiguration, KMS providers, envelope encryption, key rotation
Secret Encryption               The three states (at rest, in transit, in use), external managers, ESO, sealed-secrets, SOPS

Admission control and policy engines

Note                   Status   What’s in it
──────────────────────────────────────────────────────────
Admission Controllers           The mutating/validating pipeline, built-in plugins, dynamic webhooks, side effects
Gatekeeper                      Rego policies, ConstraintTemplates, audit mode, multi-system policy
Kyverno                         YAML policies, validate/mutate/generate, image signature verification, CEL
SBOMs                           SPDX / CycloneDX formats, generation, signing, VEX, k8s cluster scanning, regulatory context

Audit and operations

Note                   Status   What’s in it
──────────────────────────────────────────────────────────
Audit Logging                   The audit policy, log levels (Metadata / Request / RequestResponse), stages, backends
Cluster Hardening               Apiserver flags, etcd, kubelet, control plane lockdown
Node Hardening                  Host OS, container runtime, kernel parameters, kubelet config in depth

Compliance

Note                   Status   What’s in it
──────────────────────────────────────────────────────────
Compliance Frameworks           NIST 800-190, CIS Kubernetes Benchmark, OWASP k8s Top 10, SLSA, PCI-DSS/SOC2/HIPAA/FedRAMP

Overview

Note                   Status   What’s in it
──────────────────────────────────────────────────────────
Security Overview               The L07 hub: the five concerns, the defense-in-depth stack, the threat model, the checklist

Suggested reading order

Path 1: API access (the foundation)

  1. AuthN vs AuthZ — the conceptual split
  2. ServiceAccounts — the workload identity
  3. RBAC — the authorization model
  4. Certificates — the PKI
  5. mTLS — transport security
  6. SPIRE — workload identity for service mesh

Path 2: Workload hardening (what pods are allowed to do)

  1. SecurityContext — per-container knobs
  2. PSS — apply it cluster-wide
  3. AppArmor — kernel-level filters
  4. Image Hardening — what code can run
  5. SBOMs — what’s in the image, with signatures
  6. Admission Controllers — where policy is enforced
  7. Kyverno — k8s-native policies
  8. Gatekeeper — Rego-based policies

Path 3: Encryption and detection

  1. etcd Encryption — at-rest encryption
  2. Secret Encryption — secrets in flight
  3. Audit Logging — the forensic record
  4. Runtime Detection — Falco / Tetragon
  5. Runtime Sandboxing — gVisor / Kata

Path 4: Operations and compliance

  1. Cluster Hardening — control plane
  2. Node Hardening — per-node
  3. Compliance Frameworks — NIST / CIS / OWASP

The “defense in depth” stack

A production cluster has multiple layers of security, each addressing a different threat:

Threat                          Defense
──────────────────────────────────────────────────────────
Unauthorized kubectl            OIDC SSO, RBAC, audit logs
Compromised kubelet             PSS restricted, SecurityContext
Compromised Pod → host          PSS, NetworkPolicy, seccomp, AppArmor
Compromised Pod → DB            NetworkPolicy, mTLS, secrets encryption
Compromised Pod → other Pods    NetworkPolicy, mTLS
Compromised image               Image scanning, signed images, admission
Lateral movement                NetworkPolicy, microsegmentation
Data exfiltration               NetworkPolicy egress, audit logs
Privilege escalation            PSS baseline+, capabilities dropped

No single layer is sufficient. They complement each other.

AWS-specific notes

The EKS-specific versions of these (IRSA, Pod Identity, EKS access entries, GuardDuty) live in EKS Security — they’re concrete implementations of these primitives on AWS.

Where to go next

L08 — Operations: keep things running, debug them, scale them.