Kubernetes Security
Security for Kubernetes clusters — from RBAC and network policies to secrets management and vulnerability scanning.
Sections
- RBAC — Role-based access control, ClusterRoles, ServiceAccounts
- Network Policies — K8s network segmentation, zero-trust networking
- Pod Security — Pod Security Standards, security contexts, PSP migration
- Secrets Management — Sealed Secrets, Vault, AWS Secrets Manager, External Secrets Operator (ESO)
- Vulnerability Scanning — Trivy, Grype, Snyk, admission control
Core Principles
- Least privilege — RBAC with minimal permissions
- Defense in depth — Network policies + pod security + secrets encryption
- Immutable workloads — No privileged containers, read-only root filesystems
- Scan everything — Container images, Helm charts, K8s YAML
- Log everything — Audit logs, API server logs, node logs
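Least privilege in RBAC terms means a dedicated ServiceAccount per workload, a namespaced Role listing only the resources and verbs the workload calls, and no API token mounted into pods that never talk to the API server. The manifests below are an added example, not content from this vault or from any upstream project; the namespace `payments`, the ServiceAccount `orders-reader`, the Role and binding names are all assumed. The commented-out block at the top is the anti-pattern that shows up most often in cluster audits: a workload identity bound cluster-wide to `cluster-admin`.

```yaml
# Weak configuration (kept only for contrast, do not apply): one ClusterRoleBinding
# turns the namespace's default ServiceAccount into a full cluster administrator.
# apiVersion: rbac.authorization.k8s.io/v1
# kind: ClusterRoleBinding
# metadata:
#   name: orders-admin
# roleRef:
#   apiGroup: rbac.authorization.k8s.io
#   kind: ClusterRole
#   name: cluster-admin
# subjects:
#   - kind: ServiceAccount
#     name: default
#     namespace: payments
---
# Corrected: a dedicated identity with token automount off by default.
# A pod that really needs the API opts in with spec.automountServiceAccountToken: true,
# which overrides the ServiceAccount-level setting.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: orders-reader          # assumed name
  namespace: payments          # assumed namespace
automountServiceAccountToken: false
---
# Namespaced Role: only ConfigMaps, only read verbs, no wildcards.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: configmap-reader       # assumed name
  namespace: payments
rules:
  - apiGroups: [""]            # "" is the core API group (ConfigMaps, Secrets, Pods, ...)
    resources: ["configmaps"]
    verbs: ["get", "list", "watch"]
---
# RoleBinding (not ClusterRoleBinding) keeps the grant inside the namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: orders-reader-configmaps   # assumed name
  namespace: payments
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: configmap-reader
subjects:
  - kind: ServiceAccount
    name: orders-reader
    namespace: payments
```

Check the result from the identity's point of view rather than by reading the YAML: `kubectl auth can-i get configmaps -n payments --as=system:serviceaccount:payments:orders-reader` should answer `yes`, while the same command with `list secrets` or with `-n kube-system` should answer `no`. Where a workload reads a single object, `resourceNames` can narrow the `get` verb further; `list` and `watch` are not restricted by `resourceNames` in the same way, so do not rely on it for those verbs.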
Key Security Controls
| Layer | Control | Tool/Feature |
|---|---|---|
| API Server | RBAC | Role, ClusterRole, RoleBinding |
| Network | Segmentation | NetworkPolicy |
| Pod | Runtime security | Pod Security Admission (Pod Security Standards), SecurityContext |
| Data | Secrets encryption | etcd encryption at rest (KMS), Sealed Secrets, Vault |
| Images | Vulnerability scanning | Trivy, Grype |
| Admission | Policy enforcement | OPA Gatekeeper, Kyverno |
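The Pod-layer controls in the table only hold if something rejects manifests that omit them, which is the Admission row's job. The policy below is an added example written for this page, not a policy shipped by Kyverno or taken from the vault; the policy name and the `kube-system` exclusion are assumptions. It enforces the same container settings as the securityContext example further down: non-root, read-only root filesystem, no privilege escalation, not privileged, and all capabilities dropped.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: eks-restricted-containers        # assumed policy name
spec:
  validationFailureAction: Enforce       # roll out as Audit first, then flip to Enforce
  background: true                       # also report existing pods that violate, not only new ones
  rules:
    # Rule 1: securityContext fields checked on every container. initContainers are
    # included because they are a common way around container-only checks.
    - name: container-security-context
      match:
        any:
          - resources:
              kinds: [Pod]
      exclude:
        any:
          - resources:
              namespaces: [kube-system]  # assumed: cluster add-ons are governed separately
      validate:
        message: >-
          Containers must set runAsNonRoot=true, readOnlyRootFilesystem=true,
          allowPrivilegeEscalation=false and must not be privileged.
        pattern:
          spec:
            =(initContainers):           # =( ) means: only checked if the field is present
              - securityContext:
                  runAsNonRoot: true
                  readOnlyRootFilesystem: true
                  allowPrivilegeEscalation: false
                  =(privileged): false
            containers:
              - securityContext:
                  runAsNonRoot: true
                  readOnlyRootFilesystem: true
                  allowPrivilegeEscalation: false
                  =(privileged): false
    # Rule 2: capabilities.drop must contain ALL. A pattern cannot express
    # "list contains", so iterate the containers and deny when ALL is missing.
    - name: drop-all-capabilities
      match:
        any:
          - resources:
              kinds: [Pod]
      exclude:
        any:
          - resources:
              namespaces: [kube-system]
      validate:
        message: "Containers must drop ALL capabilities."
        foreach:
          - list: "request.object.spec.[initContainers, containers][]"
            deny:
              conditions:
                all:
                  - key: ALL
                    operator: AnyNotIn
                    value: "{{ element.securityContext.capabilities.drop[] || `[]` }}"
```

Two caveats when adapting it. Rule 1 requires `runAsNonRoot: true` on each container and does not accept the pod-level setting alone; if you want either location to satisfy the rule, use an `anyPattern` with both forms, as Kyverno's own require-run-as-nonroot policy does. With `background: true`, existing violating pods appear in the PolicyReport objects (`kubectl get policyreport -A`), which is the cheapest way to measure what Enforce would break before turning it on. The built-in alternative for the same Pod-layer controls is Pod Security Admission: label the namespace with `pod-security.kubernetes.io/enforce: restricted` and the API server applies the restricted profile without any extra controller.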
Your EKS Environment
For your EKS clusters:
```yaml
# Pod security context example (pod spec fragment).
# fsGroup exists only at pod level; readOnlyRootFilesystem and capabilities exist only at
# container level; the runAs* fields may be set at either level (container overrides pod).
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 10000
    runAsGroup: 10000
    fsGroup: 10000
  containers:
    - name: app
      image: example.com/app:1.0        # placeholder image
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: [ALL]
```

```yaml
# Network policy - default deny for every pod in the namespace it is created in.
# Caveat: listing Egress also blocks DNS to kube-dns (UDP/TCP 53), so pair this with an
# explicit allow-egress policy for DNS and for each upstream the workload needs.
# On EKS, NetworkPolicy is only enforced when the CNI supports it (VPC CNI with
# network policy enabled, or Calico/Cilium).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
```
Existing Vault Content
Your vault already has extensive K8s security content:
- Kubernetes/eks/security/ — EKS-specific security
- Kubernetes/concepts/security.md — K8s security concepts
- Kubernetes/guides/README.md — Image security
Related
- Falco — Runtime security for K8s
- DevSecOps — Shift-left security in CI/CD
- Wazuh K8s Integration