Security Overview
Security in Kubernetes is multi-layered, covering authentication, authorization, network security, workload security, and more. Understanding Kubernetes security is essential because clusters often run sensitive workloads and need protection against various threats. Security is not optional—it’s a fundamental requirement for production deployments.
Think of Kubernetes security like a building’s security system. You need locks on doors (authentication), access cards for different areas (authorization), security cameras (audit logging), firewalls (network policies), and safety regulations (pod security). Each layer provides protection, and together they create a comprehensive security posture.
Security Model
Kubernetes security follows a defense-in-depth model with multiple layers:
Each layer provides protection, and a failure in one layer doesn’t compromise the entire system.
Authentication vs Authorization
Understanding the difference is fundamental:
Authentication (AuthN)
Who are you? - Verifies identity
- Client certificates - X.509 certificates
- Bearer tokens - JWT tokens (ServiceAccounts)
- Basic auth - Username/password (deprecated)
Authentication answers: “Is this really who they claim to be?”
Authorization (AuthZ)
What can you do? - Verifies permissions
- RBAC - Role-Based Access Control
- ABAC - Attribute-Based Access Control (deprecated)
- Node authorization - Node-specific permissions
- Webhook authorization - Custom authorization logic
Authorization answers: “Are they allowed to do this?”
RBAC: Role-Based Access Control
RBAC is the primary authorization mechanism in Kubernetes. It controls who can do what:
Roles and ClusterRoles
Roles - Namespace-scoped permissions:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: default
name: pod-reader
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list"]
ClusterRoles - Cluster-scoped permissions:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cluster-admin
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
RoleBindings and ClusterRoleBindings
RoleBindings - Bind roles to subjects in a namespace:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: read-pods
namespace: default
subjects:
- kind: User
name: jane
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: pod-reader
apiGroup: rbac.authorization.k8s.io
ClusterRoleBindings - Bind cluster roles cluster-wide:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cluster-admin-binding
subjects:
- kind: User
name: admin
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: cluster-admin
apiGroup: rbac.authorization.k8s.io
Least Privilege
Follow the principle of least privilege:
- Grant minimum permissions needed
- Use namespaced roles when possible
- Avoid cluster-admin unless necessary
- Regularly review and audit permissions
ServiceAccounts
ServiceAccounts provide identity for pods:
apiVersion: v1
kind: ServiceAccount
metadata:
name: my-serviceaccount
---
apiVersion: v1
kind: Pod
metadata:
name: my-pod
spec:
serviceAccountName: my-serviceaccount
containers:
- name: app
image: my-app:1.0
ServiceAccounts:
- Provide identity for pods
- Enable RBAC for applications
- Mount tokens for API access
- Can be bound to roles
Pod Security
Pods run with security contexts that control:
SecurityContext
spec:
securityContext:
runAsNonRoot: true
runAsUser: 1000
fsGroup: 2000
containers:
- name: app
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
readOnlyRootFilesystem: true
Pod Security Standards
Pod Security Standards provide baseline, restricted, and privileged policies:
apiVersion: v1
kind: Namespace
metadata:
name: my-namespace
labels:
pod-security.kubernetes.io/enforce: restricted
pod-security.kubernetes.io/audit: restricted
pod-security.kubernetes.io/warn: restricted
Network Security
Network Policies control pod-to-pod communication:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-all
namespace: default
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
Network Policies:
- Control ingress and egress traffic
- Use label selectors
- Define allowed connections
- Provide network isolation
Secrets Management
Secrets store sensitive data:
apiVersion: v1
kind: Secret
metadata:
name: my-secret
type: Opaque
data:
password: cGFzc3dvcmQ= # base64 encoded
Important:
- Secrets are base64 encoded (not encrypted)
- Enable encryption at rest for production
- Use external secret stores for sensitive data
- Rotate secrets regularly
Admission Control
Admission controllers validate and mutate resources:
Validating Admission Webhooks
Validate resources before they’re stored:
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: my-validator
webhooks:
- name: validate.example.com
rules:
- apiGroups: ["apps"]
apiVersions: ["v1"]
operations: ["CREATE", "UPDATE"]
resources: ["deployments"]
Mutating Admission Webhooks
Modify resources before they’re stored:
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: my-mutator
webhooks:
- name: mutate.example.com
rules:
- apiGroups: [""]
apiVersions: ["v1"]
operations: ["CREATE"]
resources: ["pods"]
Runtime Security
Runtime security monitors and protects running workloads:
- Falco - Runtime threat detection
- KubeArmor - System call filtering
- eBPF-based security - Kernel-level monitoring
These tools detect:
- Unauthorized access attempts
- Suspicious behavior
- Policy violations
- Security threats
Policy Enforcement
Policy engines enforce security policies:
- OPA/Gatekeeper - Open Policy Agent for Kubernetes
- Kyverno - Kubernetes-native policy engine
- Pod Security Standards - Built-in pod security policies
These tools:
- Enforce policies automatically
- Prevent policy violations
- Provide policy as code
- Integrate with CI/CD
Supply Chain Security
Protect the software supply chain:
- Container scanning - Scan images for vulnerabilities
- Image signing - Sign images with Sigstore/Cosign
- SBOM - Software Bill of Materials
- Vulnerability management - Track and remediate vulnerabilities
Audit and Compliance
Kubernetes provides audit logging:
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata
resources:
- group: ""
resources: ["pods"]
Audit logs record:
- Who did what
- When it happened
- What was changed
- Success or failure
Use for:
- Compliance requirements
- Security investigations
- Access auditing
- Change tracking
Security Best Practices
Authentication and Authorization
- Use RBAC with least privilege
- Use ServiceAccounts for pods
- Rotate certificates regularly
- Disable basic auth
Pod Security
- Run containers as non-root
- Drop all capabilities, add only needed
- Use read-only root filesystems when possible
- Apply Pod Security Standards
Network Security
- Use Network Policies for isolation
- Encrypt traffic (TLS/mTLS)
- Limit network exposure
- Use service meshes for advanced security
Secrets Management
- Enable encryption at rest
- Use external secret stores
- Rotate secrets regularly
- Limit secret access
General
- Keep Kubernetes updated
- Scan container images
- Enable audit logging
- Use policy engines
- Regular security reviews
Key Takeaways
- Kubernetes security is multi-layered (defense in depth)
- Authentication verifies identity, authorization verifies permissions
- RBAC is the primary authorization mechanism
- Pod security contexts control container security
- Network Policies provide network isolation
- Secrets need encryption at rest
- Admission control validates and mutates resources
- Audit logging provides compliance and investigation capabilities
- Follow security best practices for production
See Also
- RBAC - Detailed RBAC information
- AuthN & AuthZ - Authentication and authorization
- Network Policies - Network security
- Secrets Management - Managing secrets
- Admission Control - Admission webhooks
- Pod Security Standards - Pod security policies