k8s-security-hardening

Use when implementing Pod Security Standards, hardening cluster security configuration, setting up network policies for zero-trust, configuring secrets management, implementing admission control policies, conducting security audits, or ensuring CIS benchmark compliance

Updated 2/5/2026

Kubernetes Security Hardening

Secure Kubernetes platforms including Pod Security Standards, network policies, secrets management, admission control, and compliance.

Keywords

kubernetes, security, hardening, pod security, pss, psa, network policy, rbac, secrets, encryption, audit, compliance, cis benchmark, admission control, kyverno, opa, gatekeeper, implementing, configuring, conducting, ensuring

When to Use This Skill

  • Implementing Pod Security Standards
  • Hardening cluster security configuration
  • Setting up network policies for zero-trust
  • Configuring secrets management
  • Implementing admission control policies
  • Conducting security audits
  • Ensuring CIS benchmark compliance

Quick Reference

  • Check PSS violations: kubectl get pods -A -o json | jq '.items[] | select(.spec.securityContext.runAsNonRoot != true)'
  • Audit cluster-admin: kubectl get clusterrolebindings -o json | jq '.items[] | select(.roleRef.name=="cluster-admin")'
  • List network policies: kubectl get networkpolicies -A
  • Run CIS benchmark: kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job.yaml

Pod Security Standards

For detailed security context configuration, see Shared: Pod Security Context.

Namespace Enforcement

apiVersion: v1
kind: Namespace
metadata:
  name: secure-namespace
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted

Profile Summary

| Profile | Use Case | Key Restrictions |
| --- | --- | --- |
| Privileged | System/infra | None |
| Baseline | General | No privileged, no hostPath |
| Restricted | Security-sensitive | Non-root, drop caps, seccomp |

Admission Control

Kyverno Policy Example

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-run-as-nonroot
spec:
  validationFailureAction: Enforce
  rules:
  - name: run-as-non-root
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "Containers must run as non-root"
      pattern:
        spec:
          containers:
          - securityContext:
              runAsNonRoot: true

Image Verification

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-images
spec:
  validationFailureAction: Enforce
  rules:
  - name: verify-signature
    match:
      any:
      - resources:
          kinds:
          - Pod
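    verifyImages:
    - imageReferences:
      - "registry.company.com/*"
      attestors:
      - entries:
        - keyless:
            # Pin the signer identity; without issuer/subject the policy
            # does not constrain who signed the image
            issuer: <oidc-issuer-url>
            subject: <expected-signer-identity>
            rekor:
              url: https://rekor.sigstore.dev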

OPA Gatekeeper Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: require-team-label
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Namespace"]
  parameters:
    labels:
    - key: "team"

Network Security

For detailed NetworkPolicy patterns, see Shared: Network Policies.

Zero-Trust Implementation

  1. Apply default deny all
  2. Allow DNS egress
  3. Allow specific required traffic only
  4. Audit with network policy logging
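
The first three steps as manifests, an added example that is not part of the original skill. It reuses the page's secure-namespace; the app: frontend and app: backend labels, port 8080 and the k8s-app: kube-dns selector are assumptions to adapt to the cluster. Step 4 depends on the CNI plugin and is not shown.

```yaml
# Added example. Namespace is the page's; app labels, port 8080 and the
# k8s-app=kube-dns label are assumptions about the cluster.
# 1. Default deny: selects every pod, permits nothing in either direction.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: default-deny-all, namespace: secure-namespace}
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
---
# 2. DNS egress for all pods; without it, deny-all egress breaks resolution.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: allow-dns-egress, namespace: secure-namespace}
spec:
  podSelector: {}
  policyTypes: [Egress]
  egress:
  - to:
    - namespaceSelector:
        matchLabels: {kubernetes.io/metadata.name: kube-system}
      podSelector:
        matchLabels: {k8s-app: kube-dns}
    ports:
    - {protocol: UDP, port: 53}
    - {protocol: TCP, port: 53}
---
# 3a. Required traffic, receiving side: backend accepts frontend on TCP 8080.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: backend-from-frontend, namespace: secure-namespace}
spec:
  podSelector: {matchLabels: {app: backend}}
  policyTypes: [Ingress]
  ingress:
  - from: [{podSelector: {matchLabels: {app: frontend}}}]
    ports: [{protocol: TCP, port: 8080}]
---
# 3b. Sending side: deny-all egress also blocks the client, so allow it too.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: frontend-to-backend, namespace: secure-namespace}
spec:
  podSelector: {matchLabels: {app: frontend}}
  policyTypes: [Egress]
  egress:
  - to: [{podSelector: {matchLabels: {app: backend}}}]
    ports: [{protocol: TCP, port: 8080}]
```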

RBAC Security

For detailed RBAC patterns, see Shared: RBAC Patterns.

Audit Commands

# Find cluster-admin bindings
kubectl get clusterrolebindings -o json | \
  jq '.items[] | select(.roleRef.name=="cluster-admin") | .subjects'

# Find wildcard permissions (any() tolerates roles with no rules and prints each name once)
kubectl get roles,clusterroles -A -o json | \
  jq -r '.items[] | select(any(.rules[]?.verbs[]?; . == "*")) | .metadata.name'

# Service account permissions
kubectl auth can-i --list --as="system:serviceaccount:${NS}:${SA}"

Secrets Management

External Secrets

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: app-secrets
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  target:
    name: app-secrets
    creationPolicy: Owner
  data:
  - secretKey: password
    remoteRef:
      key: secret/data/app
      property: password

Encryption at Rest

apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- resources:
  - secrets
  providers:
  - aescbc:
      keys:
      - name: key1
        # Generate with: head -c 32 /dev/urandom | base64
        secret: <generate-and-insert-base64-key>
  - identity: {}

Runtime Security

Falco Rules

- rule: Shell Spawned in Container
  desc: Detect shell spawned in container
  condition: >
    spawned_process and
    container and
    proc.name in (shell_binaries)
  output: >
    Shell spawned in container
    (user=%user.name container=%container.name shell=%proc.name)
  priority: WARNING
  tags: [container, shell]

Audit Policy

apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata
  resources:
  - group: ""
    resources: ["secrets", "configmaps"]
- level: RequestResponse
  users: ["system:anonymous"]
  # verbs omitted: an empty list matches every verb ("*" is not a wildcard here)
- level: RequestResponse
  resources:
  - group: "rbac.authorization.k8s.io"

Supply Chain Security

SLSA Requirements

| Level | Requirements |
| --- | --- |
| SLSA 1 | Build process documented |
| SLSA 2 | Version control, hosted build |
| SLSA 3 | Verified source, isolated build |
| SLSA 4 | Two-party review, hermetic builds |

Image Signing (Cosign)

# Sign image
cosign sign --key cosign.key registry.example.com/app:v1.0.0

# Verify image
cosign verify --key cosign.pub registry.example.com/app:v1.0.0

Security Scanning

| Tool | Target | Frequency |
| --- | --- | --- |
| Trivy | Container images | Every build |
| Kubescape | Cluster config | Daily |
| Falco | Runtime behavior | Continuous |
| kube-bench | CIS benchmark | Weekly |
| Polaris | Best practices | On change |

Run kube-bench

kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job.yaml
kubectl logs -l app=kube-bench

Security Checklist

Cluster Level

  • API server private network only
  • etcd encrypted, access restricted
  • Audit logging enabled
  • PSS enforced cluster-wide
  • Network policies default deny
  • RBAC least privilege
  • Secrets encrypted at rest

Workload Level

  • Non-root containers
  • Read-only root filesystem
  • No privilege escalation
  • Capabilities dropped
  • Resource limits set
  • Signed images only
  • No hostPath mounts
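
A pod spec that ticks each workload-level item above, added here as an illustration rather than taken from the skill. The pod name, UID, image path, digest placeholder and resource figures are assumptions; runAsNonRoot is set on the container as well as the pod because the page's require-run-as-nonroot pattern matches the container field.

```yaml
# Added example; names, UID, image path and resource figures are placeholders.
apiVersion: v1
kind: Pod
metadata:
  name: hardened-app
  namespace: secure-namespace
spec:
  automountServiceAccountToken: false   # no SA token unless the app needs one
  securityContext:
    runAsNonRoot: true                  # non-root containers (pod-wide default)
    runAsUser: 10001
    seccompProfile:
      type: RuntimeDefault              # seccomp, required by the restricted profile
  containers:
  - name: app
    # Matches the verify-images policy scope; pinned by digest, not by tag
    image: registry.company.com/app@sha256:<digest>
    securityContext:
      runAsNonRoot: true                # repeated here for the Kyverno pattern
      allowPrivilegeEscalation: false   # no privilege escalation
      readOnlyRootFilesystem: true      # read-only root filesystem
      capabilities:
        drop: ["ALL"]                   # capabilities dropped
    resources:
      requests: {cpu: 100m, memory: 128Mi}
      limits: {cpu: 500m, memory: 256Mi}   # resource limits set
    volumeMounts:
    - name: tmp
      mountPath: /tmp                   # writable scratch space for the app
  volumes:
  - name: tmp
    emptyDir: {}                        # emptyDir instead of a hostPath mount
```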

Tenant Level

  • Namespace isolation
  • Network policies enforced
  • Resource quotas applied
  • RBAC scoped to namespace
  • SA tokens disabled by default

Common Mistakes

| Mistake | Why It Fails | Instead |
| --- | --- | --- |
| Enforcing restricted PSS without auditing first | All non-compliant pods are rejected immediately, causing outage | Start with audit + warn modes, fix violations, then switch to enforce |
| Adding NetworkPolicy allow rules without a default-deny | Allow rules are additive; without deny-all, unlisted traffic still flows | Always apply default-deny-all first, then add explicit allows |
| Using cluster-admin ClusterRoleBinding for automation service accounts | Any compromise of that SA gives full cluster access | Create scoped Roles with minimum required permissions |
| Encrypting secrets at rest but leaving etcd endpoint exposed | Attacker can read etcd directly, bypassing API server encryption | Restrict etcd access to API server IPs only + mTLS |
| Signing images but not enforcing verification in admission | Signed images exist but unsigned images are still accepted | Deploy Kyverno/OPA policy that rejects unverified images |

MCP Tools

  • mcp__flux-operator-mcp__get_kubernetes_resources - Query resources
  • mcp__flux-operator-mcp__apply_kubernetes_manifest - Apply policies

Metadata

License: unknown
Version: -
Updated: 2/5/2026
Publisher: foxj77

Tags

api, ci-cd, observability, security, testing