```yaml
# role-developer-staging.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: staging
  name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
```
```yaml
# rolebinding-developer-staging.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: developer-read-pods
  namespace: staging
subjects:
- kind: Group
  name: developers # Name of the group in your authentication system
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: my-secure-app
spec:
  containers:
  - name: app-container
    image: my-app-image
    securityContext:
      runAsUser: 1000 # Run as user ID 1000
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL # Drop all capabilities by default
        add:
        - SETFCAP # Add back only what the application demonstrably needs (e.g. SETFCAP if it must set file capabilities); delete this list if it needs none
```
```yaml
# allow-frontend-to-backend.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: frontend-allow-backend
  namespace: frontend
spec:
  podSelector: {} # Apply to all pods in the frontend namespace
  policyTypes:
  - Egress
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: backend
    ports:
    - protocol: TCP
      port: 8080
```
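Two things about the policy above bite in practice. First, because `policyTypes` lists `Egress`, every egress flow not matched by a rule is denied, including DNS, so the frontend pods can no longer resolve the backend's service name. Second, a `to` entry with only a `podSelector` matches pods in the policy's own namespace; if `backend` runs in its own namespace, a `namespaceSelector` is required. The manifests below are an added example, not part of the original page: a default-deny policy for the namespace plus a rewritten allow rule. The `backend` namespace and the `kube-system` / `k8s-app: kube-dns` selectors for cluster DNS are assumptions (the latter match a standard CoreDNS deployment).

```yaml
# default-deny-frontend.yaml (added example): nothing in or out unless another policy allows it
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: frontend
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
---
# allow-frontend-to-backend.yaml (added example): DNS plus the backend, nothing else
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: frontend-allow-backend
  namespace: frontend
spec:
  podSelector: {} # all pods in the frontend namespace
  policyTypes:
  - Egress
  egress:
  # Rule 1: cluster DNS. Without this, egress restriction also breaks name resolution.
  # Assumption: CoreDNS runs in kube-system with the label k8s-app: kube-dns.
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
  # Rule 2: the backend, which is assumed to live in its own "backend" namespace.
  # namespaceSelector and podSelector in the SAME list element are ANDed:
  # only pods labelled app=backend inside the backend namespace match.
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: backend
      podSelector:
        matchLabels:
          app: backend
    ports:
    - protocol: TCP
      port: 8080
```

The `kubernetes.io/metadata.name` label is set automatically on every namespace, so it is a safe selector key. Had the `namespaceSelector` and `podSelector` been written as two separate elements of `to`, they would be ORed, and the rule would admit every pod in the backend namespace plus every `app: backend` pod anywhere in the cluster. The backend namespace also needs a matching ingress policy if it carries its own default-deny. Finally, enforcement depends on the network plugin: the API server accepts NetworkPolicy objects even on clusters whose CNI ignores them, so test with an actual connection, not just `kubectl get networkpolicy`.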

- Control Plane Components: These are the brain of your Kubernetes cluster. Compromising them grants significant control. This includes the API Server, etcd, Controller Manager, and Scheduler.
- Worker Nodes: These are the machines where your application containers actually run. Exploiting vulnerabilities here can lead to container breakouts, data exfiltration, or denial of service.
- Container Images: Insecure container images are a primary vector for introducing malicious code into your cluster.
- Network: Inter-container communication and external access points can be exploited if not properly secured.
- Data: Sensitive data stored within persistent volumes or in etcd requires strong protection.
- Human Access: Insufficiently restricted access for users and administrators can lead to accidental misconfigurations or malicious actions.

- Roles: A Role defines a set of permissions within a specific namespace.
- ClusterRoles: A ClusterRole defines permissions that apply cluster-wide.
- RoleBindings: A RoleBinding grants the permissions defined in a Role (or in a ClusterRole, scoped down to one namespace) to a user, group, or service account within a specific namespace.
- ClusterRoleBindings: A ClusterRoleBinding grants the permissions defined in a ClusterRole to a user, group, or service account cluster-wide.

- Authentication: Ensure only legitimate users and services can connect. Kubernetes supports various authentication methods, including X.509 client certificates, bearer tokens (service account tokens among them), and integration with external identity providers (e.g., OIDC).
- Authorization: Once authenticated, RBAC (as discussed above) determines what actions the user or service account is allowed to perform.
- Admission Controllers: These intercept requests to the API Server after authentication and authorization but before objects are persisted. Mutating admission runs first and may change the object; validating admission then accepts or rejects it. They can enforce policies, mutate objects, or deny requests based on custom logic. Examples include:
  - PodSecurity: Enforces the Pod Security Standards (privileged, baseline, restricted) per namespace.
  - LimitRanger: Enforces resource limits for pods.
  - ResourceQuota: Limits the total amount of resources that can be consumed within a namespace.
  Note that NetworkPolicy is not an admission controller: NetworkPolicy objects are enforced by the cluster's network plugin (CNI), and are silently ineffective on a plugin that does not support them.
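The Role and RoleBinding manifests earlier on this page, and the four RBAC object kinds listed above, combine in one more way worth knowing: a RoleBinding may reference a ClusterRole. That lets you define a permission set once and hand it out namespace by namespace, without ever creating a ClusterRoleBinding. The manifests below are an added example, not from the original page; the `ci-runner` service account and the `pods/log` subresource are assumptions.

```yaml
# clusterrole-pod-reader.yaml (added example): defined once, cluster-wide, but grants nothing by itself
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"] # pods/log is a subresource and must be listed explicitly (assumption: CI needs logs)
  verbs: ["get", "list", "watch"]
---
# rolebinding-ci-staging.yaml (added example): a RoleBinding can reference a ClusterRole;
# the grant is still confined to the binding's namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ci-read-pods
  namespace: staging
subjects:
- kind: ServiceAccount
  name: ci-runner      # assumption: the service account used by the CI job
  namespace: staging
roleRef:
  kind: ClusterRole    # not Role: reuse the cluster-wide definition
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```

Verify the scoping with impersonation: `kubectl auth can-i list pods -n staging --as=system:serviceaccount:staging:ci-runner` should print `yes`, and the same command with `-n production` should print `no`; a ClusterRoleBinding to the same ClusterRole would make both print `yes`. Keep `secrets` out of read-only roles like this one, since `list` returns the full objects with their data. `roleRef` is immutable, so pointing a binding at a different role means deleting and recreating it, which is a useful property: nobody can quietly widen a binding in place.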

- Secure Communication: Ensure all communication with etcd is encrypted using TLS, with client certificate authentication on both the client (API Server) and peer interfaces.
- Access Control: Restrict access to etcd to only the API Server. No other services or users should have direct access.
- Backup and Encryption: Regularly back up etcd and encrypt the backups. Consider enabling encryption at rest for etcd data.

- Run as Non-Root: Containers should ideally run as a non-root user. This significantly reduces the impact of a container breakout.
- Drop Unnecessary Capabilities: Linux capabilities grant special privileges to processes. Drop any capabilities that your application doesn't explicitly need.
- Seccomp Profiles: Restrict the system calls that a container can make.
- AppArmor/SELinux: Use these Linux security modules to enforce fine-grained access controls on processes.

- Encryption at Rest: Enable encryption at rest for secrets stored in etcd.
- Secrets Are Not Encrypted by Default: Kubernetes Secrets are only base64 encoded, which is an encoding, not encryption. They sit in etcd in the clear unless encryption at rest is configured, and anyone with `get` or `list` permission on Secrets, or with read access to etcd or its backups, can recover their contents.
- External Secret Management: For enhanced security, consider integrating with external secret management solutions like HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault.
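The etcd and secrets points above meet in the API server's configuration: the API server is the only etcd client, it authenticates to etcd with a TLS client certificate, and it is also where encryption at rest is switched on. The two documents below are an added example, not from the original page. The file paths follow kubeadm's defaults and are assumptions for other installers, the key value is a placeholder, the image tag is whatever your cluster runs, and the kube-apiserver fragment shows only the flags and fields relevant here.

```yaml
# /etc/kubernetes/enc/enc.yaml (added example; path is an assumption)
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- resources:
  - secrets
  providers:
  # The first provider encrypts new writes; every listed provider is tried when reading.
  - secretbox:
      keys:
      - name: key1
        secret: <base64 of 32 random bytes, e.g. from: head -c 32 /dev/urandom | base64>
  # identity last: existing plaintext Secrets stay readable until they are rewritten.
  # Remove it once everything has been re-encrypted so plaintext is no longer accepted.
  - identity: {}
---
# Relevant parts of the kube-apiserver static Pod (/etc/kubernetes/manifests/kube-apiserver.yaml).
# Other flags, probes and mounts are omitted here.
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - name: kube-apiserver
    image: registry.k8s.io/kube-apiserver:v1.30.0   # assumption: use your cluster's version
    command:
    - kube-apiserver
    - --etcd-servers=https://127.0.0.1:2379                              # TLS only, never http://
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt                       # verify etcd's server cert
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt       # client cert presented to etcd,
    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key        # which runs with --client-cert-auth=true
    - --encryption-provider-config=/etc/kubernetes/enc/enc.yaml           # turn on encryption at rest
    volumeMounts:
    - name: enc
      mountPath: /etc/kubernetes/enc
      readOnly: true
  volumes:
  - name: enc
    hostPath:
      path: /etc/kubernetes/enc
      type: DirectoryOrCreate
```

After the API server restarts, Secrets written earlier are still plaintext until rewritten: `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`. Confirm by reading one straight from etcd with the etcd client certificates (`etcdctl get /registry/secrets/default/<name>`); the stored value should begin with `k8s:enc:secretbox:v1:key1:` rather than readable JSON. Encryption at rest protects etcd data and backups, not the API: anyone RBAC allows to `get` a Secret still receives it decrypted. The key in this file lives on the control-plane node next to the data it protects; the `kms` v2 provider keeps the key in an external key service instead, which is the stronger option where one is available.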
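The container hardening points above (non-root, dropped capabilities, seccomp, AppArmor) are exactly what the PodSecurity admission controller can enforce for you: label a namespace with the `restricted` Pod Security Standard and the API server rejects any pod that does not meet it. The pair of manifests below is an added example, not from the original page, that extends the `my-secure-app` pod shown earlier. Reusing the `staging` namespace, the `/tmp` volume, and the AppArmor annotation key for the container name are assumptions; the annotation form is used because it also works on clusters older than 1.30, where `securityContext.appArmorProfile` does not exist.

```yaml
# namespace-staging.yaml (added example): enforce the restricted standard, warn and audit at the same level
apiVersion: v1
kind: Namespace
metadata:
  name: staging
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
# my-secure-app.yaml (added example): a pod that passes the restricted standard
apiVersion: v1
kind: Pod
metadata:
  name: my-secure-app
  namespace: staging
  annotations:
    # AppArmor: annotation key is container.apparmor.security.beta.kubernetes.io/<container name>
    container.apparmor.security.beta.kubernetes.io/app-container: runtime/default
spec:
  automountServiceAccountToken: false   # no API token in the pod unless it really talks to the API
  securityContext:
    runAsNonRoot: true                  # required by restricted; kubelet refuses to start a root process
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000
    seccompProfile:
      type: RuntimeDefault              # required by restricted; the runtime's default syscall filter
  containers:
  - name: app-container
    image: my-app-image
    securityContext:
      allowPrivilegeEscalation: false   # required by restricted
      readOnlyRootFilesystem: true      # not required, but blocks dropping tools into the container
      capabilities:
        drop: ["ALL"]                   # required by restricted; only NET_BIND_SERVICE may be added back
    volumeMounts:
    - name: tmp
      mountPath: /tmp                   # assumption: the only path the app writes to
  volumes:
  - name: tmp
    emptyDir: {}                        # emptyDir is one of the volume types restricted permits
```

Preview the effect before enforcing on an existing namespace: `kubectl label --dry-run=server --overwrite ns staging pod-security.kubernetes.io/enforce=restricted` reports every pod that would be rejected, without changing anything. Note that `runAsNonRoot: true` is checked by the kubelet at container start, so an image whose `USER` is root fails there rather than at admission unless `runAsUser` is set as above. With the root filesystem read-only, give the application an `emptyDir` for each path it genuinely writes; if it needs none, drop the volume and the mount.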