Pod Security

Pod Security Standards

Kubernetes Pod Security Standards define three policies:

  • Privileged: Unrestricted policy

  • Baseline: Minimally restrictive policy

  • Restricted: Highly restrictive policy for security-critical applications

Pod Security Admission Controller

apiVersion: v1
kind: Namespace
metadata:
  name: secure-namespace
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted

Modern Security Context Examples

  1. Restricted Policy Compliant Pod:

apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: app
    image: my-secure-app:latest
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
      runAsUser: 1000
      runAsGroup: 3000
      readOnlyRootFilesystem: true
      seccompProfile:
        type: RuntimeDefault
  1. RuntimeClass Integration:

apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc

---
apiVersion: v1
kind: Pod
metadata:
  name: gvisor-pod
spec:
  runtimeClassName: gvisor
  containers:
  - name: app
    image: my-app:latest

OPA/Gatekeeper Policy Examples

  1. Require Non-Root Users:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireNonRootUser
metadata:
  name: require-non-root
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  1. Enforce Security Context:

apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: securitycontext
spec:
  crd:
    spec:
      names:
        kind: SecurityContext
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package securitycontext
        violation[{"msg": msg}] {
          container := input.review.object.spec.containers[_]
          not container.securityContext.readOnlyRootFilesystem
          msg := "Root filesystem must be read-only"
        }

Network Policy Examples

Modern zero-trust network policy:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-specific-traffic
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          purpose: frontend
    ports:
    - protocol: TCP
      port: 8080

Best Practices for 2024+

  1. Pod Security Standards Adoption

    • Enable Pod Security Admission controller

    • Use "restricted" policy by default

    • Implement exceptions only when necessary

  2. Runtime Security

    • Use gVisor or kata-containers for isolation

    • Enable SeccompProfile

    • Implement Falco for runtime monitoring

  3. Supply Chain Security

    • Sign container images

    • Use cosign for verification

    • Implement admission controllers

  4. Zero Trust Implementation

    • Default deny network policies

    • Explicit allow rules only

    • Regular audit logging

  5. Resource Constraints

    • Set CPU/Memory limits

    • Configure OOM score

    • Use resource quotas

Last updated