Pod Security
Pod Security Standards
Kubernetes Pod Security Standards define three policies:
Privileged: Unrestricted policy
Baseline: Minimally restrictive policy
Restricted: Highly restrictive policy for security-critical applications
Pod Security Admission Controller
apiVersion: v1
kind: Namespace
metadata:
name: secure-namespace
labels:
pod-security.kubernetes.io/enforce: restricted
pod-security.kubernetes.io/warn: restricted
pod-security.kubernetes.io/audit: restricted
Modern Security Context Examples
Restricted Policy Compliant Pod:
apiVersion: v1
kind: Pod
metadata:
name: secure-pod
spec:
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
containers:
- name: app
image: my-secure-app:latest
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
runAsUser: 1000
runAsGroup: 3000
readOnlyRootFilesystem: true
seccompProfile:
type: RuntimeDefault
RuntimeClass Integration:
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
name: gvisor
handler: runsc
---
apiVersion: v1
kind: Pod
metadata:
name: gvisor-pod
spec:
runtimeClassName: gvisor
containers:
- name: app
image: my-app:latest
OPA/Gatekeeper Policy Examples
Require Non-Root Users:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireNonRootUser
metadata:
name: require-non-root
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
Enforce Security Context:
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
name: securitycontext
spec:
crd:
spec:
names:
kind: SecurityContext
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package securitycontext
violation[{"msg": msg}] {
container := input.review.object.spec.containers[_]
not container.securityContext.readOnlyRootFilesystem
msg := "Root filesystem must be read-only"
}
Network Policy Examples
Modern zero-trust network policy:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-all
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-specific-traffic
spec:
podSelector:
matchLabels:
app: web
policyTypes:
- Ingress
ingress:
- from:
- namespaceSelector:
matchLabels:
purpose: frontend
ports:
- protocol: TCP
port: 8080
Best Practices for 2024+
Pod Security Standards Adoption
Enable Pod Security Admission controller
Use "restricted" policy by default
Implement exceptions only when necessary
Runtime Security
Use gVisor or kata-containers for isolation
Enable SeccompProfile
Implement Falco for runtime monitoring
Supply Chain Security
Sign container images
Use cosign for verification
Implement admission controllers
Zero Trust Implementation
Default deny network policies
Explicit allow rules only
Regular audit logging
Resource Constraints
Set CPU/Memory limits
Configure OOM score
Use resource quotas
Last updated