5 Typical Kubernetes Security Scenarios

Maintain least privilege: Incorrect or excessively permissive RBAC policies are a security threat in case of a compromised pod.

For Kubernetes workloads (pods, deployments, jobs, sets, etc.), they may be trusted at deployment time, but if they’re internet-facing there’s always a risk of later exploitation.

The Linux kernel has a number of overlapping security extensions (capabilities, SELinux, AppArmor, seccomp-bpf) that can be configured to provide least privilege to applications.

TODO: diagram

  • Linux Security Features and PodSecurityPolicies; Network security
  • RABC

Kubernetes Security

Kubernetes Security

1.1 Facts & State

  • Hard to keep aligned with current security best practice
  • Security pratice may break our applications or slow down our developers
  • Missing features of k8s security

1.2 Scenario: Secure Underline Platform

1.3 Scenario: Secure K8S Workload

1.4 Scenario: Security Practice In SDLC

Software developing life cycles

Scan the package

  • Airgap deployment: avoid docker pull.
  • Use fixed version for everything. OSS/TP

1.5 Scenario: Secure Disater From Admin Human Errors

1.6 Scenario: Secure Data Breach From Neighbors

1.7 Look Ahead

1.7.1 DONE You can’t get network policy security with default CNI

1.7.2 DONE Volume security: my PVC can be mounted only by me. Security within one namespace

1.7.3 DONE RABC can only filter individual resources, but not with name pattern


Subdividing namespaces is not trivial. The current advice is to use different namespaces. Are you primarily concerned with dividing access between users or service accounts?

1.7.4 DONE hostPath mount: filter by path pattern

1.8 What Security Enhancement PKS Has been Made?

More Reading: Kubernetes YAML Templates, 11 Ways (Not) to Get Hacked

<a href=”https://github.com/dennyzhang/www.dennyzhang.com/tree/master/kubernetes/kubernetes-security“><img align=”right” width=”200″ height=”183″ src=”github.png” /></a>

<div id=”the whole thing” style=”overflow: hidden;”>
<div style=”float: left; padding: 5px”> <a href=”https://www.linkedin.com/in/dennyzhang001“><img src=”linkedin.png” alt=”linkedin” /></a></div>
<div style=”float: left; padding: 5px”><a href=”https://github.com/dennyzhang“><img src=”github.png” alt=”github” /></a></div>
<div style=”float: left; padding: 5px”><a href=”https://www.dennyzhang.com/slack” target=”blank” rel=”nofollow”><img src=”badge.svg” alt=”slack”/></a></div>

<a href=”http://makeapullrequest.com” target=”blank” rel=”nofollow”><img src=”PRs-welcome-brightgreen.svg” alt=”PRs Welcome”/></a>

Blog URL: https://www.dennyzhang.com/kubernetes-security