Chapter Six
Security
Securing a cluster from the API inward — authentication and RBAC, service accounts, Pod Security Standards, secrets and encryption at rest, admission policy, and supply-chain trust.
Security in Kubernetes is layered, and the layers fail independently. A locked-down RBAC policy means little if any Pod can mount the host filesystem or pull an unsigned image.
The chapter works from the API inward: how a request authenticates and what RBAC then allows, the service-account identity workloads use, the Pod Security Standards that constrain what a Pod may do, encryption of secrets at rest, the admission webhooks and policy engines that enforce rules at create time, and the supply-chain controls that decide which images you trust.
Topics in This Chapter
Topic 31
Authentication and Authorization
How the API server decides who you are and what you may do — the authenticator chain that establishes identity, then the authorization modes (RBAC among them) that decide whether the request proceeds.
Topic 32
RBAC
Roles and bindings that grant verbs on resources. Least privilege in practice, and the wildcard grants that quietly undo it.
Topic 33
Service Accounts
The identity a Pod uses to call the API and, via federation, cloud services. Token projection and the end of long-lived secrets.
Topic 34
Pod Security Standards
The Privileged/Baseline/Restricted profiles that replaced PodSecurityPolicy, and how the built-in Pod Security Admission controller enforces them per namespace.
Topic 35
Secrets Management
Why Secrets are not secret by default, encryption at rest with a KMS, and external secret stores that keep credentials out of etcd.
Topic 36
Admission Control and Policy
Validating and mutating webhooks, and the policy engines — OPA/Gatekeeper, Kyverno — that enforce org rules before an object is stored.
Topic 37
Supply-Chain Security
Trusting what you run: image signing, provenance, SBOMs, and scanning. Closing the gap between the registry and the cluster.
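The chapter intro makes the point that the layers fail independently: a tight ClusterRole is undone by a wildcard rule somewhere else, and a Pod that mounts the host filesystem bypasses RBAC entirely. As a preview of Topics 32 and 34, here is an added example (not the book's code) that audits both layers offline from the JSON `kubectl get <kind> -o json` emits. The `SENSITIVE` grant list is this example's own judgement of what is close to cluster-admin, and the Pod checks cover the Restricted profile's main container-level rules (host namespaces, hostPath, privileged, allowPrivilegeEscalation, runAsNonRoot, capabilities, seccomp) without reimplementing Pod Security Admission in full; the sample objects at the bottom are constructed.

```python
"""Offline audit of two layers named above: RBAC wildcard grants (Topic 32)
and Pod specs that reach the host or escape the Restricted profile (Topic 34).
Reads the JSON that `kubectl get <kind> -o json` emits, so it runs with no
cluster and no third-party library. Added example, not the book's code;
the sample objects at the bottom are constructed for illustration."""
import json
import sys

# Real RBAC verbs that let a subject grow its own privileges.
ESCALATION_VERBS = {"escalate", "bind", "impersonate"}

# (apiGroup, resource, verb) grants that are close to cluster-admin in effect.
# This list is the example's own judgement; apiGroup "" is the core group.
SENSITIVE = {
    ("", "secrets", "get"), ("", "secrets", "list"),
    ("", "pods/exec", "create"), ("", "pods", "create"),
    ("rbac.authorization.k8s.io", "clusterrolebindings", "create"),
}


def audit_role(role: dict) -> list[str]:
    """Findings for one Role or ClusterRole: wildcards and escalation paths."""
    out = []
    name = role.get("metadata", {}).get("name", "<unnamed>")
    for i, rule in enumerate(role.get("rules", [])):
        groups, res, verbs = (rule.get(k, []) for k in ("apiGroups", "resources", "verbs"))
        loc = f"{role.get('kind')}/{name} rules[{i}]"
        if "*" in verbs and "*" in res:
            out.append(f"{loc}: '*' verbs on '*' resources (cluster-admin equivalent)")
        elif "*" in verbs:
            out.append(f"{loc}: '*' verbs on {res}")
        elif "*" in res:
            out.append(f"{loc}: '*' resources for verbs {verbs}")
        out += [f"{loc}: escalation verb '{v}'" for v in sorted(set(verbs) & ESCALATION_VERBS)]
        out += [f"{loc}: sensitive grant {v} {r} (apiGroup '{g or 'core'}')"
                for g in groups for r in res for v in verbs if (g, r, v) in SENSITIVE]
    return out


def audit_pod(pod: dict) -> list[str]:
    """Findings the Restricted profile would reject (host access, root, caps, seccomp)."""
    out = []
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    out += [f"Pod/{name}: {k} shares a host namespace"
            for k in ("hostNetwork", "hostPID", "hostIPC") if spec.get(k)]
    out += [f"Pod/{name}: volume '{v.get('name')}' mounts hostPath {v['hostPath'].get('path')}"
            for v in spec.get("volumes", []) if "hostPath" in v]
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        loc = f"Pod/{name} container '{c.get('name')}'"
        if sc.get("privileged"):
            out.append(f"{loc}: privileged")
        if sc.get("allowPrivilegeEscalation") is not False:  # must be explicitly false
            out.append(f"{loc}: allowPrivilegeEscalation not set to false")
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:  # container overrides pod
            out.append(f"{loc}: runAsNonRoot not true")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            out.append(f"{loc}: capabilities.drop lacks ALL")
        extra = set(caps.get("add", [])) - {"NET_BIND_SERVICE"}  # the only add Restricted permits
        if extra:
            out.append(f"{loc}: adds capabilities {sorted(extra)}")
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            out.append(f"{loc}: seccompProfile must be RuntimeDefault or Localhost")
    return out


def audit(obj: dict) -> list[str]:
    """Dispatch on kind; unwraps the List that `kubectl get ... -o json` returns."""
    kind = obj.get("kind", "")
    if kind == "List":
        return [f for item in obj.get("items", []) for f in audit(item)]
    if kind in ("Role", "ClusterRole"):
        return audit_role(obj)
    if kind == "Pod":
        return audit_pod(obj)
    return []


# Constructed samples: one over-broad ClusterRole, one host-reaching Pod, one that passes.
WILDCARD_ROLE = {"kind": "ClusterRole", "metadata": {"name": "ci-deployer"}, "rules": [
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list", "update"]},
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
    {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
]}
BAD_POD = {"kind": "Pod", "metadata": {"name": "debug"}, "spec": {
    "hostPID": True,
    "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
    "containers": [{"name": "shell", "image": "busybox", "securityContext": {"privileged": True}}],
}}
GOOD_POD = {"kind": "Pod", "metadata": {"name": "web"}, "spec": {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "app", "image": "example/web:1.2", "securityContext": {
        "allowPrivilegeEscalation": False,
        "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}}],
}}

if __name__ == "__main__":
    # Usage: python audit.py cluster.json  (output of `kubectl get clusterroles,pods -A -o json`);
    # with no argument, the constructed samples are audited instead.
    docs = [json.load(open(sys.argv[1]))] if len(sys.argv) > 1 else [WILDCARD_ROLE, BAD_POD, GOOD_POD]
    for finding in (f for d in docs for f in audit(d)):
        print(finding)
```

Run against the samples, the ClusterRole yields two findings (the `*`/`*`/`*` rule and `create` on `pods/exec`) and the debug Pod seven, while the hardened Pod yields none. The point to take from it is that neither audit would catch what the other does: a clean RBAC report says nothing about a Pod with `hostPath: /`, which is why the chapter treats each layer as its own control.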