K8s Security Policies

1---2name: k8s-security-policies3description: Implement Kubernetes security policies including NetworkPolicy, PodSecurityPolicy, and RBAC for production-grade security. Use when securing Kubernetes clusters, implementing network isolation, or enforcing pod security standards.4---5 6# Kubernetes Security Policies7 8Comprehensive guide for implementing NetworkPolicy, PodSecurityPolicy, RBAC, and Pod Security Standards in Kubernetes.9 10## Purpose11 12Implement defense-in-depth security for Kubernetes clusters using network policies, pod security standards, and RBAC.13 14## When to Use This Skill15 16- Implement network segmentation17- Configure pod security standards18- Set up RBAC for least-privilege access19- Create security policies for compliance20- Implement admission control21- Secure multi-tenant clusters22 23## Pod Security Standards24 25### 1. Privileged (Unrestricted)26 27```yaml28apiVersion: v129kind: Namespace30metadata:31  name: privileged-ns32  labels:33    pod-security.kubernetes.io/enforce: privileged34    pod-security.kubernetes.io/audit: privileged35    pod-security.kubernetes.io/warn: privileged36```37 38### 2. Baseline (Minimally restrictive)39 40```yaml41apiVersion: v142kind: Namespace43metadata:44  name: baseline-ns45  labels:46    pod-security.kubernetes.io/enforce: baseline47    pod-security.kubernetes.io/audit: baseline48    pod-security.kubernetes.io/warn: baseline49```50 51### 3. Restricted (Most restrictive)52 53```yaml54apiVersion: v155kind: Namespace56metadata:57  name: restricted-ns58  labels:59    pod-security.kubernetes.io/enforce: restricted60    pod-security.kubernetes.io/audit: restricted61    pod-security.kubernetes.io/warn: restricted62```63 64## Network Policies65 66### Default Deny All67 68```yaml69apiVersion: networking.k8s.io/v170kind: NetworkPolicy71metadata:72  name: default-deny-all73  namespace: production74spec:75  podSelector: {}76  policyTypes:77    - Ingress78    - Egress79```80 81### Allow Frontend to Backend82 83```yaml84apiVersion: networking.k8s.io/v185kind: NetworkPolicy86metadata:87  name: allow-frontend-to-backend88  namespace: production89spec:90  podSelector:91    matchLabels:92      app: backend93  policyTypes:94    - Ingress95  ingress:96    - from:97        - podSelector:98            matchLabels:99              app: frontend100      ports:101        - protocol: TCP102          port: 8080103```104 105### Allow DNS106 107```yaml108apiVersion: networking.k8s.io/v1109kind: NetworkPolicy110metadata:111  name: allow-dns112  namespace: production113spec:114  podSelector: {}115  policyTypes:116    - Egress117  egress:118    - to:119        - namespaceSelector:120            matchLabels:121              name: kube-system122      ports:123        - protocol: UDP124          port: 53125```126 127**Reference:** See `assets/network-policy-template.yaml`128 129## RBAC Configuration130 131### Role (Namespace-scoped)132 133```yaml134apiVersion: rbac.authorization.k8s.io/v1135kind: Role136metadata:137  name: pod-reader138  namespace: production139rules:140  - apiGroups: [""]141    resources: ["pods"]142    verbs: ["get", "watch", "list"]143```144 145### ClusterRole (Cluster-wide)146 147```yaml148apiVersion: rbac.authorization.k8s.io/v1149kind: ClusterRole150metadata:151  name: secret-reader152rules:153  - apiGroups: [""]154    resources: ["secrets"]155    verbs: ["get", "watch", "list"]156```157 158### RoleBinding159 160```yaml161apiVersion: rbac.authorization.k8s.io/v1162kind: RoleBinding163metadata:164  name: read-pods165  namespace: production166subjects:167  - kind: User168    name: jane169    apiGroup: rbac.authorization.k8s.io170  - kind: ServiceAccount171    name: default172    namespace: production173roleRef:174  kind: Role175  name: pod-reader176  apiGroup: rbac.authorization.k8s.io177```178 179**Reference:** See `references/rbac-patterns.md`180 181## Pod Security Context182 183### Restricted Pod184 185```yaml186apiVersion: v1187kind: Pod188metadata:189  name: secure-pod190spec:191  securityContext:192    runAsNonRoot: true193    runAsUser: 1000194    fsGroup: 1000195    seccompProfile:196      type: RuntimeDefault197  containers:198    - name: app199      image: myapp:1.0200      securityContext:201        allowPrivilegeEscalation: false202        readOnlyRootFilesystem: true203        capabilities:204          drop:205            - ALL206```207 208## Policy Enforcement with OPA Gatekeeper209 210### ConstraintTemplate211 212```yaml213apiVersion: templates.gatekeeper.sh/v1214kind: ConstraintTemplate215metadata:216  name: k8srequiredlabels217spec:218  crd:219    spec:220      names:221        kind: K8sRequiredLabels222      validation:223        openAPIV3Schema:224          type: object225          properties:226            labels:227              type: array228              items:229                type: string230  targets:231    - target: admission.k8s.gatekeeper.sh232      rego: |233        package k8srequiredlabels234        violation[{"msg": msg, "details": {"missing_labels": missing}}] {235          provided := {label | input.review.object.metadata.labels[label]}236          required := {label | label := input.parameters.labels[_]}237          missing := required - provided238          count(missing) > 0239          msg := sprintf("missing required labels: %v", [missing])240        }241```242 243### Constraint244 245```yaml246apiVersion: constraints.gatekeeper.sh/v1beta1247kind: K8sRequiredLabels248metadata:249  name: require-app-label250spec:251  match:252    kinds:253      - apiGroups: ["apps"]254        kinds: ["Deployment"]255  parameters:256    labels: ["app", "environment"]257```258 259## Service Mesh Security (Istio)260 261### PeerAuthentication (mTLS)262 263```yaml264apiVersion: security.istio.io/v1beta1265kind: PeerAuthentication266metadata:267  name: default268  namespace: production269spec:270  mtls:271    mode: STRICT272```273 274### AuthorizationPolicy275 276```yaml277apiVersion: security.istio.io/v1beta1278kind: AuthorizationPolicy279metadata:280  name: allow-frontend281  namespace: production282spec:283  selector:284    matchLabels:285      app: backend286  action: ALLOW287  rules:288    - from:289        - source:290            principals: ["cluster.local/ns/production/sa/frontend"]291```292 293## Best Practices294 2951. **Implement Pod Security Standards** at namespace level2962. **Use Network Policies** for network segmentation2973. **Apply least-privilege RBAC** for all service accounts2984. **Enable admission control** (OPA Gatekeeper/Kyverno)2995. **Run containers as non-root**3006. **Use read-only root filesystem**3017. **Drop all capabilities** unless needed3028. **Implement resource quotas** and limit ranges3039. **Enable audit logging** for security events30410. **Regular security scanning** of images305 306## Compliance Frameworks307 308### CIS Kubernetes Benchmark309 310- Use RBAC authorization311- Enable audit logging312- Use Pod Security Standards313- Configure network policies314- Implement secrets encryption at rest315- Enable node authentication316 317### NIST Cybersecurity Framework318 319- Implement defense in depth320- Use network segmentation321- Configure security monitoring322- Implement access controls323- Enable logging and monitoring324 325## Troubleshooting326 327**NetworkPolicy not working:**328 329```bash330# Check if CNI supports NetworkPolicy331kubectl get nodes -o wide332kubectl describe networkpolicy <name>333```334 335**RBAC permission denied:**336 337```bash338# Check effective permissions339kubectl auth can-i list pods --as system:serviceaccount:default:my-sa340kubectl auth can-i '*' '*' --as system:serviceaccount:default:my-sa341```342 343 344## Related Skills345 346- `k8s-manifest-generator` - For creating secure manifests347- `gitops-workflow` - For automated policy deployment