freundcloud

Pod Security

Pod Security Standards

Kubernetes Pod Security Standards define three policies:

  • Privileged: Unrestricted policy
  • Baseline: Minimally restrictive policy
  • Restricted: Highly restrictive policy for security-critical applications

Pod Security Admission Controller

apiVersion: v1
kind: Namespace
metadata:
  name: secure-namespace
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted

Modern Security Context Examples

  1. Restricted Policy Compliant Pod:
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: app
    image: my-secure-app:latest
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
      runAsUser: 1000
      runAsGroup: 3000
      readOnlyRootFilesystem: true
      seccompProfile:
        type: RuntimeDefault
  1. RuntimeClass Integration:
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc

---
apiVersion: v1
kind: Pod
metadata:
  name: gvisor-pod
spec:
  runtimeClassName: gvisor
  containers:
  - name: app
    image: my-app:latest

OPA/Gatekeeper Policy Examples

  1. Require Non-Root Users:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireNonRootUser
metadata:
  name: require-non-root
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  1. Enforce Security Context:
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: securitycontext
spec:
  crd:
    spec:
      names:
        kind: SecurityContext
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package securitycontext
        violation[{"msg": msg}] {
          container := input.review.object.spec.containers[_]
          not container.securityContext.readOnlyRootFilesystem
          msg := "Root filesystem must be read-only"
        }

Network Policy Examples

Modern zero-trust network policy:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-specific-traffic
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          purpose: frontend
    ports:
    - protocol: TCP
      port: 8080

Best Practices for 2024+

  1. Pod Security Standards Adoption
    • Enable Pod Security Admission controller
    • Use “restricted” policy by default
    • Implement exceptions only when necessary
  2. Runtime Security
    • Use gVisor or kata-containers for isolation
    • Enable SeccompProfile
    • Implement Falco for runtime monitoring
  3. Supply Chain Security
    • Sign container images
    • Use cosign for verification
    • Implement admission controllers
  4. Zero Trust Implementation
    • Default deny network policies
    • Explicit allow rules only
    • Regular audit logging
  5. Resource Constraints
    • Set CPU/Memory limits
    • Configure OOM score
    • Use resource quotas