Open Skills Logo
Open Skills

k8s-security-policies

Implement Kubernetes security policies including NetworkPolicy, PodSecurityPolicy, and RBAC for production-grade security. Use when securing Kubernetes clusters, implementing network isolation, or enforcing pod security standards.

View Source
name:k8s-security-policiesdescription:Implement Kubernetes security policies including NetworkPolicy, PodSecurityPolicy, and RBAC for production-grade security. Use when securing Kubernetes clusters, implementing network isolation, or enforcing pod security standards.

Kubernetes Security Policies

Comprehensive guide for implementing NetworkPolicy, PodSecurityPolicy, RBAC, and Pod Security Standards in Kubernetes.

Do not use this skill when

  • The task is unrelated to kubernetes security policies

  • You need a different domain or tool outside this scope

    • Instructions

  • Clarify goals, constraints, and required inputs.

  • Apply relevant best practices and validate outcomes.

  • Provide actionable steps and verification.

  • If detailed examples are required, open resources/implementation-playbook.md.

    • Purpose

    Implement defense-in-depth security for Kubernetes clusters using network policies, pod security standards, and RBAC.

    Use this skill when

  • Implement network segmentation

  • Configure pod security standards

  • Set up RBAC for least-privilege access

  • Create security policies for compliance

  • Implement admission control

  • Secure multi-tenant clusters

    • Pod Security Standards

    1. Privileged (Unrestricted)


    apiVersion: v1
    kind: Namespace
    metadata:
      name: privileged-ns
      labels:
        pod-security.kubernetes.io/enforce: privileged
        pod-security.kubernetes.io/audit: privileged
        pod-security.kubernetes.io/warn: privileged

    2. Baseline (Minimally restrictive)


    apiVersion: v1
    kind: Namespace
    metadata:
      name: baseline-ns
      labels:
        pod-security.kubernetes.io/enforce: baseline
        pod-security.kubernetes.io/audit: baseline
        pod-security.kubernetes.io/warn: baseline

    3. Restricted (Most restrictive)


    apiVersion: v1
    kind: Namespace
    metadata:
      name: restricted-ns
      labels:
        pod-security.kubernetes.io/enforce: restricted
        pod-security.kubernetes.io/audit: restricted
        pod-security.kubernetes.io/warn: restricted

    Network Policies

    Default Deny All


    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: default-deny-all
      namespace: production
    spec:
      podSelector: {}
      policyTypes:
      - Ingress
      - Egress

    Allow Frontend to Backend


    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: allow-frontend-to-backend
      namespace: production
    spec:
      podSelector:
        matchLabels:
          app: backend
      policyTypes:
      - Ingress
      ingress:
      - from:
        - podSelector:
            matchLabels:
              app: frontend
        ports:
        - protocol: TCP
          port: 8080

    Allow DNS


    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: allow-dns
      namespace: production
    spec:
      podSelector: {}
      policyTypes:
      - Egress
      egress:
      - to:
        - namespaceSelector:
            matchLabels:
              name: kube-system
        ports:
        - protocol: UDP
          port: 53

    Reference: See assets/network-policy-template.yaml

    RBAC Configuration

    Role (Namespace-scoped)


    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: pod-reader
      namespace: production
    rules:
  • apiGroups: [""]

    •   resources: ["pods"]
      verbs: ["get", "watch", "list"]

    ClusterRole (Cluster-wide)


    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: secret-reader
    rules:
  • apiGroups: [""]

    •   resources: ["secrets"]
      verbs: ["get", "watch", "list"]

    RoleBinding


    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: read-pods
      namespace: production
    subjects:
  • kind: User

    •   name: jane
      apiGroup: rbac.authorization.k8s.io
  • kind: ServiceAccount

    •   name: default
      namespace: production
    roleRef:
      kind: Role
      name: pod-reader
      apiGroup: rbac.authorization.k8s.io

    Reference: See references/rbac-patterns.md

    Pod Security Context

    Restricted Pod


    apiVersion: v1
    kind: Pod
    metadata:
      name: secure-pod
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        fsGroup: 1000
        seccompProfile:
          type: RuntimeDefault
      containers:
      - name: app
        image: myapp:1.0
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop:
            - ALL

    Policy Enforcement with OPA Gatekeeper

    ConstraintTemplate


    apiVersion: templates.gatekeeper.sh/v1
    kind: ConstraintTemplate
    metadata:
      name: k8srequiredlabels
    spec:
      crd:
        spec:
          names:
            kind: K8sRequiredLabels
          validation:
            openAPIV3Schema:
              type: object
              properties:
                labels:
                  type: array
                  items:
                    type: string
      targets:
        - target: admission.k8s.gatekeeper.sh
          rego: |
            package k8srequiredlabels
            violation[{"msg": msg, "details": {"missing_labels": missing}}] {
    <div class="overflow-x-auto my-6"><table class="min-w-full divide-y divide-border border border-border"><thead><tr><th class="px-4 py-2 text-left text-sm font-semibold text-foreground bg-muted/50">provided := {label</th><th class="px-4 py-2 text-left text-sm font-semibold text-foreground bg-muted/50">input.review.object.metadata.labels[label]}</th></tr></thead><tbody class="divide-y divide-border"></tbody></table></div>
              missing := required - provided
              count(missing) > 0
              msg := sprintf("missing required labels: %v", [missing])
            }

    Constraint


    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: K8sRequiredLabels
    metadata:
      name: require-app-label
    spec:
      match:
        kinds:
          - apiGroups: ["apps"]
            kinds: ["Deployment"]
      parameters:
        labels: ["app", "environment"]

    Service Mesh Security (Istio)

    PeerAuthentication (mTLS)


    apiVersion: security.istio.io/v1beta1
    kind: PeerAuthentication
    metadata:
      name: default
      namespace: production
    spec:
      mtls:
        mode: STRICT

    AuthorizationPolicy


    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      name: allow-frontend
      namespace: production
    spec:
      selector:
        matchLabels:
          app: backend
      action: ALLOW
      rules:
      - from:
        - source:
            principals: ["cluster.local/ns/production/sa/frontend"]

    Best Practices

  • Implement Pod Security Standards at namespace level

  • Use Network Policies for network segmentation

  • Apply least-privilege RBAC for all service accounts

  • Enable admission control (OPA Gatekeeper/Kyverno)

  • Run containers as non-root

  • Use read-only root filesystem

  • Drop all capabilities unless needed

  • Implement resource quotas and limit ranges

  • Enable audit logging for security events

  • Regular security scanning of images

    • Compliance Frameworks

    CIS Kubernetes Benchmark


  • Use RBAC authorization

  • Enable audit logging

  • Use Pod Security Standards

  • Configure network policies

  • Implement secrets encryption at rest

  • Enable node authentication

    • NIST Cybersecurity Framework


  • Implement defense in depth

  • Use network segmentation

  • Configure security monitoring

  • Implement access controls

  • Enable logging and monitoring

    • Troubleshooting

    NetworkPolicy not working:

    # Check if CNI supports NetworkPolicy
    kubectl get nodes -o wide
    kubectl describe networkpolicy <name>

    RBAC permission denied:

    # Check effective permissions
    kubectl auth can-i list pods --as system:serviceaccount:default:my-sa
    kubectl auth can-i '' '' --as system:serviceaccount:default:my-sa

    Reference Files

  • assets/network-policy-template.yaml - Network policy examples

  • assets/pod-security-template.yaml - Pod security policies

  • references/rbac-patterns.md - RBAC configuration patterns

    • Related Skills

  • k8s-manifest-generator - For creating secure manifests

  • gitops-workflow - For automated policy deployment