Kubernetes Security
Reference articles for the Kubernetes security surface that matters most in production: RBAC misconfigurations that silently grant too much access, Pod Security Standards that should be enforced but are not, secrets stored in plaintext etcd, container images running as root, and the network policies that are the only thing standing between namespaces.
Each article starts from the attacker's perspective so you understand what a given hardening step actually prevents, and ends with a verification command so you can confirm the control is in place.
Articles
- Kubernetes RBAC: role-based access control for clusters (2195 words)
RBAC controls who can do what inside a Kubernetes cluster. It is the primary authorization mechanism in every production cluster, and getting it wrong either locks out your CI/CD pipeline or silently grants cluster-admin to a service account that only needed read access. This guide covers the four RBAC objects, shows how to build least-privilege roles for workloads and pipelines, and walks through the debugging workflow for the inevitable Forbidden error.
- Kyverno: Kubernetes-native policy engine (1638 words)
Kyverno is a policy engine built for Kubernetes. Policies are written as standard Kubernetes resources in YAML, not in a separate language, and Kyverno enforces them as an admission controller before resources reach your cluster. It validates, mutates, generates resources, and verifies container image signatures. This article explains how Kyverno works, what you can do with it, and how it compares to OPA/Gatekeeper.
- Kubernetes secrets management: Sealed Secrets, ESO, and Vault compared (1881 words)
Kubernetes Secrets are base64-encoded, not encrypted. For GitOps workflows, that means plain secret values end up in Git or in etcd without protection unless you add a dedicated tool. Sealed Secrets, External Secrets Operator, and HashiCorp Vault each solve this problem differently. This comparison breaks down the architecture, GitOps fit, multi-cluster behavior, and operational cost of each option so you can pick the right one for your team.
- Kubernetes Pod Security Standards: replacing PodSecurityPolicy after 1.25 (2181 words)
PodSecurityPolicy was removed in Kubernetes 1.25. Its replacement, Pod Security Admission (PSA) with Pod Security Standards (PSS), is built in and enabled by default on every cluster, but it does nothing unless you label your namespaces. This guide walks through the three profiles, the three enforcement modes, the migration path from PSP, and the cluster-level configuration that prevents new namespaces from running unprotected.
- Kubernetes workload identity: IRSA on EKS, Workload Identity on GKE and AKS (2302 words)
Static cloud credentials in Kubernetes Secrets are a breach waiting to happen. Every major cloud provider offers a workload identity mechanism that lets pods authenticate to cloud services using short-lived, automatically rotated tokens instead. This guide covers the setup for EKS (IRSA and Pod Identity), GKE (Workload Identity Federation), and AKS (Microsoft Entra Workload ID), with a comparison table and decision guide at the end.
- Kubernetes admission controllers and policy engines: Kyverno vs OPA Gatekeeper vs CEL (2475 words)
Every API request to a Kubernetes cluster passes through admission controllers after authentication and RBAC authorization. Policy engines like Kyverno and OPA Gatekeeper hook into this pipeline to validate, mutate, and generate resources. Kubernetes 1.30 added a built-in alternative, ValidatingAdmissionPolicy (CEL), that handles simple validation without any running services. This article compares all three so you can pick the right one for your cluster.
- Kubernetes container image security: vulnerability scanning with Trivy (2420 words)
Container images carry vulnerabilities in OS packages, language dependencies, and embedded secrets. Scanning at build time catches problems early, but new CVEs appear daily against images already running in production. This guide sets up Trivy for CI pipeline gating, continuous in-cluster monitoring with the Trivy Operator, image signing with Cosign, and admission enforcement with Kyverno.
- Kubernetes etcd: backup, restore, and disaster recovery (2133 words)
etcd holds every object in your Kubernetes cluster: Deployments, Secrets, RBAC rules, CRDs. Losing it means losing the cluster. This guide covers snapshot creation with etcdctl, automated backups via a CronJob, single-node restore, multi-node HA restore, and the revision-bump flags that prevent controller cache corruption after recovery.