Files
awesome-kubernetes/v2-docs/kubernetes-security.md
Nubenetes Bot 19b7b44e20 feat(v2): restore in-page search/tag filter & drop redundant Markdown TOC
Fix: the per-page resource search box with maturity tag-pills stopped
appearing after navigation.instant was enabled (DOMContentLoaded fires only
on first SPA load). Reworked v2_filter.js to init via Material's document$
observable with a DOMContentLoaded fallback, guard double-injection, bind the
clickable-tag delegation once, and add a no-results state. Cache-bust ?v=2.9.12.

Change: removed the duplicated Markdown "## Table of Contents" from all 156 V2
content pages and from v2_optimizer.py — it forced hundreds of links of scroll
on large pages. Replaced by Material's native sticky "On this page" TOC
(removed toc.integrate, added toc.follow). tags.md keeps its TOC (it is an index).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-19 18:49:15 +02:00

32 KiB

Kubernetes Security

!!! tip "Nubenetes V2 Elite Portal" You are browsing the AI-Curated V2 Elite Edition. Looking for the exhaustive list of references? Check out the V1 Historical Archive.

!!! info "Architectural Context" Detailed reference for Kubernetes Security in the context of Hardened Infrastructure.

API Access Protection

Teleport Access Control

  • (2021) goteleport.com: Kubernetes API Access Security Hardening [N/A CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — Assesses security postures for Kube-API exposure, outlining standard secure practices including zero-trust access, bastions, detailed telemetry streams, and short-lived credentials.

Architecture

Microservices

Application Lifecycle

  • (2022) itnext.io: Journey Of A Microservice Application In The Kubernetes World 🌟 [COMMUNITY-TOOL] — Traces the structural lifecycle of a containerized microservice traversing deployment pipelines, service routing, and load balancing configurations. Provides practical insights into configuring readiness/liveness probes, autoscaling parameters, and ingress rules. Essential reference for microservice platform standardization.

CKS Certification Study Guides

Cluster Lifecycle Security

CNI Network Vulnerabilities

Network Penetration Testing

CVE Analysis

Network Vulnerabilities

Case Studies

Historical Exploit Analysis

Cloud Native Networking

Network Policies

Calico and Tigera Security

Secure CNI Implementation

  • (2021) itnext.io: How-To: Kubernetes Cluster Network Security 🌟 [N/A CONTENT] [COMMUNITY-TOOL] — A practical tutorial covering secure network policy design. Guides readers through limiting pod egress/ingress, utilizing global network policies, and implementing namespaces as security perimeters.

Cloud Native Security

The 4Cs of Cloud Native Security

  • (2020) kubernetes.io: Cloud native security for your clusters [N/A CONTENT] [COMMUNITY-TOOL] — An authoritative review of the '4C's of Cloud Native Security' (Cloud, Cluster, Container, Code). Explains how defense-in-depth principles apply across all layers of the cloud-native application stack.

Cluster Hardening

Infrastructural Protection

Network Policies (1)

  • (2019) ==Kubernetes Security Best Practices 🌟== 2712 [MARKDOWN CONTENT] [ADVANCED LEVEL] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] — A curated GitHub repository delineating hardened configurations for Kubernetes API servers, Kubelets, and network boundaries. It details port-level access rules, ingress/egress filtering, and cluster isolation tactics to defend against pivot attacks.

Operational Security

  • (2020) codeburst.io: 7 Kubernetes Security Best Practices You Must Follow [N/A CONTENT] [COMMUNITY-TOOL] — Outlines fundamental security practices for Kubernetes workloads, focusing on enabling RBAC, using namespaces for boundary control, managing secrets securely, and upgrading Kubernetes control planes to address known CVEs.

Runtime Secrets Scanning

Cluster Lifecycle Security (1)

Operating System Paradigm

Cluster Misconfigurations

Common Mistakes

Defense in Depth

Cluster Hardening (1)

Identity and Access Management

SSO and OIDC Configuration

Industry Reports

  • (2021) redhat.com: The State of Kubernetes Security [N/A CONTENT] [COMMUNITY-TOOL] — Red Hat's analysis of container security threats, identifying key issues such as misconfigurations, unpatched vulnerabilities, and integration friction in cloud-native operational environments.

Kubernetes Platform Engine

Cluster Installation and Hardening

Infrastructure Provisioning

Container Runtimes

Runtime Isolation

Networking

CNI

Cilium

  • (2026) cilium.io 🌟 [ADVANCED LEVEL] [DOCUMENTATION] [COMMUNITY-TOOL] — The main website for Cilium, the industry-standard networking, security, and observability engine powered by eBPF. Eliminates routing performance penalties and delivers deep API metrics.

Observability and Monitoring

Runtime Security

Falco and K3s Audit Logging

  • (2021) Analyze Kubernetes Audit logs using Falco 🌟 [GO CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] [GUIDE] — Demonstrates how to pipe Lightweight Kubernetes (K3s) API server audit logs directly into CNCF Falco. Perfect for resource-constrained edges and automated home lab deployments.

Security Industry Analysis

Sysdig and Falco Audit Integration

eBPF Runtime Enforcement

Tetragon Platform

  • (2022) ==Tetragon (Cilium)== 4749 [GO CONTENT] [ADVANCED LEVEL] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] — An eBPF-powered security observability and runtime enforcement platform. It monitors and blocks system events at the kernel level, providing granular process execution, network activity, and file system audit streams with zero container overhead.

Penetration Testing

Security Operations

Pod Privilege Escalation

Vulnerability Exploitation

Policy-as-Code

Kyverno Administration

  • (2020) kyverno.io 🌟 [GO CONTENT] [COMMUNITY-TOOL] — Kyverno is a declarative Kubernetes-native policy engine. Designed specifically for Kubernetes, it simplifies policy management by allowing administrators to validate, mutate, and generate resources without writing complex Rego code.

Kyverno Rules and Policies

  • (2020) kyverno.io/policies 🌟 [YAML CONTENT] [COMMUNITY-TOOL] — The official catalog of Kyverno policies, providing ready-to-deploy manifests for Pod Security standards, multi-tenant workspace isolation, label validation, and compliance auto-generation.

RBAC and Authorization

Privilege Escalation

Risk Analysis and Auditing

Threat Vector Modeling

Secrets Management

HashiCorp Vault Integration

Security

Application Security

Client Security

  • (2022) curity.io: Client Security [COMMUNITY-TOOL] — Focuses on security patterns when structuring application clients that interface with identity ecosystems. Covers patterns like Token Handlers and Backend-for-Frontend (BFF) to safely abstract tokens away from client browsers or apps. Reduces target exposures to common cross-site scripting risks.

IAM

SSO

  • (2022) dev.to/gabrielbiasi: Automatic SSO in Kubernetes workloads using a sidecar container [COMMUNITY-TOOL] — Outlines an automated SSO sidecar integration pattern inside Kubernetes pods, abstracting authentication logic away from application-level containers. Details OAuth token management and redirect intercept strategies executed transparently at the pod level. Simplifies identity integration across multiple microservices.

Identity and Access

Authentication

Legacy Tools
  • (2020) github.com/dvob/k8s-s2s-auth: Kubernetes Service Accounts 🌟 [GO CONTENT] [LEGACY] — Curator Insight: Demonstrates internal service-to-service auth patterns utilizing raw Service Account tokens. Live Grounding: The repository has seen no recent development and is considered legacy. It is superseded by modern ephemeral TokenRequest APIs and service mesh mTLS integrations.

Microservice Identities

  • (2023) learnk8s.io: Authentication between microservices using Kubernetes identities 🌟 [ADVANCED LEVEL] [COMMUNITY-TOOL] — A specialized guide analyzing how service-to-service communication can be secured natively. It demonstrates using Kubernetes ServiceAccount tokens as cryptographic identities to authenticate microservices without external overhead. This pattern reduces dependencies on heavy service meshes for simpler deployments.

OIDC

OAuth2 Proxy

Workload Identity

Identity and Access Management (1)

Access Control

  • thenewstack.io: Cloud Native Identity and Access Management in Kubernetes [EN CONTENT] [ADVANCED LEVEL] [ENTERPRISE-STABLE] — Examines identity federation, user access management, and internal service-to-service authentication models. Curator insight details mapping cluster roles directly to organizational single sign-on identities. Live grounding indicates that decentralized identity and modern authentication are critical to maintaining least privilege in high-scale infrastructure.

Kubernetes Security (1)

Secrets Management (1)

  • (2021) Hands on your first Kubernetes secrets 🌟 [COMMUNITY-TOOL] [GUIDE] — This hands-on tutorial guides developers through creating, decoding, and mounting native Kubernetes Secret resources within applications. It highlights base64 encoding limitations and advises on key architectural alternatives, such as HashiCorp Vault integration, Sealed Secrets, or CSI secret store drivers for production environments.

Policy and Admission Control

Validating Webhooks

  • (2022) trstringer.com: Create a Basic Kubernetes Validating Webhook [ADVANCED LEVEL] [COMMUNITY-TOOL] [GUIDE] — Step-by-step technical guide for writing a custom validating admission controller webhook. Focuses on processing API requests, writing validation criteria in Go, and configuring TLS certificate pathways between the API server and the webhook pod.

Secrets Management (2)

HashiCorp Vault

  • (2021) itnext.io: Vault cluster with auto unseal on Kubernetes [ADVANCED LEVEL] [COMMUNITY-TOOL] — Detailed structural guide for configuring an enterprise-grade, highly available HashiCorp Vault cluster in Kubernetes. Features automated unsealing integrations using cloud KMS systems (AWS KMS/GCP KMS) to remove manual keys dependencies.

OWASP

  • (2022) itnext.io: Kubernetes OWASP Top 10: Secrets Management [COMMUNITY-TOOL] — Addresses Secrets Management under the OWASP Kubernetes threat framework. Details vulnerabilities of default etcd storage parameters and details using External Secrets Operator or HashiCorp Vault. Prevents secrets exposure via repository check-ins or pod environment parameters.

Security Training and Playgrounds

Kubernetes Goat Lab

  • (2020) Kubernetes Goat 🌟 [GO CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — An intentionally vulnerable cluster environment designed for hands-on cybersecurity training. Includes self-contained scenarios exploring SSRF, container escape, secrets leakage, and misconfigured RBAC roles.

Supply Chain Security

Signature Verification and Ratify

Threat Modeling

MITRE ATTandCK Adaptation

MITRE ATTandCK Framework

  • (2020) Microsoft.com: Attack matrix for Kubernetes 🌟 [N/A CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — Microsoft's systematic adaptation of the MITRE ATT&CK framework mapping out K8s attack vectors from initial access to execution, persistence, privilege escalation, and impact. Helps security operators assess risks in orchestration configurations.

Vulnerability Assessment Tools

Kubestriker Scanner

Workload Hardening

Identity and Access Management (2)

Pod Security Context

Pod Specifications


💡 Explore Related: Securityascode | Ansible | Devsecops

🔗 See Also: About | Postman