Kubernetes security is a deep topic. The fundamentals that every production cluster must get right include RBAC, admission control, and network policies; the sections below cover RBAC, admission control, secrets management, and runtime security.
RBAC as the access model
Kubernetes RBAC (Role-Based Access Control) controls who can do what in the cluster. Roles and ClusterRoles define permissions (verbs such as get, list, watch, create, update, patch, delete on resource types, optionally narrowed to named resources). RoleBindings and ClusterRoleBindings assign roles to subjects (users, groups, service accounts); a RoleBinding scopes even a ClusterRole to one namespace. The least-privilege principle: each application workload gets its own service account with only the verbs and resources its pods actually need. Not cluster-admin, not wildcard verbs or resources, and not the namespace's default service account: that account has no permissions of its own, but its token is mounted into every pod that does not name a service account, so any role bound to it reaches every such pod. Pods that never call the API should not receive a token at all (automountServiceAccountToken: false). Verify the resulting permissions from the API server's point of view with kubectl auth can-i, impersonating the service account, rather than by reading the YAML.
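The pattern above as a complete manifest, added here as an illustration (not taken from the original page or any project). The namespace shop, the service account orders-api and the ConfigMap name are assumptions; the workload is granted read access to one named ConfigMap and nothing else, token mounting is off at the service-account level, and the single pod that needs the token opts back in:

```yaml
# Added example: least-privilege service account, Role and RoleBinding.
# Names (shop, orders-api, orders-api-config) are placeholders.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: orders-api
  namespace: shop
# Pods using this account get no token unless the pod spec opts in.
automountServiceAccountToken: false
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: orders-api-config-reader
  namespace: shop
rules:
- apiGroups: [""]            # "" is the core API group (configmaps, secrets, pods, ...)
  resources: ["configmaps"]
  resourceNames: ["orders-api-config"]   # one named object, not every ConfigMap in shop
  verbs: ["get", "watch"]    # no list/create/update/delete; list cannot be narrowed by name
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: orders-api-config-reader
  namespace: shop
subjects:
- kind: ServiceAccount
  name: orders-api
  namespace: shop
roleRef:
  kind: Role
  name: orders-api-config-reader
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: Pod
metadata:
  name: orders-api
  namespace: shop
spec:
  serviceAccountName: orders-api
  # This pod reads its ConfigMap through the API, so it opts back in to the token.
  # A pod that only consumes the ConfigMap as a volume would leave this off.
  automountServiceAccountToken: true
  containers:
  - name: orders-api
    image: registry.example.internal/orders-api:1.4.2   # placeholder image
```

Check the binding from the API server's perspective rather than by reading the YAML: kubectl auth can-i get configmaps/orders-api-config -n shop --as system:serviceaccount:shop:orders-api should answer yes, kubectl auth can-i get secrets -n shop --as system:serviceaccount:shop:orders-api should answer no, and kubectl auth can-i --list -n shop --as system:serviceaccount:shop:orders-api prints the full effective permission set, which is where an unexpected binding to the default account or to a broad group would show up.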
Admission controllers and policies
Admission controllers intercept requests to the Kubernetes API server after authentication and authorization and can validate or mutate them before they are persisted to etcd. The critical production admission controllers: Pod Security Admission (built in, GA since Kubernetes 1.25, replacing the removed PodSecurityPolicy; it enforces the Pod Security Standards, privileged, baseline or restricted, per namespace via labels, where restricted requires running as non-root, dropping all capabilities, a RuntimeDefault or Localhost seccomp profile and allowPrivilegeEscalation: false), OPA Gatekeeper or Kyverno for policies the standards cannot express (require resource limits, disallow privileged containers, enforce image registry allowlists, forbid the default service account), and image signature verification with Sigstore/Cosign (via Kyverno's verifyImages rules or the Sigstore policy-controller). Two caveats: Pod Security Admission enforces only on Pod objects and merely warns on Deployments and other workload templates, so roll it out in warn and audit mode first to find offending workloads; and admission only sees API requests, so it does not retroactively evaluate pods already running, which is why Kyverno and Gatekeeper also run background scans that produce policy reports.
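The three controls combined for one namespace, added here as an example and not taken from the original page or from the Kyverno project: a Namespace carrying Pod Security Admission labels, and a Kyverno ClusterPolicy with a registry allowlist and a Cosign signature check. The namespace name, the registry hostname, the pinned version label and the public key are assumptions; the PEM body is a placeholder for the signing key you actually use.

```yaml
# Added example: Pod Security Admission labels plus a Kyverno ClusterPolicy.
# shop, registry.example.internal and the key material are placeholders.
apiVersion: v1
kind: Namespace
metadata:
  name: shop
  labels:
    # enforce rejects non-compliant Pods; audit and warn give operators
    # visibility while still allowing the request.
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: v1.29   # assumed cluster version; pin so upgrades don't change policy
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: shop-image-controls
spec:
  validationFailureAction: Enforce   # Audit would only record violations in policy reports
  background: true                   # also scan existing resources and report on them
  rules:
  # 1. Every container image, including init and ephemeral containers,
  #    must come from the internal registry.
  - name: allowed-registries
    match:
      any:
      - resources:
          kinds: ["Pod"]
    validate:
      message: "Images must be pulled from registry.example.internal."
      pattern:
        spec:
          containers:
          - image: "registry.example.internal/*"
          # =() is Kyverno's equality anchor: validate the field only if it is present
          =(initContainers):
          - image: "registry.example.internal/*"
          =(ephemeralContainers):
          - image: "registry.example.internal/*"
  # 2. Images from that registry must carry a valid Cosign signature made
  #    with the release key. Kyverno also rewrites the tag to a digest
  #    (mutateDigest defaults to true) so what was verified is what runs.
  - name: verify-release-signature
    match:
      any:
      - resources:
          kinds: ["Pod"]
    verifyImages:
    - imageReferences:
      - "registry.example.internal/*"
      attestors:
      - entries:
        - keys:
            publicKeys: |-
              -----BEGIN PUBLIC KEY-----
              PLACEHOLDER: paste the Cosign public key of your release signing identity
              -----END PUBLIC KEY-----
```

Before switching validationFailureAction to Enforce, run the policy in Audit and read the resulting PolicyReport objects; the same applies to the namespace labels, where setting only audit and warn first shows which workloads would be rejected. Note that the namespace labels stop new Pods but do not evict pods that were admitted before the labels were applied.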
Secrets management beyond Kubernetes Secrets
Kubernetes Secrets are base64-encoded, not encrypted, in etcd by default, so anyone with read access to etcd or its backups has every secret in the cluster. The first improvement: enable encryption at rest for the secrets resource through the API server's EncryptionConfiguration. The aescbc, aesgcm and secretbox providers keep the data key in the config file on the control plane, which protects etcd backups but not a compromised control-plane host; the kms provider (v2) performs envelope encryption, wrapping per-object data keys with a key held in an external KMS such as a cloud key management service or Vault, reached through a plugin socket. Encryption at rest does not restrict API access: a principal with get on secrets still receives plaintext, so RBAC on secrets remains the primary control. Better: keep the secrets of record outside Kubernetes and use the Vault Agent Injector or the External Secrets Operator to deliver them to pods. The two differ in an important way: the injector sidecar writes secrets into a shared in-memory volume and never creates a Kubernetes Secret object, whereas the External Secrets Operator (external-secrets.io), now a widely used pattern for this integration, syncs from Vault or a cloud secrets manager into ordinary Kubernetes Secret objects, so etcd encryption and Secret RBAC still matter when it is used.
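Both steps as configuration, added here as an illustration and not taken from the original page or from the External Secrets project: an EncryptionConfiguration that wraps Secrets with a KMS v2 plugin while still reading legacy plaintext entries, and a SecretStore plus ExternalSecret that sync one Vault KV value into a namespace. The plugin socket path, the Vault address and path, the Vault role and all names are assumptions.

```yaml
# Added example. Part 1: API server encryption at rest, passed via
# --encryption-provider-config=/etc/kubernetes/encryption.yaml (path is an assumption).
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      # The first provider encrypts new writes; all listed providers are tried on read.
      - kms:
          apiVersion: v2
          name: cloud-kms                                   # placeholder plugin name
          endpoint: unix:///var/run/kmsplugin/socket.sock   # placeholder socket path
          timeout: 3s
      # identity (plaintext) stays last so secrets written before encryption was
      # enabled remain readable; remove it once every object has been rewritten.
      - identity: {}
---
# Part 2: External Secrets Operator syncing from Vault KV v2 into the shop namespace.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: vault
  namespace: shop
spec:
  provider:
    vault:
      server: "https://vault.example.internal:8200"   # placeholder
      path: "secret"                                  # KV mount
      version: "v2"
      auth:
        kubernetes:
          mountPath: "kubernetes"      # Vault auth method mount
          role: "orders-api"           # Vault role bound to the orders-api service account
          serviceAccountRef:
            name: orders-api           # the operator authenticates with this SA's token
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: orders-db
  namespace: shop
spec:
  refreshInterval: 1h                  # re-read Vault and update the Secret on this cadence
  secretStoreRef:
    name: vault
    kind: SecretStore
  target:
    name: orders-db                    # the Kubernetes Secret the operator creates
    creationPolicy: Owner              # deleted when the ExternalSecret is deleted
  data:
  - secretKey: password                # key inside the Kubernetes Secret
    remoteRef:
      key: shop/orders-db              # path under the KV mount
      property: password               # field within that KV entry
```

After enabling the encryption configuration and restarting the API server, existing Secrets are still stored in plaintext until they are rewritten; the documented way to force that is kubectl get secrets --all-namespaces -o json | kubectl replace -f -, after which the identity provider can be dropped from the list. The ExternalSecret still produces a regular Secret named orders-db in shop, which is exactly why the Role in the RBAC section grants no access to secrets.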
Runtime security
Runtime security monitors container behaviour for anomalous activity: unexpected system calls, unexpected network connections, unexpected file writes. Admission control decides what may start; runtime security watches what running workloads actually do, so it catches a compromised process inside a fully compliant pod. Falco (CNCF-graduated) collects system calls through a kernel driver (the modern eBPF probe is the default in current releases, with a kernel module still available), enriches them with container and Kubernetes metadata, and emits an alert whenever an event matches a rule condition. The Falco default ruleset covers the most common attack patterns: spawning a shell in a container, writing to sensitive filesystem paths, reading credential files, making unexpected network connections. Production Falco requires tuning the default rules to reduce noise from legitimate application behaviour; the maintained way to do that is to append conditions or exceptions to the stock rules in a separate rules file rather than editing the shipped rules, so ruleset upgrades do not discard the tuning. Alerts need somewhere to go: Falco writes to stdout, a file, syslog or gRPC, and Falcosidekick is commonly used to route them to a SIEM or chat channel.
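A tuning file in the style just described, added here as an example rather than a rule shipped with Falco or taken from the original page. It narrows the stock "Terminal shell in container" rule so an approved debug image stops alerting, and adds one new rule for writes under the application directory with an exception for a CI runner. The image names, the /app path and the allowed process names are assumptions; the override syntax requires Falco 0.36 or later.

```yaml
# Added example rules file, e.g. /etc/falco/rules.d/shop-tuning.yaml (path is an assumption).
# Loaded after the default ruleset so list and rule names below can refer to it.
- list: debug_images
  items: [registry.example.internal/debug-toolbox]   # placeholder image

# Tune the stock rule instead of editing falco_rules.yaml: append to its condition so
# shells inside the approved debug image are ignored everywhere else it still fires.
- rule: Terminal shell in container
  condition: and not container.image.repository in (debug_images)
  override:
    condition: append

- list: allowed_app_writers
  items: [orders-api]   # the only binary expected to write under /app (assumption)

- rule: Write Under Application Code Directory
  desc: >
    A process other than the application binary opened a file for writing under /app
    inside a container. Application images are expected to be immutable after build,
    so this catches dropped web shells and modified code. Added example rule.
  condition: >
    evt.type in (open, openat, openat2) and evt.is_open_write = true
    and fd.typechar = 'f' and fd.num >= 0
    and container
    and fd.directory startswith /app
    and not proc.name in (allowed_app_writers)
  # Exceptions are the maintained way to carve out legitimate behaviour:
  # each entry is an (image, process) pair that may write under /app.
  exceptions:
    - name: ci_runner_checkout
      fields: [container.image.repository, proc.name]
      comps: [=, =]
      values:
        - [registry.example.internal/ci-runner, git]
  output: >
    Write under /app in container (user=%user.name command=%proc.cmdline
    file=%fd.name container=%container.name image=%container.image.repository
    k8s_ns=%k8s.ns.name k8s_pod=%k8s.pod.name)
  priority: WARNING
  tags: [container, filesystem, mitre_persistence]
```

Validate the file before deploying it with falco -V followed by the rules file path, which parses the rules and resolves list and macro references without starting the engine. When the new rule fires during a rollout, add the offending (image, process) pair to the exceptions list rather than widening allowed_app_writers, since the exception stays scoped to one image while the list applies to every container on the node.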