Back to Blog
devops

Kubernetes Pod Security: Best Practices for Production Deployments

Harden your Kubernetes deployments with comprehensive pod security policies, security contexts, and runtime protection strategies.

NyxaLabs Team
Kubernetes Pod Security: Best Practices for Production Deployments

Kubernetes security is a shared responsibility. While cloud providers secure the control plane, you're responsible for securing your workloads. Here's how to implement defense-in-depth for your pods.

Pod Security Standards (PSS)

Kubernetes 1.25+ uses Pod Security Standards (replacing PodSecurityPolicies). Three levels: Privileged (unrestricted), Baseline (minimal restrictions), and Restricted (hardened).

Applying Pod Security Standards

apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted

Security Context Configuration

apiVersion: v1
kind: Pod
metadata:
  name: secure-app
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: app
    image: myapp:latest
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
          - ALL

Network Policies for Zero-Trust

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
spec:
  podSelector: {}
  policyTypes:
  - Ingress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-specific
spec:
  podSelector:
    matchLabels:
      app: frontend
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: backend
    ports:
    - protocol: TCP
      port: 8080

Resource Limits and Quotas

resources:
  requests:
    memory: "128Mi"
    cpu: "100m"
  limits:
    memory: "256Mi"
    cpu: "200m"

Always set resource limits to prevent DoS attacks and noisy neighbor issues.

Image Security

Use distroless or minimal base images, scan images for vulnerabilities with Trivy or Snyk, implement image signing with Cosign, and enforce image policies with admission controllers.

Secrets Management

Never store secrets in ConfigMaps or environment variables in plain text. Use external secrets operators (AWS Secrets Manager, HashiCorp Vault) or sealed-secrets for GitOps workflows.

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: app-secrets
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: aws-secrets-manager
    kind: SecretStore
  target:
    name: app-secrets
  data:
  - secretKey: database-password
    remoteRef:
      key: prod/db-credentials
      property: password

Runtime Security

Implement runtime protection with Falco for anomaly detection, use OPA Gatekeeper for policy enforcement, and enable audit logging for compliance.

NyxaLabs Kubernetes Security Services

We help organizations secure their Kubernetes infrastructure from cluster hardening to runtime protection. Our DevSecOps team implements security best practices without slowing down development. Contact us for a security assessment.

Tags

#Kubernetes #Security #DevSecOps #Pod Security #Container Security

Want to Work With Us?

We're ready to help bring your ideas to life with cutting-edge technology.

Get In Touch