Kubernetes Pod Security: Best Practices for Production Deployments
Harden your Kubernetes deployments with comprehensive pod security policies, security contexts, and runtime protection strategies.
Kubernetes security is a shared responsibility. While cloud providers secure the control plane, you're responsible for securing your workloads. Here's how to implement defense-in-depth for your pods.
Pod Security Standards (PSS)
Kubernetes 1.25+ uses Pod Security Standards (replacing PodSecurityPolicies). Three levels: Privileged (unrestricted), Baseline (minimal restrictions), and Restricted (hardened).
Applying Pod Security Standards
apiVersion: v1
kind: Namespace
metadata:
name: production
labels:
pod-security.kubernetes.io/enforce: restricted
pod-security.kubernetes.io/audit: restricted
pod-security.kubernetes.io/warn: restrictedSecurity Context Configuration
apiVersion: v1
kind: Pod
metadata:
name: secure-app
spec:
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
seccompProfile:
type: RuntimeDefault
containers:
- name: app
image: myapp:latest
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALLNetwork Policies for Zero-Trust
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-all-ingress
spec:
podSelector: {}
policyTypes:
- Ingress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-specific
spec:
podSelector:
matchLabels:
app: frontend
ingress:
- from:
- podSelector:
matchLabels:
app: backend
ports:
- protocol: TCP
port: 8080Resource Limits and Quotas
resources:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "256Mi"
cpu: "200m"Always set resource limits to prevent DoS attacks and noisy neighbor issues.
Image Security
Use distroless or minimal base images, scan images for vulnerabilities with Trivy or Snyk, implement image signing with Cosign, and enforce image policies with admission controllers.
Secrets Management
Never store secrets in ConfigMaps or environment variables in plain text. Use external secrets operators (AWS Secrets Manager, HashiCorp Vault) or sealed-secrets for GitOps workflows.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: app-secrets
spec:
refreshInterval: 1h
secretStoreRef:
name: aws-secrets-manager
kind: SecretStore
target:
name: app-secrets
data:
- secretKey: database-password
remoteRef:
key: prod/db-credentials
property: passwordRuntime Security
Implement runtime protection with Falco for anomaly detection, use OPA Gatekeeper for policy enforcement, and enable audit logging for compliance.
NyxaLabs Kubernetes Security Services
We help organizations secure their Kubernetes infrastructure from cluster hardening to runtime protection. Our DevSecOps team implements security best practices without slowing down development. Contact us for a security assessment.