
Kubernetes Security Best Practices 🔐

The Castle Guard Story

Imagine your Kubernetes cluster is a magical castle with treasures inside. You’re the chief guard. Your job? Keep the bad guys OUT while letting the good people do their work safely.

Today we learn three super-important guard rules:

  1. Security Best Practices - The master rulebook
  2. Least Privilege Principle - Give only what’s needed
  3. Image Security Scanning - Check before you let them in

1. Security Best Practices 🏰

What Are They?

Security best practices are like the rulebook for guards. They tell you:

  • What to check
  • What to lock
  • What to watch

The 5 Golden Rules

Think of these as the five guard duties:

Rule             | What It Means          | Castle Example
Lock the gates   | Secure network access  | Only open needed doors
Check ID cards   | Authentication         | Know who enters
Set permissions  | Authorization          | Who can go where
Watch everything | Monitoring             | Eyes on all rooms
Update locks     | Keep things patched    | Fix broken locks fast

Real Kubernetes Example

# Good: Secure Pod Configuration
apiVersion: v1
kind: Pod
metadata:
  name: secure-app
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
  containers:
  - name: app
    image: myapp:v1.2.3
    securityContext:
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false

What this does:

  • runAsNonRoot: true → Don’t run as king (root)
  • readOnlyRootFilesystem: true → Can’t write on castle walls
  • allowPrivilegeEscalation: false → Can’t promote yourself to king
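
A checker for those three settings, added here as an example (not code from the original page). It shows a detail the list above hides: a container-level securityContext overrides the pod-level one, so one extra container can undo the pod's hardening. Both manifests are embedded as already-parsed dicts; the sidecar pod is constructed.

```python
"""Check a Pod manifest for the three hardening settings shown above.
Added example, not from the original page. A container-level field
overrides the pod-level one; a field left unset keeps the insecure default.
Manifests are embedded as dicts, i.e. already-parsed YAML."""

# The page's secure-app Pod, as parsing its YAML would produce it.
SECURE_POD = {"kind": "Pod", "metadata": {"name": "secure-app"}, "spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
    "containers": [{"name": "app", "image": "myapp:v1.2.3", "securityContext": {
        "readOnlyRootFilesystem": True, "allowPrivilegeEscalation": False}}]}}

# Constructed: same pod plus a sidecar that quietly opts back out of the rules.
SIDECAR_POD = {"kind": "Pod", "metadata": {"name": "sidecar-app"}, "spec": {
    "securityContext": {"runAsNonRoot": True},
    "containers": [
        {"name": "app", "image": "myapp:v1.2.3", "securityContext": {
            "readOnlyRootFilesystem": True, "allowPrivilegeEscalation": False}},
        {"name": "debug", "image": "busybox", "securityContext": {
            "runAsNonRoot": False, "privileged": True}}]}}

# field -> (required value, may it also be set at pod level?)
REQUIRED = {
    "runAsNonRoot": (True, True),              # pod- or container-level
    "readOnlyRootFilesystem": (True, False),   # container-level only
    "allowPrivilegeEscalation": (False, False),
}


def effective(pod_sc, ctr_sc, field, pod_level_ok):
    """Container value wins; fall back to the pod value only for pod-level fields."""
    if field in ctr_sc:
        return ctr_sc[field]
    return pod_sc.get(field) if pod_level_ok else None


def check_pod(pod):
    """Return 'container: problem' strings; an empty list means every setting holds."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext", {})
    findings = []
    # initContainers run before the app and are often forgotten in reviews
    for ctr in spec.get("containers", []) + spec.get("initContainers", []):
        ctr_sc = ctr.get("securityContext", {})
        if ctr_sc.get("privileged"):
            findings.append(f"{ctr['name']}: privileged=True (full host access)")
        for field, (want, pod_ok) in REQUIRED.items():
            got = effective(pod_sc, ctr_sc, field, pod_ok)
            if got != want:
                findings.append(f"{ctr['name']}: {field}={got!r}, want {want!r}")
    return findings
```

Running check_pod on the page's pod returns nothing; on the constructed sidecar pod it reports the debug container four times, while the app container still passes.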

Quick Security Checklist

✅ Enable RBAC (Role-Based Access Control)
✅ Use Network Policies
✅ Enable Audit Logging
✅ Encrypt Secrets
✅ Keep Kubernetes Updated


2. Least Privilege Principle 🔑

The Story

Imagine you hire a gardener for your castle.

Bad approach: Give them keys to EVERY room

  • Kitchen? ✅
  • Treasury? ✅
  • Bedrooms? ✅
  • Dungeon? ✅

Good approach: Give them keys to ONLY what they need

  • Garden shed? ✅
  • Garden gate? ✅
  • Everything else? ❌

This is Least Privilege. Give the minimum access needed to do the job.

Why It Matters

graph TD
    A["Gardener gets ALL keys"] --> B["Gardener account hacked"]
    B --> C["Hacker accesses EVERYTHING"]
    C --> D["💀 Castle destroyed"]
    E["Gardener gets ONLY garden keys"] --> F["Gardener account hacked"]
    F --> G["Hacker accesses garden only"]
    G --> H["✅ Castle safe!"]

Kubernetes Example: RBAC

Bad - Too Much Power:

# DON'T DO THIS
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: bad-binding
subjects:
- kind: ServiceAccount
  name: my-app
  namespace: default
roleRef:
  kind: ClusterRole
  name: cluster-admin  # ALL THE KEYS!
  apiGroup: rbac.authorization.k8s.io

Good - Just Enough:

# DO THIS INSTEAD
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: my-namespace
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list"]  # Only read pods
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: my-namespace
subjects:
- kind: ServiceAccount
  name: my-app
  namespace: my-namespace
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
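
An offline way to check what a Role really grants before you bind it, added here as an example (not code from the original page or from Kubernetes itself). It re-implements the core of RBAC rule matching, including wildcards and subresources such as pods/log, and flags rules that hand out every key. The cluster-admin rule set below is constructed to mirror what that ClusterRole amounts to.

```python
"""Answer "does this role allow verb V on resource R?" and flag broad rules.
Added example, not from the original page: re-implements the core of
Kubernetes' RBAC rule matching (wildcards, subresources) so a Role can be
audited offline before it is bound to anyone."""

# The page's "Good - Just Enough" Role, as parsed YAML.
POD_READER_RULES = [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]

# Constructed: what cluster-admin's rule boils down to.
CLUSTER_ADMIN_RULES = [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]

# Verbs on RBAC objects that let a subject hand itself more permissions.
RBAC_WRITE_VERBS = ("create", "update", "patch", "bind", "escalate")


def _matches(allowed, wanted):
    """Plain RBAC list matching: '*' matches anything, else exact match."""
    return "*" in allowed or wanted in allowed


def _resource_matches(allowed, wanted):
    """Resource matching, including subresources such as 'pods/log'."""
    if "*" in allowed or wanted in allowed:
        return True
    if "/" not in wanted:
        return False              # a plain resource needs an exact or '*' grant
    parent, sub = wanted.split("/", 1)
    return f"{parent}/*" in allowed or f"*/{sub}" in allowed


def role_allows(rules, api_group, resource, verb):
    """True if any rule grants `verb` on `resource` in `api_group`."""
    return any(
        _matches(r.get("apiGroups", []), api_group)
        and _resource_matches(r.get("resources", []), resource)
        and _matches(r.get("verbs", []), verb)
        for r in rules
    )


def overly_broad(rules):
    """Findings for wildcard grants and for rules that can rewrite RBAC itself."""
    findings = []
    for i, r in enumerate(rules):
        for field in ("apiGroups", "resources", "verbs"):
            if "*" in r.get(field, []):
                findings.append(f"rule {i}: wildcard in {field}")
        if _matches(r.get("apiGroups", []), "rbac.authorization.k8s.io") and any(
                _matches(r.get("verbs", []), v) for v in RBAC_WRITE_VERBS):
            findings.append(f"rule {i}: can modify RBAC objects")
    return findings
```

Note that pod-reader does not cover pods/log: a subresource needs its own grant, which is exactly why the "Log viewer" row in the table below lists get on pods/log separately.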

The Three Questions

Before giving access, always ask:

  1. What do they need to access? → Only those resources
  2. Where do they need it? → Only those namespaces
  3. How do they need to use it? → Only those actions (get, list, create, etc.)

Real Life Examples

Who             | What They Need | What They Get
Monitoring tool | Read metrics   | get, list on pods
Deployment tool | Deploy apps    | create, update on deployments
Log viewer      | See logs       | get on pods/log
Admin           | Everything     | Full access (rare!)

3. Image Security Scanning 🔍

The Story

Before letting someone into your castle, you check their bags.

Why? They might carry:

  • 🗡️ Hidden weapons (malware)
  • 🐛 Bugs (vulnerabilities)
  • 📜 Fake documents (outdated packages)

Image scanning = Checking bags before entry!

What Gets Scanned?

graph TD
    A["Container Image"] --> B["Scanner"]
    B --> C{Check for}
    C --> D["Known Vulnerabilities"]
    C --> E["Malware"]
    C --> F["Misconfigurations"]
    C --> G["Secrets/Passwords"]
    D --> H["Safe to deploy?"]
    E --> H
    F --> H
    G --> H

How It Works

Step 1: You build an image

FROM node:18
COPY . /app
RUN npm install
CMD ["node", "app.js"]

Step 2: Scanner checks it

# Using Trivy (popular scanner)
trivy image myapp:latest

Step 3: See the report

myapp:latest (debian 11.6)
==========================
Total: 42 (CRITICAL: 2, HIGH: 8, MEDIUM: 20, LOW: 12)

┌──────────────┬───────────┬──────────┐
│ Library      │ Severity  │ Status   │
├──────────────┼───────────┼──────────┤
│ openssl      │ CRITICAL  │ Fix: 3.0 │
│ curl         │ HIGH      │ Fix: 8.1 │
└──────────────┴───────────┴──────────┘

Popular Scanning Tools

Tool    | Type        | Best For
Trivy   | Open source | Quick local scans
Snyk    | Commercial  | Developer-friendly
Anchore | Enterprise  | Policy enforcement
Clair   | Open source | Registry integration

Kubernetes Integration

Block bad images automatically:

# Admission Controller Policy
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: image-scanner
webhooks:
- name: scan.images.k8s.io
  rules:
  - apiGroups: [""]
    apiVersions: ["v1"]
    resources: ["pods"]
    operations: ["CREATE"]
  clientConfig:                    # where the API server sends each AdmissionReview
    service:
      namespace: image-scanner     # placeholder: namespace of your scanner service
      name: image-scanner-webhook  # placeholder: Service that fronts the scanner
      path: /validate
    caBundle: <base64 CA cert>     # placeholder: CA that signed the webhook's TLS cert
  admissionReviewVersions: ["v1"]
  sideEffects: None
  failurePolicy: Fail              # scanner down? deny, don't wave pods through unchecked
  # Blocks pods with vulnerable images

Best Practices for Image Scanning

✅ Scan in CI/CD - Check before images reach production
✅ Use trusted base images - Start with official images
✅ Scan regularly - New vulnerabilities appear daily
✅ Set severity thresholds - Block CRITICAL, warn on HIGH
✅ Keep images updated - Old images = more vulnerabilities
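
The "block CRITICAL, warn on HIGH" threshold as a CI step, added here as an example (not code from the original page or the Trivy project). It reads the JSON that `trivy image --format json` writes (Results[].Vulnerabilities[]) and turns it into a pass/fail exit code; the report below is constructed and its CVE ids are placeholders.

```python
"""CI gate over a Trivy JSON report: block on CRITICAL, warn on HIGH.
Added example, not from the original page or the Trivy project. It reads
the shape `trivy image --format json` produces (Results[].Vulnerabilities[]).
The report below is constructed and its CVE ids are placeholders."""
import json
from collections import Counter

SAMPLE_REPORT = json.dumps({  # constructed sample, Trivy-shaped
    "ArtifactName": "myapp:latest",
    "Results": [
        {"Target": "myapp:latest (debian 11.6)", "Class": "os-pkgs", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl",
             "InstalledVersion": "1.1.1", "FixedVersion": "3.0", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "curl",
             "InstalledVersion": "7.8", "FixedVersion": "8.1", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib",
             "InstalledVersion": "1.2", "FixedVersion": "", "Severity": "MEDIUM"}]},
        {"Target": "app/package-lock.json", "Class": "lang-pkgs"},  # clean: no key at all
    ],
})


def gate(report_json, block_on=("CRITICAL",), warn_on=("HIGH",), ignore_unfixed=False):
    """Apply the threshold policy; returns counts plus the findings behind the verdict."""
    counts, blocking, warnings = Counter(), [], []
    for result in json.loads(report_json).get("Results", []):
        # Trivy omits the key (or sets null) for targets with nothing to report
        for v in result.get("Vulnerabilities") or []:
            if ignore_unfixed and not v.get("FixedVersion"):
                continue  # no upgrade available yet; track it, but don't fail the build on it
            sev = v.get("Severity", "UNKNOWN")
            counts[sev] += 1
            line = (f"{v['PkgName']} {v['InstalledVersion']} -> fix "
                    f"{v.get('FixedVersion') or 'none'} ({v['VulnerabilityID']})")
            if sev in block_on:
                blocking.append(line)
            elif sev in warn_on:
                warnings.append(line)
    return {"allowed": not blocking, "counts": dict(counts),
            "blocking": blocking, "warnings": warnings}


if __name__ == "__main__":
    decision = gate(SAMPLE_REPORT)
    for w in decision["warnings"]:
        print("WARN ", w)
    for b in decision["blocking"]:
        print("BLOCK", b)
    raise SystemExit(0 if decision["allowed"] else 1)  # non-zero exit fails the CI step
```

Feeding it a real report is `trivy image --format json myapp:latest > report.json` and then calling gate on the file contents; the exit code is what the CI system acts on.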

Simple Workflow

graph LR
    A["Developer pushes code"] --> B["CI builds image"]
    B --> C["Scanner checks image"]
    C --> D{Vulnerabilities?}
    D -->|CRITICAL found| E["❌ Block deploy"]
    D -->|Clean or LOW| F["✅ Deploy to K8s"]

Bringing It All Together 🎯

These three practices work together like a security team:

Practice        | Guard Role  | What It Stops
Best Practices  | Chief Guard | Overall bad behavior
Least Privilege | Key Master  | Unauthorized access
Image Scanning  | Bag Checker | Hidden threats

Your Security Checklist

Daily Habits:

  • [ ] Run image scans on new deployments
  • [ ] Review access permissions monthly
  • [ ] Check for Kubernetes security updates

One-Time Setup:

  • [ ] Enable RBAC
  • [ ] Configure Network Policies
  • [ ] Set up admission controllers
  • [ ] Integrate scanner in CI/CD

Remember! 🧠

Security is not a feature. It’s a habit.

Start with these three practices:

  1. Follow the rulebook (Security Best Practices)
  2. Give only what’s needed (Least Privilege)
  3. Check before trusting (Image Scanning)

Your Kubernetes castle will be safe! 🏰✨
