1---
2name: k8s-security-policies
3description: Implement Kubernetes security policies including NetworkPolicy, PodSecurityPolicy, and RBAC for production-grade security. Use when securing Kubernetes clusters, implementing network isolation, or enforcing pod security standards.
4---
5 
6# Kubernetes Security Policies
7 
8Comprehensive guide for implementing NetworkPolicy, PodSecurityPolicy, RBAC, and Pod Security Standards in Kubernetes.
9 
10## Purpose
11 
12Implement defense-in-depth security for Kubernetes clusters using network policies, pod security standards, and RBAC.
13 
14## When to Use This Skill
15 
16- Implement network segmentation
17- Configure pod security standards
18- Set up RBAC for least-privilege access
19- Create security policies for compliance
20- Implement admission control
21- Secure multi-tenant clusters
22 
23## Pod Security Standards
24 
25### 1. Privileged (Unrestricted)
26 
27```yaml
28apiVersion: v1
29kind: Namespace
30metadata:
31  name: privileged-ns
32  labels:
33    pod-security.kubernetes.io/enforce: privileged
34    pod-security.kubernetes.io/audit: privileged
35    pod-security.kubernetes.io/warn: privileged
36```
37 
38### 2. Baseline (Minimally restrictive)
39 
40```yaml
41apiVersion: v1
42kind: Namespace
43metadata:
44  name: baseline-ns
45  labels:
46    pod-security.kubernetes.io/enforce: baseline
47    pod-security.kubernetes.io/audit: baseline
48    pod-security.kubernetes.io/warn: baseline
49```
50 
51### 3. Restricted (Most restrictive)
52 
53```yaml
54apiVersion: v1
55kind: Namespace
56metadata:
57  name: restricted-ns
58  labels:
59    pod-security.kubernetes.io/enforce: restricted
60    pod-security.kubernetes.io/audit: restricted
61    pod-security.kubernetes.io/warn: restricted
62```
63 
64## Network Policies
65 
66### Default Deny All
67 
68```yaml
69apiVersion: networking.k8s.io/v1
70kind: NetworkPolicy
71metadata:
72  name: default-deny-all
73  namespace: production
74spec:
75  podSelector: {}
76  policyTypes:
77    - Ingress
78    - Egress
79```
80 
81### Allow Frontend to Backend
82 
83```yaml
84apiVersion: networking.k8s.io/v1
85kind: NetworkPolicy
86metadata:
87  name: allow-frontend-to-backend
88  namespace: production
89spec:
90  podSelector:
91    matchLabels:
92      app: backend
93  policyTypes:
94    - Ingress
95  ingress:
96    - from:
97        - podSelector:
98            matchLabels:
99              app: frontend
100      ports:
101        - protocol: TCP
102          port: 8080
103```
104 
105### Allow DNS
106 
107```yaml
108apiVersion: networking.k8s.io/v1
109kind: NetworkPolicy
110metadata:
111  name: allow-dns
112  namespace: production
113spec:
114  podSelector: {}
115  policyTypes:
116    - Egress
117  egress:
118    - to:
119        - namespaceSelector:
120            matchLabels:
121              name: kube-system
122      ports:
123        - protocol: UDP
124          port: 53
125```
126 
127**Reference:** See `assets/network-policy-template.yaml`
128 
129## RBAC Configuration
130 
131### Role (Namespace-scoped)
132 
133```yaml
134apiVersion: rbac.authorization.k8s.io/v1
135kind: Role
136metadata:
137  name: pod-reader
138  namespace: production
139rules:
140  - apiGroups: [""]
141    resources: ["pods"]
142    verbs: ["get", "watch", "list"]
143```
144 
145### ClusterRole (Cluster-wide)
146 
147```yaml
148apiVersion: rbac.authorization.k8s.io/v1
149kind: ClusterRole
150metadata:
151  name: secret-reader
152rules:
153  - apiGroups: [""]
154    resources: ["secrets"]
155    verbs: ["get", "watch", "list"]
156```
157 
158### RoleBinding
159 
160```yaml
161apiVersion: rbac.authorization.k8s.io/v1
162kind: RoleBinding
163metadata:
164  name: read-pods
165  namespace: production
166subjects:
167  - kind: User
168    name: jane
169    apiGroup: rbac.authorization.k8s.io
170  - kind: ServiceAccount
171    name: default
172    namespace: production
173roleRef:
174  kind: Role
175  name: pod-reader
176  apiGroup: rbac.authorization.k8s.io
177```
178 
179**Reference:** See `references/rbac-patterns.md`
180 
181## Pod Security Context
182 
183### Restricted Pod
184 
185```yaml
186apiVersion: v1
187kind: Pod
188metadata:
189  name: secure-pod
190spec:
191  securityContext:
192    runAsNonRoot: true
193    runAsUser: 1000
194    fsGroup: 1000
195    seccompProfile:
196      type: RuntimeDefault
197  containers:
198    - name: app
199      image: myapp:1.0
200      securityContext:
201        allowPrivilegeEscalation: false
202        readOnlyRootFilesystem: true
203        capabilities:
204          drop:
205            - ALL
206```
207 
208## Policy Enforcement with OPA Gatekeeper
209 
210### ConstraintTemplate
211 
212```yaml
213apiVersion: templates.gatekeeper.sh/v1
214kind: ConstraintTemplate
215metadata:
216  name: k8srequiredlabels
217spec:
218  crd:
219    spec:
220      names:
221        kind: K8sRequiredLabels
222      validation:
223        openAPIV3Schema:
224          type: object
225          properties:
226            labels:
227              type: array
228              items:
229                type: string
230  targets:
231    - target: admission.k8s.gatekeeper.sh
232      rego: |
233        package k8srequiredlabels
234        violation[{"msg": msg, "details": {"missing_labels": missing}}] {
235          provided := {label | input.review.object.metadata.labels[label]}
236          required := {label | label := input.parameters.labels[_]}
237          missing := required - provided
238          count(missing) > 0
239          msg := sprintf("missing required labels: %v", [missing])
240        }
241```
242 
243### Constraint
244 
245```yaml
246apiVersion: constraints.gatekeeper.sh/v1beta1
247kind: K8sRequiredLabels
248metadata:
249  name: require-app-label
250spec:
251  match:
252    kinds:
253      - apiGroups: ["apps"]
254        kinds: ["Deployment"]
255  parameters:
256    labels: ["app", "environment"]
257```
258 
259## Service Mesh Security (Istio)
260 
261### PeerAuthentication (mTLS)
262 
263```yaml
264apiVersion: security.istio.io/v1beta1
265kind: PeerAuthentication
266metadata:
267  name: default
268  namespace: production
269spec:
270  mtls:
271    mode: STRICT
272```
273 
274### AuthorizationPolicy
275 
276```yaml
277apiVersion: security.istio.io/v1beta1
278kind: AuthorizationPolicy
279metadata:
280  name: allow-frontend
281  namespace: production
282spec:
283  selector:
284    matchLabels:
285      app: backend
286  action: ALLOW
287  rules:
288    - from:
289        - source:
290            principals: ["cluster.local/ns/production/sa/frontend"]
291```
292 
293## Best Practices
294 
2951. **Implement Pod Security Standards** at namespace level
2962. **Use Network Policies** for network segmentation
2973. **Apply least-privilege RBAC** for all service accounts
2984. **Enable admission control** (OPA Gatekeeper/Kyverno)
2995. **Run containers as non-root**
3006. **Use read-only root filesystem**
3017. **Drop all capabilities** unless needed
3028. **Implement resource quotas** and limit ranges
3039. **Enable audit logging** for security events
30410. **Regular security scanning** of images
305 
306## Compliance Frameworks
307 
308### CIS Kubernetes Benchmark
309 
310- Use RBAC authorization
311- Enable audit logging
312- Use Pod Security Standards
313- Configure network policies
314- Implement secrets encryption at rest
315- Enable node authentication
316 
317### NIST Cybersecurity Framework
318 
319- Implement defense in depth
320- Use network segmentation
321- Configure security monitoring
322- Implement access controls
323- Enable logging and monitoring
324 
325## Troubleshooting
326 
327**NetworkPolicy not working:**
328 
329```bash
330# Check if CNI supports NetworkPolicy
331kubectl get nodes -o wide
332kubectl describe networkpolicy <name>
333```
334 
335**RBAC permission denied:**
336 
337```bash
338# Check effective permissions
339kubectl auth can-i list pods --as system:serviceaccount:default:my-sa
340kubectl auth can-i '*' '*' --as system:serviceaccount:default:my-sa
341```
342 
343 
344## Related Skills
345 
346- `k8s-manifest-generator` - For creating secure manifests
347- `gitops-workflow` - For automated policy deployment
348