Module Review: Security

[!TIP] Security is not an add-on. It must be built into every layer of your cluster, from the Node (PSA) to the Network (mTLS) to the API (RBAC).

1. Key Takeaways

  1. RBAC enforces Least Privilege. Always use RoleBinding for namespaced access. Only use ClusterRoleBinding when absolutely necessary.
  2. ServiceAccounts are identities for Pods. Use Workload Identity (OIDC) to access cloud resources securely without long-lived secrets.
  3. Pod Security Admission (PSA) replaces PSP. Enforce the restricted standard on all application namespaces.
  4. mTLS creates a Zero Trust network. Use a Service Mesh to encrypt traffic between microservices automatically.
  5. Hardening Containers is mandatory. Always set runAsNonRoot: true, readOnlyRootFilesystem: true, and drop ALL capabilities.

2. Interactive Flashcards


Role vs ClusterRole?

Role is namespaced (e.g., read pods in `dev`). ClusterRole is cluster-wide (e.g., read nodes) or used as a template for RoleBindings.

What is PSA?

Pod Security Admission. A built-in admission controller that enforces 3 standards: Privileged, Baseline, and Restricted via namespace labels.

Why use mTLS?

To ensure Zero Trust. It authenticates both client and server cryptographically and encrypts all traffic in transit, preventing sniffing.

runAsNonRoot vs runAsUser?

runAsUser: 1000 forces the container process to run as that specific UID. runAsNonRoot: true makes the kubelet verify that the container will not run as UID 0 (root) and refuse to start it if it would, so an image that defaults to root fails fast instead of running privileged.


3. Security Cheat Sheet

RBAC Troubleshooting

# Check if YOU can do something
kubectl auth can-i create deployments

# Check if a ServiceAccount can do something
kubectl auth can-i list secrets --as=system:serviceaccount:default:my-sa

# List all permissions for a user (via plugin 'access-matrix')
kubectl access-matrix --sa default:my-sa
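The scoping rules behind these can-i checks, as an added worked example (this is not kubectl's implementation and not part of the course material): a small Python model of RBAC evaluation over constructed Role, ClusterRole, RoleBinding and ClusterRoleBinding objects. It demonstrates the takeaway that a RoleBinding referencing a ClusterRole grants those rules only inside the binding's namespace, while a ClusterRoleBinding grants them everywhere. All subject and role names (app-sa, pod-reader, secret-reader, node-viewer, node-exporter) are invented sample data.

```python
"""Toy model of Kubernetes RBAC evaluation (added example, not kubectl code).

Scoping rules mirrored here:
  * a Role lives in one namespace and is referenced by a RoleBinding there;
  * a ClusterRole is cluster-wide; bound via ClusterRoleBinding it applies
    everywhere, bound via RoleBinding it applies only in that namespace.
All objects below are constructed sample data, not from a real cluster.
"""
from dataclasses import dataclass


@dataclass
class Rule:
    api_groups: list
    resources: list
    verbs: list

    def matches(self, api_group, resource, verb):
        # "*" is a wildcard in every position, as in a real PolicyRule
        return (
            any(g in ("*", api_group) for g in self.api_groups)
            and any(r in ("*", resource) for r in self.resources)
            and any(v in ("*", verb) for v in self.verbs)
        )


# (kind, namespace, name) -> rules; ClusterRoles have namespace None
ROLES = {
    ("Role", "dev", "pod-reader"): [Rule([""], ["pods"], ["get", "list", "watch"])],
    ("ClusterRole", None, "secret-reader"): [Rule([""], ["secrets"], ["get", "list"])],
    ("ClusterRole", None, "node-viewer"): [Rule([""], ["nodes"], ["get", "list"])],
}

# (binding kind, binding namespace, subject, roleRef kind, roleRef name)
BINDINGS = [
    ("RoleBinding", "dev", "system:serviceaccount:dev:app-sa", "Role", "pod-reader"),
    # ClusterRole used as a template: grants secrets access in 'dev' only
    ("RoleBinding", "dev", "system:serviceaccount:dev:app-sa", "ClusterRole", "secret-reader"),
    # Cluster-wide grant, needed because nodes are not namespaced
    ("ClusterRoleBinding", None, "system:serviceaccount:monitoring:node-exporter",
     "ClusterRole", "node-viewer"),
]


def can_i(subject, verb, resource, namespace, api_group=""):
    """Answer like `kubectl auth can-i`: True if any binding grants the request.

    namespace=None models a cluster-scoped resource such as nodes.
    """
    for kind, binding_ns, subj, ref_kind, ref_name in BINDINGS:
        if subj != subject:
            continue
        # A RoleBinding never reaches outside its own namespace
        if kind == "RoleBinding" and binding_ns != namespace:
            continue
        # A RoleBinding may only reference a Role in its own namespace
        ref_ns = binding_ns if ref_kind == "Role" else None
        rules = ROLES.get((ref_kind, ref_ns, ref_name), [])
        if any(r.matches(api_group, resource, verb) for r in rules):
            return True
    return False


if __name__ == "__main__":
    sa = "system:serviceaccount:dev:app-sa"
    for verb, res, ns in [("list", "pods", "dev"), ("list", "pods", "prod"),
                          ("get", "secrets", "dev"), ("get", "secrets", "prod")]:
        print(f"{sa} {verb} {res} in {ns}: {'yes' if can_i(sa, verb, res, ns) else 'no'}")
```

The fourth query is the instructive one: the same ClusterRole that allows reading secrets in dev grants nothing in prod, because the only binding that references it is a RoleBinding in dev. Replacing it with a ClusterRoleBinding would make the answer yes in every namespace, which is why the review says to reach for ClusterRoleBinding only when the resource really is cluster-scoped.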

Pod Security Admission (PSA)

# Enforce Restricted standard on 'prod' namespace
kubectl label namespace prod \
  pod-security.kubernetes.io/enforce=restricted \
  pod-security.kubernetes.io/warn=restricted

Security Context Best Practice

securityContext:
  runAsNonRoot: true
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  capabilities:
    drop: ["ALL"]
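A checker for the hardening rules from takeaway 5 and the snippet above, added here as a worked example (not part of the course material or of any Kubernetes tool). It evaluates a Pod manifest the way the kubelet and API server would: runAsNonRoot and runAsUser can be set at pod level and inherited by every container, while readOnlyRootFilesystem, allowPrivilegeEscalation and capabilities exist only at container level, so putting them in the pod-level securityContext silently leaves the container unhardened (kubectl's strict validation rejects the unknown field; looser validation drops it). The two sample manifests and their image names are constructed.

```python
"""Check Pod manifests against the review's hardening rules (added example).

Fields are evaluated with the same inheritance the kubelet applies:
  * runAsNonRoot / runAsUser: container level overrides pod level;
  * readOnlyRootFilesystem, allowPrivilegeEscalation, capabilities,
    privileged: container level only, no pod-level equivalent exists.
"""


def effective(container, pod_ctx, key):
    """Container-level value if set, otherwise the pod-level value (or None)."""
    ctx = container.get("securityContext") or {}
    return ctx[key] if key in ctx else pod_ctx.get(key)


def check_pod(pod):
    """Return hardening findings for every (init)container; [] means compliant."""
    findings = []
    spec = pod["spec"]
    pod_ctx = spec.get("securityContext") or {}
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c["name"]
        ctx = c.get("securityContext") or {}
        # Inheritable identity settings
        if effective(c, pod_ctx, "runAsNonRoot") is not True:
            findings.append(f"{name}: runAsNonRoot is not true")
        if effective(c, pod_ctx, "runAsUser") == 0:
            findings.append(f"{name}: runAsUser is 0 (root)")
        # Container-only settings: a pod-level copy is never applied
        if ctx.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: readOnlyRootFilesystem is not true")
        if ctx.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
        if "ALL" not in ((ctx.get("capabilities") or {}).get("drop") or []):
            findings.append(f"{name}: capabilities.drop does not include ALL")
        if ctx.get("privileged") is True:
            findings.append(f"{name}: privileged is true")
    return findings


# Constructed sample manifests, written as the dicts a YAML parser would give.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "api", "namespace": "prod"},
    "spec": {
        # Pod-level: inherited by the container below
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
        "containers": [{
            "name": "api", "image": "registry.example/api:1.0",  # placeholder
            "securityContext": {
                "readOnlyRootFilesystem": True,
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}

WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "legacy", "namespace": "prod"},
    "spec": {
        # Misplaced: PodSecurityContext has no capabilities field, so this
        # never reaches the container (the trap the checker reports)
        "securityContext": {"capabilities": {"drop": ["ALL"]}},
        "containers": [{
            "name": "legacy", "image": "registry.example/legacy:2.3",  # placeholder
            "securityContext": {"runAsUser": 0},
        }],
    },
}


if __name__ == "__main__":
    for pod in (HARDENED_POD, WEAK_POD):
        result = check_pod(pod) or ["compliant with the restricted hardening rules"]
        print(pod["metadata"]["name"] + ":")
        for line in result:
            print("  -", line)
```

Run against a real manifest by loading it with a YAML parser and passing the resulting dict to check_pod; an empty list means every container satisfies the five settings the review lists, and each finding names the container and the exact field to fix.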
