Skills › DevOps & Infrastructure › Containers & orchestration
k8s-security-policies
Comprehensive guide for implementing NetworkPolicy, PodSecurityPolicy, RBAC, and Pod Security Standards in Kubernetes.
The full skill
—
name: k8s-security-policies
description: "Comprehensive guide for implementing NetworkPolicy, PodSecurityPolicy, RBAC, and Pod Security Standards in Kubernetes."
risk: unknown
source: community
date_added: "2026-02-27"
tier: free
verified: true
merged_from: [538, 539]
authored_by: ebizapple (verifisert + attribuert)
date_curated: 2026-07-03
—
# Kubernetes Security Policies
*Verifisert ebizapple-skill (gratis nivå). Bygget fra den fyldigste av to likelydende, permissivt lisensierte kilder; søsterkopien er verifisert mot Drive-kilden og la ikke til unikt materiale utover basen. Lisens og attribusjon i "Kilder & proveniens".*
Comprehensive guide for implementing NetworkPolicy, PodSecurityPolicy, RBAC, and Pod Security Standards in Kubernetes.
## Do not use this skill when
– The task is unrelated to kubernetes security policies
– You need a different domain or tool outside this scope
## Instructions
– Clarify goals, constraints, and required inputs.
– Apply relevant best practices and validate outcomes.
– Provide actionable steps and verification.
– If detailed examples are required, open `resources/implementation-playbook.md`.
## Purpose
Implement defense-in-depth security for Kubernetes clusters using network policies, pod security standards, and RBAC.
## Use this skill when
– Implement network segmentation
– Configure pod security standards
– Set up RBAC for least-privilege access
– Create security policies for compliance
– Implement admission control
– Secure multi-tenant clusters
## Pod Security Standards
### 1. Privileged (Unrestricted)
“`yaml
apiVersion: v1
kind: Namespace
metadata:
name: privileged-ns
labels:
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/warn: privileged
“`
### 2. Baseline (Minimally restrictive)
“`yaml
apiVersion: v1
kind: Namespace
metadata:
name: baseline-ns
labels:
pod-security.kubernetes.io/enforce: baseline
pod-security.kubernetes.io/audit: baseline
pod-security.kubernetes.io/warn: baseline
“`
### 3. Restricted (Most restrictive)
“`yaml
apiVersion: v1
kind: Namespace
metadata:
name: restricted-ns
labels:
pod-security.kubernetes.io/enforce: restricted
pod-security.kubernetes.io/audit: restricted
pod-security.kubernetes.io/warn: restricted
“`
## Network Policies
### Default Deny All
“`yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-all
namespace: production
spec:
podSelector: {}
policyTypes:
– Ingress
– Egress
“`
### Allow Frontend to Backend
“`yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-frontend-to-backend
namespace: production
spec:
podSelector:
matchLabels:
app: backend
policyTypes:
– Ingress
ingress:
– from:
– podSelector:
matchLabels:
app: frontend
ports:
– protocol: TCP
port: 8080
“`
### Allow DNS
“`yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-dns
namespace: production
spec:
podSelector: {}
policyTypes:
– Egress
egress:
– to:
– namespaceSelector:
matchLabels:
name: kube-system
ports:
– protocol: UDP
port: 53
“`
**Reference:** See `assets/network-policy-template.yaml`
## RBAC Configuration
### Role (Namespace-scoped)
“`yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: pod-reader
namespace: production
rules:
– apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list"]
“`
### ClusterRole (Cluster-wide)
“`yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: secret-reader
rules:
– apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "watch", "list"]
“`
### RoleBinding
“`yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: read-pods
namespace: production
subjects:
– kind: User
name: jane
apiGroup: rbac.authorization.k8s.io
– kind: ServiceAccount
name: default
namespace: production
roleRef:
kind: Role
name: pod-reader
apiGroup: rbac.authorization.k8s.io
“`
**Reference:** See `references/rbac-patterns.md`
## Pod Security Context
### Restricted Pod
“`yaml
apiVersion: v1
kind: Pod
metadata:
name: secure-pod
spec:
securityContext:
runAsNonRoot: true
runAsUser: 1000
fsGroup: 1000
seccompProfile:
type: RuntimeDefault
containers:
– name: app
image: myapp:1.0
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
– ALL
“`
## Policy Enforcement with OPA Gatekeeper
### ConstraintTemplate
“`yaml
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
name: k8srequiredlabels
spec:
crd:
spec:
names:
kind: K8sRequiredLabels
validation:
openAPIV3Schema:
type: object
properties:
labels:
type: array
items:
type: string
targets:
– target: admission.k8s.gatekeeper.sh
rego: |
package k8srequiredlabels
violation[{"msg": msg, "details": {"missing_labels": missing}}] {
provided := {label | input.review.object.metadata.labels[label]}
required := {label | label := input.parameters.labels[_]}
missing := required – provided
count(missing) > 0
msg := sprintf("missing required labels: %v", [missing])
}
“`
### Constraint
“`yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
name: require-app-label
spec:
match:
kinds:
– apiGroups: ["apps"]
kinds: ["Deployment"]
parameters:
labels: ["app", "environment"]
“`
## Service Mesh Security (Istio)
### PeerAuthentication (mTLS)
“`yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default
namespace: production
spec:
mtls:
mode: STRICT
“`
### AuthorizationPolicy
“`yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: allow-frontend
namespace: production
spec:
selector:
matchLabels:
app: backend
action: ALLOW
rules:
– from:
– source:
principals: ["cluster.local/ns/production/sa/frontend"]
“`
## Best Practices
1. **Implement Pod Security Standards** at namespace level
2. **Use Network Policies** for network segmentation
3. **Apply least-privilege RBAC** for all service accounts
4. **Enable admission control** (OPA Gatekeeper/Kyverno)
5. **Run containers as non-root**
6. **Use read-only root filesystem**
7. **Drop all capabilities** unless needed
8. **Implement resource quotas** and limit ranges
9. **Enable audit logging** for security events
10. **Regular security scanning** of images
## Compliance Frameworks
### CIS Kubernetes Benchmark
– Use RBAC authorization
– Enable audit logging
– Use Pod Security Standards
– Configure network policies
– Implement secrets encryption at rest
– Enable node authentication
### NIST Cybersecurity Framework
– Implement defense in depth
– Use network segmentation
– Configure security monitoring
– Implement access controls
– Enable logging and monitoring
## Troubleshooting
**NetworkPolicy not working:**
“`bash
# Check if CNI supports NetworkPolicy
kubectl get nodes -o wide
kubectl describe networkpolicy <name>
“`
**RBAC permission denied:**
“`bash
# Check effective permissions
kubectl auth can-i list pods –as system:serviceaccount:default:my-sa
kubectl auth can-i '*' '*' –as system:serviceaccount:default:my-sa
“`
## Reference Files
– `assets/network-policy-template.yaml` – Network policy examples
– `assets/pod-security-template.yaml` – Pod security policies
– `references/rbac-patterns.md` – RBAC configuration patterns
## Related Skills
– `k8s-manifest-generator` – For creating secure manifests
– `gitops-workflow` – For automated policy deployment
## Limitations
– Use this skill only when the task clearly matches the scope described above.
– Do not treat the output as a substitute for environment-specific validation, testing, or expert review.
– Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.
## Kilder & proveniens
– Source id 538 (BASE): the fuller of two same-name copies; its complete substantive body is preserved. Kun tillits-metadata, en banner og denne proveniensen ble lagt til; nivå er gratis (verifisert, ikke premium).
– Source id 539 (SECONDARY): a same-name copy of the same skill, reviewed for additive material; none beyond the base was found, so nothing was ported. Role: corroboration of completeness.
– License retained: community. Upstream author/source attribution preserved as required.