Skill

SkillsDevOps & Infrastructure › Containers & orchestration

k8s-security-policies

Comprehensive guide for implementing NetworkPolicy, PodSecurityPolicy, RBAC, and Pod Security Standards in Kubernetes.

Freerisk: medium
folded-into-540

The full skill

— name: k8s-security-policies description: "Comprehensive guide for implementing NetworkPolicy, PodSecurityPolicy, RBAC, and Pod Security Standards in Kubernetes." risk: unknown source: community date_added: "2026-02-27" tier: free verified: true merged_from: [538, 539] authored_by: ebizapple (verifisert + attribuert) date_curated: 2026-07-03 — # Kubernetes Security Policies *Verifisert ebizapple-skill (gratis nivå). Bygget fra den fyldigste av to likelydende, permissivt lisensierte kilder; søsterkopien er verifisert mot Drive-kilden og la ikke til unikt materiale utover basen. Lisens og attribusjon i "Kilder & proveniens".* Comprehensive guide for implementing NetworkPolicy, PodSecurityPolicy, RBAC, and Pod Security Standards in Kubernetes. ## Do not use this skill when – The task is unrelated to kubernetes security policies – You need a different domain or tool outside this scope ## Instructions – Clarify goals, constraints, and required inputs. – Apply relevant best practices and validate outcomes. – Provide actionable steps and verification. – If detailed examples are required, open `resources/implementation-playbook.md`. ## Purpose Implement defense-in-depth security for Kubernetes clusters using network policies, pod security standards, and RBAC. ## Use this skill when – Implement network segmentation – Configure pod security standards – Set up RBAC for least-privilege access – Create security policies for compliance – Implement admission control – Secure multi-tenant clusters ## Pod Security Standards ### 1. Privileged (Unrestricted) “`yaml apiVersion: v1 kind: Namespace metadata: name: privileged-ns labels: pod-security.kubernetes.io/enforce: privileged pod-security.kubernetes.io/audit: privileged pod-security.kubernetes.io/warn: privileged “` ### 2. Baseline (Minimally restrictive) “`yaml apiVersion: v1 kind: Namespace metadata: name: baseline-ns labels: pod-security.kubernetes.io/enforce: baseline pod-security.kubernetes.io/audit: baseline pod-security.kubernetes.io/warn: baseline “` ### 3. Restricted (Most restrictive) “`yaml apiVersion: v1 kind: Namespace metadata: name: restricted-ns labels: pod-security.kubernetes.io/enforce: restricted pod-security.kubernetes.io/audit: restricted pod-security.kubernetes.io/warn: restricted “` ## Network Policies ### Default Deny All “`yaml apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-deny-all namespace: production spec: podSelector: {} policyTypes: – Ingress – Egress “` ### Allow Frontend to Backend “`yaml apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-frontend-to-backend namespace: production spec: podSelector: matchLabels: app: backend policyTypes: – Ingress ingress: – from: – podSelector: matchLabels: app: frontend ports: – protocol: TCP port: 8080 “` ### Allow DNS “`yaml apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-dns namespace: production spec: podSelector: {} policyTypes: – Egress egress: – to: – namespaceSelector: matchLabels: name: kube-system ports: – protocol: UDP port: 53 “` **Reference:** See `assets/network-policy-template.yaml` ## RBAC Configuration ### Role (Namespace-scoped) “`yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: pod-reader namespace: production rules: – apiGroups: [""] resources: ["pods"] verbs: ["get", "watch", "list"] “` ### ClusterRole (Cluster-wide) “`yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: secret-reader rules: – apiGroups: [""] resources: ["secrets"] verbs: ["get", "watch", "list"] “` ### RoleBinding “`yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: read-pods namespace: production subjects: – kind: User name: jane apiGroup: rbac.authorization.k8s.io – kind: ServiceAccount name: default namespace: production roleRef: kind: Role name: pod-reader apiGroup: rbac.authorization.k8s.io “` **Reference:** See `references/rbac-patterns.md` ## Pod Security Context ### Restricted Pod “`yaml apiVersion: v1 kind: Pod metadata: name: secure-pod spec: securityContext: runAsNonRoot: true runAsUser: 1000 fsGroup: 1000 seccompProfile: type: RuntimeDefault containers: – name: app image: myapp:1.0 securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true capabilities: drop: – ALL “` ## Policy Enforcement with OPA Gatekeeper ### ConstraintTemplate “`yaml apiVersion: templates.gatekeeper.sh/v1 kind: ConstraintTemplate metadata: name: k8srequiredlabels spec: crd: spec: names: kind: K8sRequiredLabels validation: openAPIV3Schema: type: object properties: labels: type: array items: type: string targets: – target: admission.k8s.gatekeeper.sh rego: | package k8srequiredlabels violation[{"msg": msg, "details": {"missing_labels": missing}}] { provided := {label | input.review.object.metadata.labels[label]} required := {label | label := input.parameters.labels[_]} missing := required – provided count(missing) > 0 msg := sprintf("missing required labels: %v", [missing]) } “` ### Constraint “`yaml apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequiredLabels metadata: name: require-app-label spec: match: kinds: – apiGroups: ["apps"] kinds: ["Deployment"] parameters: labels: ["app", "environment"] “` ## Service Mesh Security (Istio) ### PeerAuthentication (mTLS) “`yaml apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: default namespace: production spec: mtls: mode: STRICT “` ### AuthorizationPolicy “`yaml apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: allow-frontend namespace: production spec: selector: matchLabels: app: backend action: ALLOW rules: – from: – source: principals: ["cluster.local/ns/production/sa/frontend"] “` ## Best Practices 1. **Implement Pod Security Standards** at namespace level 2. **Use Network Policies** for network segmentation 3. **Apply least-privilege RBAC** for all service accounts 4. **Enable admission control** (OPA Gatekeeper/Kyverno) 5. **Run containers as non-root** 6. **Use read-only root filesystem** 7. **Drop all capabilities** unless needed 8. **Implement resource quotas** and limit ranges 9. **Enable audit logging** for security events 10. **Regular security scanning** of images ## Compliance Frameworks ### CIS Kubernetes Benchmark – Use RBAC authorization – Enable audit logging – Use Pod Security Standards – Configure network policies – Implement secrets encryption at rest – Enable node authentication ### NIST Cybersecurity Framework – Implement defense in depth – Use network segmentation – Configure security monitoring – Implement access controls – Enable logging and monitoring ## Troubleshooting **NetworkPolicy not working:** “`bash # Check if CNI supports NetworkPolicy kubectl get nodes -o wide kubectl describe networkpolicy <name> “` **RBAC permission denied:** “`bash # Check effective permissions kubectl auth can-i list pods –as system:serviceaccount:default:my-sa kubectl auth can-i '*' '*' –as system:serviceaccount:default:my-sa “` ## Reference Files – `assets/network-policy-template.yaml` – Network policy examples – `assets/pod-security-template.yaml` – Pod security policies – `references/rbac-patterns.md` – RBAC configuration patterns ## Related Skills – `k8s-manifest-generator` – For creating secure manifests – `gitops-workflow` – For automated policy deployment ## Limitations – Use this skill only when the task clearly matches the scope described above. – Do not treat the output as a substitute for environment-specific validation, testing, or expert review. – Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing. ## Kilder & proveniens – Source id 538 (BASE): the fuller of two same-name copies; its complete substantive body is preserved. Kun tillits-metadata, en banner og denne proveniensen ble lagt til; nivå er gratis (verifisert, ikke premium). – Source id 539 (SECONDARY): a same-name copy of the same skill, reviewed for additive material; none beyond the base was found, so nothing was ported. Role: corroboration of completeness. – License retained: community. Upstream author/source attribution preserved as required.