Skip to content

6.01 Kubernetes Security Primitives

Kubernetes security is layered.
To secure a production cluster, you must protect:

  1. The Hosts
  2. The API Server
  3. Authentication (Who?)
  4. Authorization (What?)
  5. Component Communication (TLS)
  6. Pod-to-Pod Communication (Network Policies)

1️⃣ Secure the Hosts (Foundation Layer)

If the host is compromised, the entire cluster is compromised.

Production Host Hardening

  • Disable root login
  • Disable password-based SSH
  • Enable SSH key-based authentication only
  • Restrict sudo access
  • Apply OS security patches regularly
  • Enable firewall rules
  • Restrict control plane node access

Danger

Never expose control plane nodes directly to the public internet.

Success

Use private networking and a bastion host for production clusters.

2️⃣ Secure the Kubernetes API Server

The kube-apiserver is the control center of Kubernetes.

All operations go through it:

  • kubectl
  • Controllers
  • kubelets
  • Direct API access

If the API server is compromised, the cluster is compromised.

Security decisions are based on two questions:

  • Who can access? β†’ Authentication
  • What can they do? β†’ Authorization

3️⃣ Authentication (Who Can Access?)

Authentication verifies identity.

Supported Authentication Methods

  • X.509 Client Certificates (Recommended)
  • Service Accounts
  • OIDC / LDAP (External Identity Providers)
  • Static Token File (Not recommended for production)

Abstract

Authentication answers: "Who are you?"

Production Best Practices

Success

  • Use certificates or OIDC for users
  • Disable anonymous access
  • Avoid static tokens
  • Rotate credentials regularly
  • Use short-lived service account tokens

Warning

Never share kubeconfig files insecurely.

4️⃣ Authorization (What Can They Do?)

Authorization defines permissions after authentication.

Authorization Modes

  • RBAC (Recommended)
  • ABAC (Legacy)
  • Node Authorizer
  • Webhook Authorizer

Abstract

Authorization answers: "What are you allowed to do?"

RBAC (Production Standard)

RBAC uses:

  • Roles
  • ClusterRoles
  • RoleBindings
  • ClusterRoleBindings

Apply Least Privilege Principle.

Success

Grant only the minimum permissions required.

Production Best Practices

Tip

  • Avoid using cluster-admin role
  • Create separate service accounts per application
  • Regularly audit RBAC permissions
  • Restrict namespace access

Danger

Assigning cluster-admin to applications is a major security risk.

5️⃣ TLS Encryption (Component-to-Component Security)

All internal communication in Kubernetes is secured using TLS:

  • kube-apiserver ↔ etcd
  • kube-apiserver ↔ kubelet
  • kube-controller-manager ↔ API server
  • kube-scheduler ↔ API server
  • kube-proxy ↔ API server

Note

TLS ensures encryption and identity verification between components.

Production Best Practices

Success

  • Protect CA private keys
  • Rotate certificates periodically
  • Secure etcd with TLS
  • Never expose etcd without encryption

6️⃣ Network Policies (Pod-to-Pod Security)

By default:

All pods can communicate with all other pods.

This is unsafe in production.

Network Policies allow:

  • Ingress control (who can reach a pod)
  • Egress control (where a pod can send traffic)
  • Namespace isolation
  • Zero-trust networking

Production Best Practices

Success

  • Start with default deny policy
  • Explicitly allow required traffic
  • Separate workloads by namespace
  • Use a CNI that supports Network Policies

Danger

Without network policies, lateral movement inside the cluster is easy.

7️⃣ Service Account Security

Service accounts allow pods to talk to the API server.

Secure Usage

  • Disable automountServiceAccountToken when not required
  • Use dedicated service accounts per workload
  • Apply minimal RBAC permissions
  • Use bound service account tokens

Warning

Default service account tokens should not be used blindly.

8️⃣ Kubernetes Security Layers Overview

Layer Purpose
Host OS Node protection
API Server Cluster control protection
Authentication Identity verification
Authorization Permission control
TLS Encrypted communication
Network Policies Pod isolation
Service Accounts Workload identity

9️⃣ Production DO & DON'T

βœ… DO

Tip

  • Harden nodes
  • Enable RBAC
  • Enforce TLS everywhere
  • Use network policies
  • Rotate credentials
  • Enable audit logging
  • Encrypt secrets at rest

❌ DON'T

Danger

  • Don’t use cluster-admin unnecessarily
  • Don’t allow password-based SSH
  • Don’t expose API server publicly without protection
  • Don’t skip certificate management
  • Don’t run containers as root when avoidable

πŸ”Ÿ Production Security Checklist

Abstract

  1. Harden hosts
  2. Secure API server
  3. Enable RBAC
  4. Enforce TLS
  5. Configure Network Policies
  6. Secure Service Accounts
  7. Enable audit logging
  8. Encrypt secrets at rest

🎯 Interview Memory

Question

  • Authentication = Who?
  • Authorization = What?
  • RBAC is recommended
  • TLS secures components
  • Network Policies isolate pods
  • Host security is foundational

Quote

Kubernetes security is layered. Secure every layer β€” host, API, identity, network, and data.