DevSecOps - Kubernetes DevOps & Security
DevSecOps Pipeline
Kubernetes Security Concepts
In this guide, we’ll cover critical Kubernetes security concepts, highlight common vulnerabilities in deployments and container images, and show you how to enforce policies using industry-standard tools like OPA Conftest, Kubesec, and Trivy. By the end, you’ll have actionable steps to harden your clusters and CI/CD pipelines.
Table of Contents
- Common Kubernetes Vulnerabilities
- Scanning and Policy Enforcement
- Defining and Applying securityContext
- Additional Kubernetes Security Features
- Demo: Validating Deployments with OPA Conftest
- Links & References
Common Kubernetes Vulnerabilities
Attackers often exploit misconfigurations or unpatched components. Typical risks include:
- Privileged Containers
- Images with Known CVEs
- Excessive RBAC Permissions
- Unrestricted Network Access
- Improper Secret Management
Addressing these early in your development lifecycle prevents costly incidents later on.
Scanning and Policy Enforcement
Leverage automated scanners and policy-as-code to detect risks before deployment. Below is a comparison:
Tool | Use Case | Example Command |
---|---|---|
Trivy | Image & filesystem CVE scanning | trivy image my-app:latest |
Kubesec | Static manifest analysis | kubesec scan deployment.yaml |
OPA Conftest | Custom policy checks against YAML | conftest test deployment.yaml --policy policies/ |
Note
Integrate these tools into your CI pipelines for continuous assessment. For example, add a GitHub Action step to run trivy
on every push.
Defining and Applying securityContext
A securityContext
sets Linux privileges and filesystem controls for Pods and containers. Enforcing non-root users and read-only filesystems significantly reduces attack surface.
Field | Description |
---|---|
runAsUser | Numeric UID the container must run as |
runAsNonRoot | Ensures the container UID is non-zero |
readOnlyRootFilesystem | Mounts the root filesystem read-only |
allowPrivilegeEscalation | Defaults to false to block setuid binaries and escalations |
Warning
Running containers as root (UID 0) may allow privilege escalation and lateral movement within your cluster. Always set runAsNonRoot: true
unless absolutely necessary.
Example securityContext
apiVersion: v1
kind: Pod
metadata:
name: secure-pod
spec:
securityContext:
runAsUser: 1000
runAsNonRoot: true
readOnlyRootFilesystem: true
containers:
- name: app
image: your-registry/secure-app:latest
securityContext:
allowPrivilegeEscalation: false
volumeMounts:
- name: tmp-volume
mountPath: /tmp
volumes:
- name: tmp-volume
emptyDir: {}
Additional Kubernetes Security Features
Beyond securityContext
, Kubernetes offers:
- AppArmor & SELinux policies for Mandatory Access Control
- Pod Security Admission & legacy PodSecurityPolicy
- NetworkPolicies to isolate traffic at the pod level
- Audit Logging for forensic analysis
- Air-gapped Cluster Deployments for sensitive environments
- TLS Encryption for API and etcd communication
Demo: Validating Deployments with OPA Conftest
Write a Rego Policy
Createpolicies/run_as_non_root.rego
:package k8s.security deny[msg] { input.kind == "Pod" not input.spec.securityContext.runAsNonRoot msg = "Pods must set securityContext.runAsNonRoot = true" }
Create a Sample Deployment
Save asdeployment.yaml
:apiVersion: apps/v1 kind: Deployment metadata: name: insecure-deployment spec: replicas: 1 template: metadata: labels: app: insecure spec: containers: - name: app image: busybox
Run Conftest
conftest test deployment.yaml --policy policies/
You should see an error indicating the missing
runAsNonRoot
setting.
Links & References
- OPA Conftest
- Kubesec.io
- Trivy by Aqua Security
- Kubernetes Security Best Practices
- Pod Security Admission
Watch Video
Watch video content