DevSecOps - Kubernetes DevOps & Security

DevSecOps Pipeline

Kubernetes Security Concepts

In this guide, we’ll cover critical Kubernetes security concepts, highlight common vulnerabilities in deployments and container images, and show you how to enforce policies using industry-standard tools like OPA Conftest, Kubesec, and Trivy. By the end, you’ll have actionable steps to harden your clusters and CI/CD pipelines.


Table of Contents

  1. Common Kubernetes Vulnerabilities
  2. Scanning and Policy Enforcement
  3. Defining and Applying securityContext
  4. Additional Kubernetes Security Features
  5. Demo: Validating Deployments with OPA Conftest
  6. Links & References

Common Kubernetes Vulnerabilities

Attackers often exploit misconfigurations or unpatched components. Typical risks include:

  • Privileged Containers
  • Images with Known CVEs
  • Excessive RBAC Permissions
  • Unrestricted Network Access
  • Improper Secret Management

Addressing these early in your development lifecycle prevents costly incidents later on.


Scanning and Policy Enforcement

Leverage automated scanners and policy-as-code to detect risks before deployment. Below is a comparison:

ToolUse CaseExample Command
TrivyImage & filesystem CVE scanningtrivy image my-app:latest
KubesecStatic manifest analysiskubesec scan deployment.yaml
OPA ConftestCustom policy checks against YAMLconftest test deployment.yaml --policy policies/

Note

Integrate these tools into your CI pipelines for continuous assessment. For example, add a GitHub Action step to run trivy on every push.


Defining and Applying securityContext

A securityContext sets Linux privileges and filesystem controls for Pods and containers. Enforcing non-root users and read-only filesystems significantly reduces attack surface.

FieldDescription
runAsUserNumeric UID the container must run as
runAsNonRootEnsures the container UID is non-zero
readOnlyRootFilesystemMounts the root filesystem read-only
allowPrivilegeEscalationDefaults to false to block setuid binaries and escalations

Warning

Running containers as root (UID 0) may allow privilege escalation and lateral movement within your cluster. Always set runAsNonRoot: true unless absolutely necessary.

Example securityContext

apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  securityContext:
    runAsUser: 1000
    runAsNonRoot: true
    readOnlyRootFilesystem: true
  containers:
    - name: app
      image: your-registry/secure-app:latest
      securityContext:
        allowPrivilegeEscalation: false
      volumeMounts:
        - name: tmp-volume
          mountPath: /tmp
  volumes:
    - name: tmp-volume
      emptyDir: {}

Additional Kubernetes Security Features

Beyond securityContext, Kubernetes offers:

  • AppArmor & SELinux policies for Mandatory Access Control
  • Pod Security Admission & legacy PodSecurityPolicy
  • NetworkPolicies to isolate traffic at the pod level
  • Audit Logging for forensic analysis
  • Air-gapped Cluster Deployments for sensitive environments
  • TLS Encryption for API and etcd communication

Demo: Validating Deployments with OPA Conftest

  1. Write a Rego Policy
    Create policies/run_as_non_root.rego:

    package k8s.security
    
    deny[msg] {
      input.kind == "Pod"
      not input.spec.securityContext.runAsNonRoot
      msg = "Pods must set securityContext.runAsNonRoot = true"
    }
    
  2. Create a Sample Deployment
    Save as deployment.yaml:

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: insecure-deployment
    spec:
      replicas: 1
      template:
        metadata:
          labels:
            app: insecure
        spec:
          containers:
            - name: app
              image: busybox
    
  3. Run Conftest

    conftest test deployment.yaml --policy policies/
    

    You should see an error indicating the missing runAsNonRoot setting.


Watch Video

Watch video content

Previous
Demo OPA Conftest Docker