Container Security21 min read0 views

Kubernetes Security: RBAC, Network Policies, and Pod Security Standards

Complete Kubernetes security guide for 2026. Covers RBAC design patterns (ClusterRole vs Role, service account hardening, least-privilege bindings), Network Policies (Calico, Cilium, default-deny architectures), Pod Security Standards (Baseline, Restricted, migration from PSP), admission controllers (OPA Gatekeeper, Kyverno), API server hardening, etcd encryption, audit logging, and the CIS Kubernetes Benchmark.

David Olowatobi

David Olowatobi

Cloud Security Architect · July 5, 2026

Kubernetes Security: RBAC, Network Policies, and Pod Security Standards

Key Takeaways

  • Kubernetes ships with an open-by-default networking model — every pod can communicate with every other pod across all namespaces without restriction. Network Policies are the only built-in mechanism to implement microsegmentation, and they require a CNI plugin that supports them (Calico, Cilium, or Antrea — the default kubenet does not enforce Network Policies).
  • The most dangerous Kubernetes RBAC misconfiguration is granting cluster-admin to service accounts used by applications. Cluster-admin has full access to every resource in every namespace — a single compromised pod with cluster-admin access gives attacker complete control of the entire cluster.
  • Pod Security Standards replaced PodSecurityPolicies (removed in Kubernetes 1.25) and define three security profiles: Privileged (no restrictions), Baseline (prevents known privilege escalations), and Restricted (follows hardening best practices). Every production namespace should enforce at least Baseline, with Restricted for workloads handling sensitive data.
  • Kubernetes audit logging records every API request to the cluster — who made the request, what resource they accessed, and what action they performed. Without audit logging enabled, you have zero forensic capability to investigate a cluster compromise. It is disabled by default on many managed Kubernetes platforms.
  • Admission controllers are the enforcement mechanism that prevents misconfigured or insecure workloads from being deployed. OPA Gatekeeper and Kyverno are the two leading policy engines — Gatekeeper uses Rego (a purpose-built policy language), while Kyverno uses native Kubernetes YAML (lower learning curve for platform teams).

A default Kubernetes cluster is not secure. The default configuration allows every pod to talk to every other pod, grants broad permissions to service accounts, does not encrypt secrets at rest, and does not enforce any pod security standards. Every one of these defaults must be changed before running production workloads.

Kubernetes security operates at four distinct layers: the API server (authentication, authorization, admission control), the cluster infrastructure (etcd encryption, node security, network segmentation), the workload configuration (pod security contexts, resource limits, service account bindings), and the runtime environment (container security, monitoring, incident response). This guide covers the three most impactful security mechanisms — RBAC, Network Policies, and Pod Security Standards — plus the admission controllers and audit logging that tie them together.

RBAC: Controlling Who Can Do What

Role-Based Access Control (RBAC) is the authorization mechanism that determines which users, groups, and service accounts can perform which actions on which Kubernetes resources. RBAC is enabled by default on all modern Kubernetes versions (1.8+) and all managed platforms (EKS, AKS, GKE).

The RBAC Model

Kubernetes RBAC has four key objects:

ObjectScopePurposeWhen to Use
RoleSingle namespaceDefines a set of permissions (verbs on resources) within one namespaceApplication service accounts, namespace-scoped operators, developer access within specific namespaces
ClusterRoleCluster-wide or all namespacesDefines permissions on cluster-scoped resources or grants namespace permissions across all namespacesPlatform tools (monitoring, logging), cluster-scoped resources (nodes, PVs), aggregated roles
RoleBindingSingle namespaceBinds a Role or ClusterRole to users/groups/service accounts within one namespaceGranting application permissions within its own namespace
ClusterRoleBindingCluster-wideBinds a ClusterRole to users/groups/service accounts across the entire clusterPlatform operators, monitoring tools — use with extreme caution

RBAC Antipatterns That Cause Breaches

These are the RBAC configurations that have led to real-world Kubernetes compromises:

AntipatternWhy It Is DangerousCorrect Pattern
cluster-admin for applicationsA compromised pod can create, modify, or delete any resource in any namespace — including creating new ClusterRoleBindings to maintain persistenceCreate application-specific Roles with only the verbs and resources the application actually needs, scoped to its own namespace
Wildcards in Role rules (verbs: ["*"], resources: ["*"])Equivalent to full access — wildcards include future resources added to the API server. Violates least privilege completelyExplicitly list each verb (get, list, watch, create, update, delete) and each resource (pods, services, configmaps)
Default service account with elevated permissionsIf the default service account in a namespace has permissions, every pod in that namespace inherits them unless explicitly overriddenCreate dedicated service accounts for each application. Set automountServiceAccountToken: false on the default service account
ClusterRoleBinding where RoleBinding would sufficeClusterRoleBinding grants permissions across all namespaces. A monitoring tool in the monitoring namespace can now access secrets in every namespaceUse RoleBinding to grant the ClusterRole in specific namespaces. Use ClusterRoleBinding only when the tool genuinely needs access to all namespaces
Escalation permissions (bind, escalate, impersonate verbs)A user with the bind verb can create RoleBindings that grant more permissions than they have. The escalate verb allows modifying Roles to add new permissions. The impersonate verb allows acting as any other userNever grant bind, escalate, or impersonate to application service accounts. Reserve these for cluster administrators only

Service Account Hardening

Kubernetes automatically mounts a service account token into every pod at /var/run/secrets/kubernetes.io/serviceaccount/token. This token grants API server access with whatever permissions the service account has. If a pod does not need to call the Kubernetes API, this token is an unnecessary credential that an attacker can use for lateral movement.

Hardening steps:

  • Disable auto-mount — set automountServiceAccountToken: false on every service account that does not need API access. Also set it on the pod spec as a defense-in-depth measure.
  • Use bound service account tokens — Kubernetes 1.22+ uses projected volumes for service account tokens with automatic rotation, audience binding, and expiry. These tokens are more secure than the legacy static tokens.
  • One service account per application — never share service accounts between different applications. A security breach in one application should not grant the attacker permissions of a different application.
  • Audit token usage — use Kubernetes audit logs to identify which service accounts are actually making API calls. Remove permissions for service accounts that have tokens but never use them.

Network Policies: Implementing Microsegmentation

By default, Kubernetes allows every pod to communicate with every other pod across all namespaces. There are no network restrictions whatsoever. This means a compromised pod in one namespace can scan and connect to every pod in the cluster — including databases, internal APIs, and control plane components.

Network Policies are the Kubernetes mechanism for implementing microsegmentation. They define which pods can communicate with which other pods, on which ports, using which protocols. Network Policies are deny-by-default once applied — any traffic not explicitly allowed by a Network Policy is blocked.

Critical Prerequisite: CNI Plugin Support

Network Policies are only enforced if your CNI plugin supports them. The default kubenet does not enforce Network Policies — you can create them, but they have no effect. This is the most dangerous Kubernetes networking misconception, because teams believe they have network segmentation when they actually have none.

CNI PluginNetwork Policy SupportExtended FeaturesEnforcement Method
kubenet (default)None — policies are silently ignoredNoneN/A
CalicoFull Kubernetes NetworkPolicy + Calico GlobalNetworkPolicyDNS-based policies, L7 filtering, global policies, host endpoint protectioniptables or eBPF
CiliumFull Kubernetes NetworkPolicy + CiliumNetworkPolicyL7 (HTTP/gRPC/Kafka) filtering, FQDN policies, transparent encryption, Hubble observabilityeBPF
AntreaFull Kubernetes NetworkPolicy + Antrea-specific policiesTiered policy precedence, ClusterNetworkPolicy, multicast supportOVS (Open vSwitch)
Canal (Calico + Flannel)Full Kubernetes NetworkPolicySame as Calico for policy, Flannel for overlay networkingiptables
Kubernetes Network Security — Default vs Network Policies Default: ALL Pods Can Talk to ALL Pods Web Pod API Pod DB Pod Cache Queue No isolation. Attacker moves freely. Compromised Web pod reaches DB directly. Network Policies: Least-Privilege Traffic Web Pod API Pod DB Pod Cache Queue Only allowed flows. Lateral movement blocked. Web only reaches API. API reaches DB. Nothing else.
Default Kubernetes networking allows all pod-to-pod communication. Network Policies implement microsegmentation, restricting traffic to only explicitly allowed flows and blocking lateral movement.

The Default-Deny Architecture

The most important Network Policy pattern is the default-deny policy. This policy blocks all ingress and egress traffic to and from all pods in a namespace. Once applied, you then create specific policies that allow only the traffic flows your application requires.

This is the same principle as a firewall default-deny rule — block everything, then allow only what is needed. Without a default-deny policy, Network Policies are additive — they only add allow rules on top of the default allow-all. With a default-deny policy, they become the only way traffic can flow.

Network Policy Design Patterns

PatternWhat It ControlsExample
Default deny allBlock all traffic in namespace until explicitly allowedApply empty ingress and egress policy selecting all pods in the namespace
Allow same-namespace onlyPods can communicate within their namespace but not across namespacesAllow ingress/egress with namespaceSelector matching own namespace labels
Tier-based isolationFrontend pods only reach API tier, API tier only reaches database tierSeparate policies for each tier with podSelector matching tier labels
DNS egress onlyAllow pods to resolve DNS but block all other egressEgress policy allowing UDP port 53 to kube-dns pods, blocking everything else
External allowlistPods can only reach specific external IPs or CIDR rangesEgress policy with ipBlock specifying allowed external destinations
Cross-namespace service accessAllow specific pods in one namespace to reach specific pods in anotherIngress policy with namespaceSelector and podSelector targeting the source namespace and pod labels

Pod Security Standards: Enforcing Workload Configuration

Pod Security Standards (PSS) define three progressively restrictive security profiles that control which security-sensitive fields can be set in a pod specification. They replaced PodSecurityPolicies, which were removed in Kubernetes 1.25.

The Three Security Levels

LevelPurposeKey RestrictionsUse Case
PrivilegedNo restrictions whatsoeverNone — any pod configuration is allowedSystem namespaces (kube-system) running infrastructure components that genuinely need elevated privileges
BaselinePrevents known privilege escalationsNo privileged containers, no hostNetwork/hostPID/hostIPC, no hostPath volumes, restricted capabilities (no SYS_ADMIN, NET_RAW), restricted seccomp profiles, no procMount controlGeneral workloads — the minimum security standard for production
RestrictedFollows current hardening best practicesEverything in Baseline + must run as non-root, must drop ALL capabilities, must set seccomp profile, read-only root filesystem required, no privilege escalation allowed (allowPrivilegeEscalation: false)Sensitive workloads — applications handling PII, financial data, authentication services

Enforcement Modes

Pod Security Admission supports three enforcement modes that can be combined:

  • enforce — reject pods that violate the policy. The pod is not created.
  • warn — allow the pod but display a warning to the user who created it. Useful for migration and awareness.
  • audit — allow the pod but record the violation in the audit log. Useful for tracking compliance without blocking deployments.

The recommended migration approach: start with warn + audit for all namespaces, review the violations, fix non-compliant workloads, then enable enforce. This prevents breaking existing deployments during rollout.

Admission Controllers: OPA Gatekeeper vs Kyverno

Pod Security Standards provide three fixed security levels. When you need more granular policies — requiring specific labels, enforcing image registries, mandating resource limits, or requiring specific annotations — you need a policy admission controller.

DimensionOPA GatekeeperKyverno
Policy languageRego — a purpose-built declarative policy language. Powerful but has a learning curveNative Kubernetes YAML — policies look like Kubernetes resources. Lower learning curve for platform teams
ArchitectureSeparate OPA engine + Gatekeeper controller. Policies compiled and cached.Single controller. Policies are Kubernetes CRDs processed directly.
Policy typesValidation (reject non-compliant resources)Validation, mutation (modify resources to comply), generation (create resources automatically)
Community maturityCNCF graduated (OPA). Large ecosystem of pre-built policies. Used by many enterprisesCNCF incubating. Growing rapidly. Simpler policies attract Kubernetes-native teams
Best forOrganizations with complex multi-cloud policy requirements, teams with Rego experience, centralized policy teamsKubernetes-native teams, organizations that want YAML-based policies, teams that need mutation and generation capabilities

Essential Admission Policies for Production

PolicyWhat It EnforcesWhy It Matters
Trusted registry onlyImages must come from approved registries (your private ECR/GCR/ACR, not Docker Hub)Prevents pulling arbitrary images from public registries. Blocks typosquatting and unauthorized images.
No latest tagImage references must use a specific version tag or digest, not :latestEnsures reproducible deployments and prevents supply chain attacks through tag mutation.
Resource limits requiredAll containers must have CPU and memory requests and limits setPrevents resource exhaustion, enables fair scheduling, and limits blast radius of compromised containers.
Labels requiredAll pods must have specified labels (team, environment, app)Enables Network Policy targeting, cost allocation, and incident response (which team owns this pod?).
No privileged containersPods cannot set privileged: true or capabilities beyond the allowlistPrevents container escape through excessive privileges. Overlaps with PSS but provides more granular control.
External secrets onlyPods cannot use environment variables for secrets — must use volume mounts from external secret storesPrevents secret sprawl in pod specs and enforces centralized secret management.

API Server and etcd Security

The Kubernetes API server is the most critical component in the cluster. Every kubectl command, every controller action, every pod scheduling decision goes through the API server. Compromising the API server means compromising the entire cluster.

API Server Hardening Checklist

ControlConfigurationRisk If Missing
Disable anonymous authentication--anonymous-auth=falseUnauthenticated users can make API calls, potentially accessing cluster information
Enable audit logging--audit-policy-file and --audit-log-pathZero forensic capability during incident investigation. Cannot determine what attacker accessed.
Enable RBAC authorization--authorization-mode=RBAC (default on modern clusters)Without RBAC, authorization is not enforced
Disable insecure port--insecure-port=0 (deprecated and removed in 1.24+)The insecure port bypasses all authentication and authorization
Enable admission controllers--enable-admission-plugins includes NodeRestriction, PodSecurity, and othersWithout NodeRestriction, a compromised node can modify any pod in the cluster, not just its own
Restrict profiling--profiling=falseProfiling endpoints expose internal performance data that can reveal cluster architecture

etcd Security

etcd stores all Kubernetes state including Secrets, ConfigMaps, RBAC policies, and pod specifications. An attacker with direct access to etcd can read every secret in the cluster, modify RBAC policies to grant themselves admin access, and alter workload configurations.

Critical etcd hardening controls:

  • Encryption at rest — enable Kubernetes encryption at rest for Secrets using the EncryptionConfiguration API. Without this, Secrets are stored in etcd as base64-encoded plaintext (base64 is encoding, not encryption).
  • TLS for client-server communication — all communication between the API server and etcd must use mutual TLS with client certificates.
  • Network isolation — etcd should only be accessible from API server nodes. Place etcd on a separate network segment or use firewall rules to restrict access.
  • Regular backups — encrypted backups of etcd allow disaster recovery. Store backups in a separate security boundary from the cluster itself.

Kubernetes Audit Logging

Audit logging records every request to the Kubernetes API server — who made the request (user/service account), what resource they accessed, what action they performed (verb), and whether the request was allowed or denied. Without audit logging, you have no forensic capability to investigate a cluster compromise.

Audit Policy Design

Audit policies define which events are recorded and at what detail level. The four audit levels are:

LevelWhat Is LoggedUse For
NoneNothing — event is not recordedHigh-volume, low-risk events (health checks, get status)
MetadataRequest metadata (user, resource, verb, timestamp) but not request or response bodyMost API operations — provides who/what/when without overwhelming log volume
RequestMetadata + request bodyWrite operations on sensitive resources (secrets, RBAC) — shows what was created or modified
RequestResponseMetadata + request body + response bodyCritical operations for forensics — shows both what was requested and what the server returned
Kubernetes Security Model — Four Defense Layers API Server AuthN (OIDC, certs) AuthZ (RBAC) Admission Control Audit Logging TLS everywhere Rate limiting WHO can access Admission Control Pod Security Standards OPA / Kyverno Image verification Resource requirements Label enforcement Registry allowlist WHAT can be deployed Workload Security Network Policies SecurityContext Service Accounts Secret management Resource limits Node affinity/taints HOW it runs Runtime Falco/Tetragon Drift detection Behavior monitor Incident response Forensics DETECT threats
The four layers of Kubernetes security form a defense-in-depth model: the API server controls access, admission controllers gate deployments, workload security configures runtime restrictions, and runtime monitoring detects active threats.

CIS Kubernetes Benchmark Implementation

The CIS Kubernetes Benchmark defines security best practices across control plane components, worker nodes, policies, and managed services. The benchmark contains 200+ checks organized into sections for the API server, etcd, controller manager, scheduler, worker nodes, and policies.

Automated Compliance with kube-bench

kube-bench is an open-source tool that automates CIS Benchmark checks for Kubernetes clusters. It runs the applicable checks based on your Kubernetes version and cluster type (self-managed or managed service) and produces a scored compliance report.

Key benchmark sections and target compliance:

SectionAreaChecksTargetCommon Failures
1Control Plane ComponentsAPI Server, Controller Manager, Scheduler config90%+Anonymous auth enabled, profiling enabled, audit logging missing
2etcdEncryption, TLS, access controls95%+Encryption at rest not enabled, client cert auth not enforced
3Control Plane ConfigurationRBAC, service account, admission controllers85%+PSS not enforced, no admission controller beyond defaults
4Worker Nodeskubelet config, file permissions90%+Anonymous kubelet auth, read-only port enabled, file perms too open
5PoliciesRBAC, Network Policies, Secrets, Pods80%+No network policies, secrets not encrypted, wildcard RBAC rules

For managed Kubernetes services (EKS, AKS, GKE), many control plane checks are managed by the cloud provider. Focus your audit effort on sections 3 (control plane configuration), 4 (worker nodes), and 5 (policies) — these are the areas you directly control.

Putting It Together: The Kubernetes Security Maturity Path

Security is not deployed all at once. Here is the recommended sequence for bringing a Kubernetes cluster from default configuration to production-hardened:

PhaseFocusActionsTimeline
1 — FoundationAuthentication and AuthorizationEnable OIDC authentication, configure RBAC with least-privilege roles, disable anonymous auth, harden service accounts, enable audit loggingWeek 1-2
2 — NetworkMicrosegmentationDeploy a CNI that supports Network Policies (Calico/Cilium), implement default-deny in all namespaces, create specific allow policies per application tierWeek 3-4
3 — WorkloadPod SecurityEnable Pod Security Standards (Baseline enforce, Restricted warn), deploy admission controller (Gatekeeper/Kyverno), enforce image policiesWeek 5-6
4 — DataSecrets and EncryptionEnable etcd encryption at rest, deploy external secrets manager, rotate service account tokens, enable TLS for all internal communicationWeek 7-8
5 — MonitoringDetection and ResponseDeploy Falco or commercial runtime security, configure audit log pipeline, run kube-bench and remediate findings, establish incident response playbookWeek 9-10

Each phase builds on the previous one. Do not skip to monitoring before implementing RBAC and network segmentation — you will generate massive alert volumes from normal traffic that should have been blocked at a lower layer. The goal is prevention first (RBAC, Network Policies, PSS), detection second (audit logging, runtime security), and response third (incident playbooks, forensic capture).

Frequently Asked Questions

A Role grants permissions within a single namespace. A ClusterRole grants permissions either across all namespaces or to cluster-scoped resources (nodes, persistent volumes, namespaces themselves). Use Roles for application service accounts that only need access within their own namespace. Use ClusterRoles only for platform components that genuinely need cross-namespace access (monitoring tools, log collectors, cluster operators). The common mistake is using ClusterRoles for everything because they are simpler to configure — this violates least privilege because a compromised pod in one namespace gains access to resources in all namespaces.

David Olowatobi

David Olowatobi

Cloud Security Architect

Network & Cloud Security

David is a network security engineer and cloud security architect with seven years of experience securing enterprise infrastructure. He holds deep expertise in AWS, Azure, and GCP security architecture, having designed and hardened cloud environments for Fortune 500 companies. His focus is on delivering practical, scalable security solutions that protect businesses without sacrificing performance.

You Might Also Like

Docker Security Best Practices: Hardening Containers in Production
Container Security20 min read

Docker Security Best Practices: Hardening Containers in Production

Field-tested Docker hardening guide for 2026. Covers minimal base images, rootless containers, seccomp and AppArmor profiles, Docker Content Trust, build-time security (multi-stage builds, secret handling, layer optimization), runtime protections (read-only filesystems, resource limits, capability dropping), Docker Bench for Security scoring, and a complete CIS Docker Benchmark implementation checklist.

David Olowatobi
David Olowatobi

June 15, 2026

0
Free Newsletter

Stay Ahead of Cyber Threats

Get weekly cybersecurity insights and practical tips. No spam, just actionable advice to keep you safe.