Stage 7 · Master
KCSA — Kubernetes & Cloud Native Security Associate
Kubernetes Cluster Component Security (22%)
API server hardening, kubelet security, etcd protection, controller manager, and networking controls.
API Server Security
The API server is the most critical security boundary in Kubernetes. Every operation passes through it. Securing the API server means securing the entire cluster.
- TLS encryption — All API communication must use HTTPS.
- Authentication — Verify who is making the request (certificates, tokens, OIDC).
- Authorization — Verify what they are allowed to do (RBAC, ABAC).
- Admission control — Validate and mutate requests before they are stored.
- Anonymous auth — Disable anonymous access in production.
# Key flags for kube-apiserver
--anonymous-auth=false
--authorization-mode=RBAC,Node
--enable-admission-plugins=NodeRestriction,PodSecurity
--tls-min-version=VersionTLS12
--client-ca-file=/etc/kubernetes/pki/ca.crtThe NodeRestriction admission plugin limits what kubelets can modify. Always enable it to prevent compromised nodes from escalating privileges.
RBAC — Role-Based Access Control
RBAC is the standard authorization mechanism in Kubernetes. It grants permissions through Roles, ClusterRoles, RoleBindings, and ClusterRoleBindings. Follow the principle of least privilege — grant only the minimum permissions required.
| Resource | Scope | Purpose |
|---|---|---|
| Role | Namespace | Permissions within a namespace |
| ClusterRole | Cluster-wide | Cluster-level or non-namespaced resources |
| RoleBinding | Namespace | Binds a Role to subjects in a namespace |
| ClusterRoleBinding | Cluster-wide | Binds a ClusterRole to subjects cluster-wide |
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: production
name: pod-reader
rules:
- apiGroups: [""]
resources: ["pods", "pods/log"]
verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
resources: ["deployments"]
verbs: ["get", "list"]This Role allows reading pods and deployments in the production namespace but does not allow create, update, or delete. Always start with read-only access and expand only when needed.
Never bind cluster-admin to users or service accounts unless absolutely necessary. cluster-admin has unrestricted access to every resource in the cluster. Use specific Roles and ClusterRoles instead.
etcd Security
etcd stores all cluster state including Secrets. If an attacker gains access to etcd, they own the cluster. Protect etcd with encryption, authentication, and network isolation.
- Encrypt etcd at rest using EncryptionConfiguration.
- Restrict network access to etcd — only the API server should connect.
- Use client certificate authentication for etcd peers.
- Enable etcd authentication to prevent unauthorized reads.
Kubelet Security
The kubelet runs on every node and manages containers. A compromised kubelet can expose the node, access secrets, and potentially compromise the entire cluster.
- Enable kubelet client certificate authentication.
- Disable anonymous authentication (--anonymous-auth=false).
- Restrict kubelet API access with RBAC.
- Enable NodeRestriction admission plugin.
Controller Manager Security
The controller manager runs reconciliation loops with cluster-wide permissions. It should run with minimal external access and use dedicated service accounts.
Each control plane component should have its own credentials, network segment, and RBAC profile. Compromising one component should not automatically compromise others.
Network Security
By default, every Pod in Kubernetes can communicate with every other Pod. Network Policies are the firewall rules that restrict this. Without Network Policies, your cluster is flat and unprotected.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-all
namespace: production
spec:
podSelector: {}
policyTypes:
- Ingress
- EgressThis NetworkPolicy denies all ingress and egress traffic for Pods in the production namespace. You then add specific allow rules for the traffic you need.
Audit Logging
Audit logging records every API request made to the cluster. It provides an audit trail for security investigations, compliance, and debugging. Configure audit policies to capture the right level of detail.
- None — Do not log events at this level.
- Metadata — Log request metadata (user, timestamp, resource).
- Request — Log metadata and request body.
- RequestResponse — Log metadata, request, and response bodies.
Key Commands
kubectl auth can-i --list --as=system:serviceaccount:default:my-sa
kubectl get rolebinding,clusterrolebinding -o wide
kubectl get networkpolicies -A
kubectl get secrets -A --field-selector type=Opaque
kubectl auth can-i create secrets --namespace=productionUse --as to simulate a different user or service account. This is essential for verifying RBAC configurations.
Mark this lesson complete to store local progress and unlock a cleaner resume path the next time you visit.