Stage 5 · Platform
Platform Engineering & Multi-Tenancy
Cluster Security
Pod Security Standards, runtime security (Falco), and supply chain (SLSA, cosign).
Defense in Depth
Kubernetes security requires multiple layers: cluster hardening, admission control, runtime protection, and supply chain verification. No single layer is sufficient. Each layer catches different threats and reduces the overall attack surface.
- Cluster hardening — API server security, network policies, RBAC
- Admission control — Pod security, image policies, resource limits
- Runtime protection — Seccomp, AppArmor, Falco monitoring
- Supply chain — Image signing, SBOM verification, provenance
Pod Security Standards
Pod Security Standards (PSS) define three profiles: Privileged (unrestricted), Baseline (minimally restrictive), and Restricted (heavily restricted). Use namespace labels to enforce these profiles. PSS replaces the deprecated PodSecurityPolicy.
apiVersion: v1
kind: Namespace
metadata:
name: production
labels:
pod-security.kubernetes.io/enforce: restricted
pod-security.kubernetes.io/enforce-version: latest
pod-security.kubernetes.io/audit: restricted
pod-security.kubernetes.io/audit-version: latest
pod-security.kubernetes.io/warn: restricted
pod-security.kubernetes.io/warn-version: latestenforce rejects non-compliant pods. audit logs violations. warn shows warnings to users. restricted profile requires: non-root user, read-only filesystem, dropping all capabilities, no privileged containers, and seccomp profile.
apiVersion: v1
kind: Pod
metadata:
name: restricted-pod
spec:
securityContext:
runAsNonRoot: true
runAsUser: 1000
fsGroup: 1000
seccompProfile:
type: RuntimeDefault
containers:
- name: app
image: my-app:1.0
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
resources:
limits:
cpu: "500m"
memory: "256Mi"
requests:
cpu: "100m"
memory: "128Mi"
volumeMounts:
- name: tmp
mountPath: /tmp
volumes:
- name: tmp
emptyDir: {}This pod satisfies the restricted profile: non-root user, read-only filesystem, all capabilities dropped, seccomp RuntimeDefault, no privilege escalation. The emptyDir /tmp volume provides writable temp space.
Runtime Security (Falco)
Falco monitors running containers for suspicious activity: unexpected network connections, file access, process execution, and system calls. It uses kernel-level auditing (eBPF or kernel module) to detect threats in real-time.
customRules:
detect-crypto-mining: |
- rule: Detect Crypto Mining
desc: Detect crypto mining processes
condition: >
spawned_process and container
and proc.name in (xmrig, minerd, minergate, cpuminer)
output: >
Crypto mining detected
(user=%user.name container=%container.name
image=%container.image.repository proc=%proc.name)
priority: CRITICAL
tags: [crypto, mitre_execution]
detect-shell-in-container: |
- rule: Shell in Container
desc: Detect shell spawned in container
condition: >
spawned_process and container
and proc.name in (bash, sh, zsh, dash)
and not proc.pname in (containerd-shim)
output: >
Shell spawned in container
(user=%user.name container=%container.name
image=%container.image.repository shell=%proc.name)
priority: WARNING
tags: [shell, mitre_execution]Falco rules use a condition syntax to match kernel events. The first rule detects crypto miners. The second detects interactive shells in containers (often used for lateral movement). Rules are deployed as ConfigMaps.
Supply Chain Security
Supply chain security ensures that the software you deploy hasn't been tampered with. It covers image integrity (signing), provenance (build history), and vulnerability scanning. SLSA (Supply-chain Levels for Software Artifacts) defines levels of supply chain security.
# Generate SLSA provenance
cosign attest --predicate provenance.json \
--type slsaprovenance \
ghcr.io/my-org/my-app:1.0.0
# Verify provenance
cosign verify-attestation \
--type slsaprovenance \
--key cosign.pub \
ghcr.io/my-org/my-app:1.0.0SLSA provenance records how the image was built: source repo, build system, build config, and dependencies. Verifying provenance ensures the image was built from the expected source with the expected process.
Image Signing (cosign)
Cosign signs container images to verify their integrity and authenticity. Only images signed by trusted keys can be deployed. This prevents supply chain attacks where attackers push malicious images to your registry.
# Generate key pair
cosign generate-key-pair
# Sign an image
cosign sign --key cosign.key ghcr.io/my-org/my-app:1.0.0
# Verify signature
cosign verify --key cosign.pub ghcr.io/my-org/my-app:1.0.0
# Sign with keyless (Sigstore)
cosign sign ghcr.io/my-org/my-app:1.0.0
# Verify keyless
cosign verify --certificate-identity=user@example.com \
--certificate-oidc-issuer=https://accounts.google.com \
ghcr.io/my-org/my-app:1.0.0Keyless signing uses OIDC tokens from your CI/CD system. Cosign generates a short-lived key pair, signs the image, and stores the signature in the registry. Verification checks the OIDC identity matches your CI/CD system.
Use Kyverno to enforce image signature verification at admission time. Pods using unsigned images are rejected. This prevents untrusted images from running in your cluster, even if someone pushes them to your registry.
Security Audit
# Kubescape — comprehensive security scanning
kubescape scan cluster --severity high,critical
# Trivy — vulnerability scanning
trivy image my-app:1.0 --severity HIGH,CRITICAL
# kube-bench — CIS benchmark checks
kube-bench run --targets master,node
# Check for privileged containers
kubectl get pods --all-namespaces -o json | jq '.items[] |
select(.spec.containers[].securityContext.privileged == true) |
{name: .metadata.name, namespace: .metadata.namespace}'Run these tools regularly: Kubescape for cluster-wide security, Trivy for image vulnerabilities, kube-bench for CIS compliance. Add them to CI/CD pipelines to catch issues before deployment.
Add Trivy to your CI pipeline to scan images before pushing. Use Kyverno to verify signatures at admission. Run Kubescape weekly for cluster-wide compliance. Export results to SIEM for monitoring.
Mark this lesson complete to store local progress and unlock a cleaner resume path the next time you visit.