Security & RBAC
20 articles from official documentation
Mastering IAM in Kubernetes: Beyond the Basics
Identity and Access Management (IAM) is crucial for securing Kubernetes environments. Understanding concepts like zero-trust and PEP/PDP architectures can significantly enhance your security posture. Dive in to learn how to effectively implement IAM strategies in your clusters.
- Understand zero-trust principles to enhance security in Kubernetes.
- Implement PEP/PDP architectures for effective authorization management.
Securing CI/CD in Open Source: Mastering Workflow Control
In the world of open source, controlling who runs what in your CI/CD pipeline is crucial for security. By leveraging a GitHub bot named Ariane, you can ensure that only trusted team members can trigger workflows, mitigating risks associated with untrusted code execution.
- Implement Ariane to control workflow triggers based on team membership.
- Configure `allowed-teams` to restrict workflow execution to trusted members.
Inspektor Gadget Security Audit: What You Need to Know
Inspektor Gadget is revolutionizing visibility in Kubernetes clusters, but recent security audits revealed critical vulnerabilities. One such issue involved command injection during image builds, highlighting the importance of secure coding practices.
- Utilize eBPF to gain real-time insights into Kubernetes clusters without modifying kernel code.
- Update to version 0.50.1 or later to address critical vulnerabilities like CVE-2026-24905.
Building a Secure Internal Developer Platform with Kubernetes and GitOps
Creating a cloud-native internal developer platform is crucial for modern development teams. By leveraging GitOps and Infrastructure as Code (IaC), you can enforce security and streamline deployments. Learn how to set up a multi-stage delivery workflow that ensures security validation before any deployment.
- Implement Infrastructure as Code (IaC) to manage your infrastructure efficiently.
- Use GitOps as the single source of truth for cluster management.
Reconciling Kubernetes CVEs: A Guide to Correcting Vulnerability Records
Kubernetes administrators face the challenge of managing unfixed CVEs effectively. Understanding how to reconcile these records is crucial, especially as all versions will be marked as affected by June 2026. This article dives into the mechanisms and considerations for managing these vulnerabilities in production environments.
- Understand the role of the kube-apiserver in managing CVEs through admission webhooks.
- Configure log verbosity with the '--v' parameter to monitor security events effectively.
Why Kubernetes Policy Enforcement Happens Too Late
Kubernetes policy enforcement often comes too late in the development cycle, causing headaches for teams. By shifting policy checks to the pull request stage, you can surface violations as inline annotations, making it easier for developers to address issues early.
- Implement review-time enforcement to catch policy violations early.
- Use inline annotations in pull requests for immediate feedback on Kubernetes manifests.
Automating Confidential Containers with Kyverno: A Game Changer for Kubernetes Security
Confidential Containers (CoCo) are crucial for securing workloads in untrusted environments, and automating their infrastructure is key. Kyverno acts as a powerful policy engine to ensure that your CoCo configurations are consistently applied and validated at admission time.
- Utilize Kyverno to automate the injection of CoCo-related configurations.
- Define `runtimeClass` to specify the required confidential runtime environment.
Kubernetes v1.36: Why You Should Ditch Service ExternalIPs
Kubernetes v1.36 marks the end of the road for .spec.externalIPs, a feature that once aimed to mimic cloud load balancers in non-cloud environments. This change is driven by security concerns, pushing you to adopt more robust alternatives like LoadBalancer Services or MetalLB.
- Understand that .spec.externalIPs is deprecated due to security vulnerabilities.
- Utilize LoadBalancer Services or MetalLB for exposing services in non-cloud environments.
KubeCon + CloudNativeCon Japan 2026: What You Need to Know
KubeCon + CloudNativeCon Japan 2026 is set to be a pivotal event for cloud native enthusiasts. With tracks covering everything from AI innovation to security, this conference will tackle real-world challenges in Kubernetes. Don’t miss the chance to learn from industry leaders and enhance your cloud native strategies.
- Explore AI + ML innovations in cloud native environments.
- Understand observability through logs, metrics, and tracing.
Kyverno 1.18: Embrace the Future of Kubernetes Policy Management
Kyverno 1.18 is here, and it’s a game changer for Kubernetes policy management. With the deprecation of ClusterPolicy resources, it's crucial to migrate to newer policy types like ValidatingPolicy and MutatingPolicy. This release also strengthens security around HTTP calls, making your clusters safer.
- Migrate from ClusterPolicy to ValidatingPolicy, MutatingPolicy, and others to stay current.
- Configure allow and block lists for HTTP calls to enhance security.
Kubernetes v1.36: Unremovable Admission Policies for Stronger Security
Kubernetes v1.36 introduces a game-changing feature for admission policies that can't be deleted, enhancing security. By leveraging manifest-based admission control, you can enforce policies that remain intact even under aggressive changes.
- Define admission policies using manifest-based admission control for enhanced security.
- Use the `staticManifestsDir` field in the AdmissionConfiguration to point to your policy directory.
Securing GitHub Actions: Best Practices for Dependency Management
In a world where CI/CD pipelines are critical, securing your GitHub Actions dependencies is non-negotiable. Pinning versions and enforcing strict permissions can prevent vulnerabilities from third-party actions. Let's dive into how to implement these strategies effectively.
- Configure GitHub API settings to allow only 'organization-only actions' or 'explicitly named actions'.
- Pin action versions to prevent unintentional updates that could introduce vulnerabilities.
AI Sandboxing: Kubernetes' Next Frontier
AI sandboxing is revolutionizing how we think about workload isolation in Kubernetes. By eliminating the shared Linux kernel, we can prevent exploits from cascading across workloads. This architectural shift is crucial for securing AI applications in production.
- Eliminate the shared Linux kernel to prevent cascading exploits across workloads.
- Implement structural isolation to contain policy failures within individual workloads.
Implementing SPIFFE/SPIRE Authorization on Amazon EKS: A Practical Guide
Unlock secure identity management in your Kubernetes clusters with SPIFFE/SPIRE on Amazon EKS. Discover how to set up nested SPIRE servers for streamlined workload authentication. This guide dives deep into the mechanics and production realities you need to know.
- Understand SPIFFE as a standard for securely identifying software systems.
- Utilize nested SPIRE for scalable identity management across multiple clusters.
Kubernetes v1.36: Mastering Fine-Grained Kubelet API Authorization
Kubernetes v1.36 introduces Fine-Grained Kubelet API Authorization, allowing you to enforce least-privilege access control over the kubelet's HTTPS API. This feature enhances security by ensuring that only necessary permissions are granted, reducing the attack surface.
- Implement least-privilege access by using specific subresources like nodes/metrics and nodes/stats.
- Utilize SubjectAccessReview for fine-grained authorization checks before falling back to broader permissions.
Kubernetes v1.36: Unlocking Rootless Security with User Namespaces
Kubernetes v1.36 introduces User Namespaces, allowing for 'rootless' security isolation in your workloads. This feature enables efficient UID and GID remapping, enhancing security without the overhead of changing file ownership on disk.
- Leverage User Namespaces for enhanced security isolation in Kubernetes.
- Set `hostUsers: false` to opt out of the host user namespace.
Kubernetes v1.36: Unlocking New Features for Enhanced Control
Kubernetes v1.36 introduces powerful enhancements that elevate cluster management and security. Notably, fine-grained API authorization allows for precise access control over the kubelet's HTTPS API, eliminating the need for overly broad permissions.
- Implement fine-grained API authorization for better security.
- Utilize Workload Aware Scheduling to optimize pod management.
Mastering Security Contexts in Kubernetes Pods
Security contexts are essential for controlling access and permissions in Kubernetes. By specifying user IDs and group IDs, you can enforce strict security measures for your containers. This article dives into how to configure these contexts effectively.
- Specify `runAsUser` to enforce user IDs for all processes in the Pod.
- Use `allowPrivilegeEscalation` to control privilege levels and enhance security.
Mastering Kubernetes Secrets: Best Practices for Secure Management
Kubernetes Secrets are essential for managing sensitive information like passwords and tokens, but mishandling them can lead to serious security risks. Learn how to effectively use Secrets while avoiding common pitfalls such as relying on base64 encoding for confidentiality.
- Use Kubernetes Secrets to manage sensitive information like passwords and tokens securely.
- Configure Secrets to be encrypted at rest to enhance data protection.
Mastering Pod Security Standards in Kubernetes
Pod Security Standards are essential for safeguarding your Kubernetes clusters. They define three policies that dictate how permissive or restrictive your pod configurations can be. Understanding these can prevent privilege escalations and ensure compliance with best practices.
- Understand the differences between Privileged, Baseline, and Restricted policies.
- Disallow HostProcess containers in the Baseline policy to prevent privilege escalations.