# Cloud-Native Security

## Container Security

- Base images: UBI or distroless — no full OS images
- Run as non-root: `runAsNonRoot: true`, `runAsUser: 65532`
- Read-only filesystem: `readOnlyRootFilesystem: true`
- Drop all capabilities: `drop: ["ALL"]`, add back only what's needed
- No privilege escalation: `allowPrivilegeEscalation: false`
- Scan images in CI with `trivy` or `grype`
- Sign images with `cosign` and verify signatures in admission
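The container settings above, applied together in one Deployment. This is an added example, not a manifest from the original page; the namespace `example-ns`, the image name `registry.example.com/team/api`, the all-zero digest and the `tmp` volume are placeholders chosen for illustration.

```yaml
# Added example: a Deployment whose pod- and container-level securityContext
# apply the container security checklist. Names and the digest are placeholders.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api
  namespace: example-ns
spec:
  replicas: 2
  selector:
    matchLabels:
      app: api
  template:
    metadata:
      labels:
        app: api
    spec:
      # Only mount an API-server token when the workload actually needs one
      automountServiceAccountToken: false
      securityContext:
        runAsNonRoot: true
        runAsUser: 65532          # the "nonroot" user shipped in distroless images
        runAsGroup: 65532
        fsGroup: 65532
        seccompProfile:
          type: RuntimeDefault    # required by the PSS "restricted" profile
      containers:
        - name: api
          # Distroless-based app image pinned by digest, never by tag.
          # The sha256 value below is a placeholder, not a real digest.
          image: registry.example.com/team/api@sha256:0000000000000000000000000000000000000000000000000000000000000000
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
              # Add back only what is strictly needed, e.g. to bind a port < 1024:
              # add: ["NET_BIND_SERVICE"]
          ports:
            - containerPort: 8080
          volumeMounts:
            # A read-only root still needs writable scratch space for most runtimes
            - name: tmp
              mountPath: /tmp
          resources:
            requests: { cpu: 100m, memory: 128Mi }
            limits:   { cpu: 500m, memory: 256Mi }
      volumes:
        - name: tmp
          emptyDir: {}
```

The pod-level `securityContext` sets the defaults (user, group, seccomp) that every container inherits; the per-container block carries the fields that only exist at container level (`allowPrivilegeEscalation`, `readOnlyRootFilesystem`, `capabilities`). With `readOnlyRootFilesystem: true`, anything the process writes (temp files, caches, PID files) needs an explicit `emptyDir`, which is a useful way to discover exactly which paths an image writes to.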
## Secrets Management

- Never store secrets in git, even encrypted (except Sealed Secrets)
- Use External Secrets Operator to sync from cloud provider vaults:
  - Azure: Key Vault
  - AWS: Secrets Manager or SSM Parameter Store
  - GCP: Secret Manager
- Rotate secrets automatically where possible
- Use workload identity (not static credentials) to access vaults
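The AWS variant of the pattern above: External Secrets Operator pulling from Secrets Manager with the operator authenticating through workload identity (IRSA) rather than an access key. This is an added example and not from the original page; the namespace, the IAM role ARN, the region and the Secrets Manager key `prod/api/db` are placeholders.

```yaml
# Added example: External Secrets Operator + AWS Secrets Manager + IRSA.
# All names, the role ARN and the region are placeholders.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: external-secrets-reader
  namespace: example-ns
  annotations:
    # IRSA: pods using this SA get short-lived AWS credentials from the
    # projected service-account token; no static access keys anywhere.
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/example-secrets-reader
---
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: aws-secrets-manager
  namespace: example-ns
spec:
  provider:
    aws:
      service: SecretsManager
      region: eu-west-1
      auth:
        jwt:
          serviceAccountRef:
            name: external-secrets-reader
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: api-db-credentials
  namespace: example-ns
spec:
  refreshInterval: 1h              # re-sync so a rotated value reaches the cluster
  secretStoreRef:
    name: aws-secrets-manager
    kind: SecretStore
  target:
    name: api-db-credentials       # the Kubernetes Secret the operator creates
    creationPolicy: Owner
  data:
    - secretKey: password
      remoteRef:
        key: prod/api/db           # placeholder secret name in Secrets Manager
        property: password
```

Only the `SecretStore` and `ExternalSecret` objects live in git; the secret value itself is only ever materialised in the cluster by the operator. The IAM role bound to the ARN should be scoped with a resource condition to the exact secret ARNs it needs, so a compromised operator pod cannot enumerate the whole account's secrets.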
## Authentication and Authorisation

- Kubernetes: RBAC with least-privilege Roles
- Cloud: workload identity federation — never long-lived service account keys
- API auth: OAuth2/OIDC with short-lived tokens
- Service-to-service: mTLS via service mesh or SPIFFE/SPIRE
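A least-privilege RBAC example for the Kubernetes point above, added here and not taken from the original page: a ServiceAccount that may read exactly one ConfigMap in its own namespace. The namespace `example-ns`, the account name `api` and the ConfigMap name `api-config` are placeholders.

```yaml
# Added example: namespace-scoped Role granting read access to a single named
# object, bound to one ServiceAccount. Names are placeholders.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: api
  namespace: example-ns
# Tokens are not mounted by default; a pod that really needs API access
# opts in with automountServiceAccountToken: true in its own spec.
automountServiceAccountToken: false
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: api-config-reader
  namespace: example-ns
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["api-config"]   # scoped to one object, not every ConfigMap
    verbs: ["get"]                  # no list/watch, no write verbs
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: api-config-reader
  namespace: example-ns
subjects:
  - kind: ServiceAccount
    name: api
    namespace: example-ns
roleRef:
  kind: Role
  name: api-config-reader
  apiGroup: rbac.authorization.k8s.io
```

Checking the result before deploying is cheap: `kubectl auth can-i get configmaps/api-config --as=system:serviceaccount:example-ns:api -n example-ns` should answer `yes`, while the same query for `secrets` or for `list configmaps` should answer `no`. A `ClusterRoleBinding` to `cluster-admin` or wildcard `verbs: ["*"]` on a ServiceAccount is the thing to look for in review.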
## Network Security

- Default deny NetworkPolicies in every namespace
- Allow only required ingress/egress per service
- Use service mesh for mTLS between services
- Egress: use egress gateways to control external access
- DNS policies to prevent data exfiltration
## Supply Chain

- Pin image digests in production manifests, not tags
- SBOM generation for all container images
- Vulnerability scanning in CI and on a schedule
- Admission policies (Kyverno or Gatekeeper) to enforce:
  - Image source allowlists
  - Signature verification
  - No `latest` tags
  - Security context requirements
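The four admission checks listed above as one Kyverno `ClusterPolicy`. This is an added example, not from the original page or the Kyverno project; it assumes images are signed with `cosign` using a key pair, the registry `registry.example.com` is a placeholder, and the public key block is a placeholder to be replaced with the real verification key.

```yaml
# Added example: Kyverno ClusterPolicy enforcing registry allowlist, no :latest,
# cosign signature verification and a baseline securityContext on admission.
# The registry name and the public key are placeholders.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: supply-chain-baseline
spec:
  validationFailureAction: Enforce   # reject, do not merely audit
  background: false
  webhookTimeoutSeconds: 30
  rules:
    # Image source allowlist: only images from our registry may run
    - name: allowed-registries
      match:
        any:
          - resources:
              kinds: ["Pod"]
      validate:
        message: "Images must come from registry.example.com"
        pattern:
          spec:
            containers:
              - image: "registry.example.com/*"
    # An explicit tag (or digest) is required ...
    - name: require-image-tag
      match:
        any:
          - resources:
              kinds: ["Pod"]
      validate:
        message: "An image tag or digest is required"
        pattern:
          spec:
            containers:
              - image: "*:*"
    # ... and that tag must not be 'latest'
    - name: disallow-latest-tag
      match:
        any:
          - resources:
              kinds: ["Pod"]
      validate:
        message: "Images must not use the 'latest' tag"
        pattern:
          spec:
            containers:
              - image: "!*:latest"
    # Security context requirements on every container
    - name: require-security-context
      match:
        any:
          - resources:
              kinds: ["Pod"]
      validate:
        message: "Containers must drop ALL capabilities and disable privilege escalation"
        pattern:
          spec:
            containers:
              - securityContext:
                  allowPrivilegeEscalation: false
                  readOnlyRootFilesystem: true
                  capabilities:
                    drop: ["ALL"]
    # Signature verification with cosign; unsigned images are rejected and
    # admitted tags are rewritten to the verified digest.
    - name: verify-signature
      match:
        any:
          - resources:
              kinds: ["Pod"]
      verifyImages:
        - imageReferences:
            - "registry.example.com/*"
          required: true
          mutateDigest: true
          attestors:
            - entries:
                - keys:
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      PLACEHOLDER_COSIGN_PUBLIC_KEY
                      -----END PUBLIC KEY-----
```

The validate rules above cover `spec.containers`; `initContainers` and `ephemeralContainers` need the same patterns or an attacker-controlled init container sidesteps the check. Roll a new policy out with `validationFailureAction: Audit` first and read the policy reports, then switch to `Enforce` once nothing legitimate is being flagged.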
## Compliance

- Pod Security Standards: enforce `restricted` profile
- Audit logging enabled on API server
- Resource tagging for cost and ownership tracking
- Regular CIS benchmark scans (kube-bench)
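The first three compliance points in config form: a Namespace carrying the Pod Security Admission labels for the `restricted` profile plus ownership labels, and an API-server audit policy. This is an added example and not from the original page; the namespace name, the `owner` and `cost-centre` label values are placeholders, and the audit policy is a reduced one to show the structure, not a recommended production policy.

```yaml
# Added example: PSA labels enforcing the "restricted" profile on a namespace,
# ownership labels, and a minimal API-server audit policy. Values are placeholders.
apiVersion: v1
kind: Namespace
metadata:
  name: example-ns
  labels:
    # Pod Security Admission: reject anything outside "restricted",
    # and also record (audit) and warn, so violations are visible.
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
    # Ownership / cost tracking
    owner: platform-team
    cost-centre: cc-1234
---
# API-server audit policy, passed with --audit-policy-file on the kube-apiserver.
# Secrets are logged at Metadata level only, so their values never reach the log.
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  # Drop the noisiest, lowest-value events
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: ""
        resources: ["endpoints", "services"]
  # Who touched secrets and configmaps, but never the payload
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps"]
  # Full request and response for RBAC changes: these are the privilege-escalation path
  - level: RequestResponse
    resources:
      - group: "rbac.authorization.k8s.io"
        resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]
  # Everything else at Metadata
  - level: Metadata
```

Before switching `enforce` on for an existing namespace, set only `warn` and `audit` and run `kubectl label --dry-run=server --overwrite ns example-ns pod-security.kubernetes.io/enforce=restricted`, which reports the pods that would be rejected. For the last bullet, `kube-bench run` on a node evaluates the CIS Kubernetes Benchmark checks against the local kubelet and, on control-plane nodes, the API server, scheduler and controller-manager configuration.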