As Kubernetes adoption grows, securing workloads becomes critical to protect applications and data from unauthorized access, privilege escalation, and lateral movement within the cluster. This post dives deep into Pod Security Policies (PSPs) and network segmentation — foundational mechanisms to harden your Kubernetes environment.

  • PSPs define a set of conditions that pods must comply with to be accepted by the cluster.
  • They control pod security attributes such as running as root, volume usage, host networking, and capabilities.
  • Enforced at admission time via the Kubernetes API server.
  • Require enabling the PodSecurityPolicy admission controller.
  • PSPs integrate with RBAC to specify which users or service accounts can create pods with certain security constraints.

Key PSP controls include:

  • runAsUser: Enforce running containers as non-root users.
  • allowedCapabilities: Restrict Linux capabilities granted to containers.
  • volumes: Limit usage of hostPath, emptyDir, or other volume types.
  • hostNetwork and hostPID: Prevent pods from accessing host network or PID namespaces.
  • readOnlyRootFilesystem: Enforce read-only file systems for containers.

Best Practices for Designing Pod Security Policies

  • Adopt least privilege principle — deny privileged containers unless explicitly needed.
  • Use multiple PSPs for different workload tiers (e.g., system pods, trusted apps, untrusted apps).
  • Combine PSPs with RBAC policies to tightly control who can create which pod types.
  • Regularly audit existing pods for policy violations using tools like kube-bench or kube-hunter.
  • Gradually introduce PSPs in stages to avoid service disruption.

Network Segmentation in Kubernetes

Network segmentation restricts traffic flow between pods, namespaces, and external services to minimize attack surfaces and contain breaches.

Implementing Network Segmentation with Kubernetes Network Policies

  • Kubernetes Network Policies define how pods communicate at the IP address or port level.
  • Enforced by the cluster’s CNI plugin (Calico, Cilium, Weave, etc.).
  • Policies are namespace-scoped and use selectors to specify source and destination pods.
  • Can allow or deny ingress and egress traffic based on labels, ports, and protocols.

Example capabilities:

  • Isolate namespaces by default (deny all ingress/egress).
  • Allow only trusted pods or namespaces to communicate.
  • Restrict access to sensitive components like databases or monitoring.
  • Enforce zero-trust within the cluster network.

Designing Effective Network Policies

  • Start with a deny-all default policy and explicitly whitelist necessary traffic.
  • Use podSelector and namespaceSelector to scope rules accurately.
  • Segment multi-tenant environments by namespace and labels.
  • Monitor policy effectiveness with network observability tools.
  • Test policies in staging to prevent accidental service disruptions.

Complementary Security Measures

  • Combine PSPs and Network Policies with RBAC for comprehensive security control.
  • Use Security Contexts at pod and container level to set user, capabilities, and privilege settings.
  • Enable runtime security tools (Falco, Aqua, Sysdig) to detect suspicious activity.
  • Regularly scan container images for vulnerabilities.
  • Encrypt Kubernetes secrets and use service mesh features for mTLS and policy enforcement.

Challenges and Future Directions

  • PSPs are deprecated in newer Kubernetes versions; consider migrating to Pod Security Admission or third-party policy engines like OPA Gatekeeper or Kyverno.
  • Network policies depend heavily on the underlying CNI plugin capabilities.
  • Continuous monitoring and automated policy enforcement are vital as workloads evolve.

Conclusion

Securing Kubernetes workloads requires a layered approach. Pod Security Policies enforce pod-level security constraints while Network Segmentation limits attack surface by restricting network access. Together, they form a strong foundation to safeguard your cluster in production environments.

Stay vigilant, adopt best practices, and leverage emerging Kubernetes security tools to maintain a resilient and secure cloud-native infrastructure.