π Kubernetes Security: Pod Security Contexts & Network Policies
In this guide, weβre stepping into real-world Kubernetes security. Not theory β actual hands-on controls that protect your workloads.
π 1. Pod Security Context (Lock Down the Container)
By default, containers can run with more privileges than they should. A Security Context lets you enforce restrictions like:
- Running as a non-root user
- Blocking privilege escalation
- Removing unnecessary Linux capabilities
π File: 01-pod-security-context.yaml
apiVersion: v1
kind: Pod
metadata:
name: security-context-demo
spec:
# Pod-level security settings
securityContext:
runAsUser: 1000 # Run container as non-root user (UID 1000)
runAsGroup: 3000 # Assign group ID
fsGroup: 2000 # Controls file permissions on mounted volumes
containers:
- name: sec-ctx-demo
image: busybox
# Keep container alive for testing
command: ["sh", "-c", "sleep 3600"]
securityContext:
allowPrivilegeEscalation: false # Prevent gaining extra privileges
capabilities:
drop:
- ALL # Remove ALL Linux capabilities (very important)
volumeMounts:
- name: sec-ctx-vol
mountPath: /data/demo
volumes:
- name: sec-ctx-vol
emptyDir: {} # Temporary storage inside pod
This configuration applies least privilege principles:
- π€ Runs as a non-root user β safer by default
- π« Blocks privilege escalation β stops exploits
- π Drops all capabilities β removes unnecessary power
π Run & Test
kubectl apply -f 01-pod-security-context.yaml
Verify the user inside the container:
kubectl exec security-context-demo -- id
You should see UID 1000 instead of root (UID 0).
Now test privilege restriction:
kubectl exec security-context-demo -- date -s "2024-01-01"
β This should fail β proving privilege escalation is blocked.
π 2. Network Policies (Control Traffic Between Pods)
By default, Kubernetes allows all pods to talk to each other. Thatβs dangerous in production.
π File: 02-network-policy.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: api-allow-frontend
spec:
# Apply policy to API pods
podSelector:
matchLabels:
app: api
policyTypes:
- Ingress # Only control incoming traffic
ingress:
- from:
# Only allow pods with label app=frontend
- podSelector:
matchLabels:
app: frontend
ports:
- protocol: TCP
port: 8080
This policy means:
- β Frontend pods β can access API
- β Everything else β blocked
π File: 03-api-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: api-deployment
spec:
replicas: 1
selector:
matchLabels:
app: api
template:
metadata:
labels:
app: api
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 8080
This creates a simple API service using nginx on port 8080.
π Apply Everything
kubectl apply -f 03-api-deployment.yaml kubectl expose deployment api-deployment --port=8080 kubectl apply -f 02-network-policy.yaml
π§ͺ Test the Security
β Test from unauthorized pod:
kubectl run test-pod --image=busybox --rm -it -- wget -T 2 http://api-deployment:8080
This should fail (timeout) β access denied.
β Test from allowed frontend pod:
kubectl run frontend --labels=app=frontend --image=busybox --rm -it -- wget -T 2 http://api-deployment:8080
This should succeed π
π§ What You Just Achieved
| Feature | What it does |
|---|---|
| Security Context | Runs containers with minimal privileges |
| Network Policy | Controls which pods can communicate |
| Least Privilege | Only allow what is absolutely necessary |
π§Ή Cleanup
kubectl delete pod security-context-demo kubectl delete deployment api-deployment kubectl delete service api-deployment kubectl delete networkpolicy api-allow-frontend
π‘ Final Thoughts
Youβve just implemented two of the most important Kubernetes security layers:
- π Container-level security (Security Context)
- π Network-level security (Network Policies)
These are foundational skills for anyone working in DevOps or cloud engineering.