Kubernetes Security: RBAC, Network Policies, and Runtime Protection
Part of the Cybersecurity Skills Guide — This article is one deep-dive in our complete guide series.
By HADESS Team | February 28, 2026 | Updated: February 28, 2026 | 5 min read
A default Kubernetes cluster is wide open. Pods talk to any pod, service accounts get more permissions than they need, and secrets sit base64-encoded (not encrypted) in etcd. Fixing that requires deliberate configuration across multiple layers.
RBAC: Stop Using cluster-admin for Everything
Role-Based Access Control is how you restrict what users and service accounts can do. The default service account in every namespace gets mounted into pods automatically — and often has more permissions than the workload needs.
Start here:
- Disable automatic service account token mounting with automountServiceAccountToken: false in your pod spec
- Create dedicated service accounts per workload with only the permissions that workload requires
- Use Roles (namespace-scoped) over ClusterRoles unless the workload genuinely needs cluster-wide access
- Audit RBAC regularly with kubectl auth can-i --list --as=system:serviceaccount:namespace:sa-name
Avoid wildcards in RBAC rules. verbs: ["*"] on resources: ["*"] is cluster-admin with extra steps.
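The pattern above, as an added example that is not part of the original article: a dedicated service account whose token is not mounted by default, a namespace-scoped Role limited to one ConfigMap, the RoleBinding, and a Pod that opts in to the token only because it genuinely watches that ConfigMap. The namespace "payments", the service account "orders-api", the ConfigMap name and the image are assumed.

```yaml
# Added example, not from the article. Names below are assumed.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: orders-api
  namespace: payments
automountServiceAccountToken: false   # pods using this SA get no token unless they opt in
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role                            # namespace-scoped; no ClusterRole needed here
metadata:
  name: orders-api-config-reader
  namespace: payments
rules:
  - apiGroups: [""]                   # core API group
    resources: ["configmaps"]
    resourceNames: ["orders-api-config"]  # only the single object this workload reads
    verbs: ["get", "watch"]           # no list/create/update/delete, and no wildcards
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: orders-api-config-reader
  namespace: payments
subjects:
  - kind: ServiceAccount
    name: orders-api
    namespace: payments
roleRef:
  kind: Role
  name: orders-api-config-reader
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: Pod
metadata:
  name: orders-api
  namespace: payments
spec:
  serviceAccountName: orders-api
  automountServiceAccountToken: true  # explicit opt-in: this pod watches its ConfigMap via the API
  containers:
    - name: app
      image: registry.example.com/payments/orders-api:1.4.2   # assumed image
```

After applying it, the audit command from the list above becomes kubectl auth can-i --list --as=system:serviceaccount:payments:orders-api -n payments; the output should show only get and watch on configmaps, plus the selfsubjectaccessreviews and selfsubjectrulesreviews every authenticated identity has. Any pod that reuses this service account without setting automountServiceAccountToken: true itself receives no token at all.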
Network Policies: Default Deny, Then Allow
Without network policies, every pod can reach every other pod in the cluster. A compromised pod in your logging namespace can hit your database pod directly.
Set a default deny policy in every namespace:
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
```
Then create specific allow rules for legitimate traffic. Your CNI plugin must support NetworkPolicy (Calico, Cilium, and Weave do; Flannel alone does not).
Pod Security
Pod Security Standards replaced PodSecurityPolicies in Kubernetes 1.25+. Apply them at the namespace level:
- Restricted: No privilege escalation, non-root, read-only root filesystem. Use this for production workloads.
- Baseline: Prevents known privilege escalations. Minimum for any namespace.
- Privileged: No restrictions. Only for system-level namespaces like kube-system.
```bash
kubectl label namespace production \
  pod-security.kubernetes.io/enforce=restricted \
  pod-security.kubernetes.io/warn=restricted
```
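The same labels expressed as a Namespace manifest, together with a Pod that actually passes the Restricted profile, as an added example that is not part of the original article. The namespace name is the article's; the pinned profile version, the workload name and the image are assumed. The Restricted profile requires runAsNonRoot, allowPrivilegeEscalation: false, dropping all capabilities and a RuntimeDefault (or Localhost) seccomp profile; readOnlyRootFilesystem is not enforced by the profile itself, so it is set here explicitly as the article recommends.

```yaml
# Added example, not from the article. Profile version, pod name and image are assumed.
apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: v1.25   # pin the profile version you tested against
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted        # also record violations in the API audit log
---
apiVersion: v1
kind: Pod
metadata:
  name: web
  namespace: production
spec:
  securityContext:
    runAsNonRoot: true                  # Restricted: container must not run as UID 0
    runAsUser: 10001                    # assumed unprivileged UID baked into the image
    seccompProfile:
      type: RuntimeDefault              # Restricted: seccomp must be RuntimeDefault or Localhost
  containers:
    - name: web
      image: registry.example.com/web:1.0.0   # assumed image that does not need root
      securityContext:
        allowPrivilegeEscalation: false # Restricted: no setuid/setgid gains
        capabilities:
          drop: ["ALL"]                 # Restricted: only NET_BIND_SERVICE may be added back
        readOnlyRootFilesystem: true    # not part of Restricted; recommended by the article
      volumeMounts:
        - name: tmp
          mountPath: /tmp               # writable scratch space despite the read-only root
  volumes:
    - name: tmp
      emptyDir: {}
```

Before switching enforce on for an existing namespace, preview what would be rejected with kubectl label --dry-run=server --overwrite ns production pod-security.kubernetes.io/enforce=restricted; the server-side dry run prints a warning for every pod that would fail the profile without changing anything.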
Secrets: Encrypt at Rest
Kubernetes secrets are base64-encoded by default — that is encoding, not encryption. Enable encryption at rest in the API server configuration using an EncryptionConfiguration file. Better yet, integrate with an external KMS provider (AWS KMS, HashiCorp Vault, Azure Key Vault) so encryption keys never touch the cluster.
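An EncryptionConfiguration that does what the paragraph describes, as an added example that is not part of the original article. It is passed to kube-apiserver with --encryption-provider-config. The KMS plugin name and socket path are assumed, and the aescbc key is a placeholder that must be replaced with 32 random bytes, base64-encoded, kept out of source control. Provider order matters: the first provider encrypts new writes, every listed provider is tried when reading, and identity (plaintext) must stay last so objects written before encryption was enabled remain readable.

```yaml
# Added example, not from the article. Plugin name, socket path and key are placeholders.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
      - configmaps                      # ConfigMaps frequently hold material that is secret in practice
    providers:
      # First provider is used for writes; all providers are tried, in order, for reads.
      - kms:
          apiVersion: v2
          name: cloud-kms-plugin        # assumed plugin name; keys stay in the external KMS
          endpoint: unix:///var/run/kms-plugin/socket.sock   # assumed socket the plugin listens on
          timeout: 3s
      - aescbc:                         # local key: migration path or fallback only
          keys:
            - name: key1
              secret: "<BASE64_32_BYTE_KEY_PLACEHOLDER>"
      - identity: {}                    # plaintext: keep LAST, never first
```

Enabling the configuration only affects objects written afterwards; existing secrets stay in plaintext in etcd until they are rewritten, which the Kubernetes documentation does with kubectl get secrets --all-namespaces -o json | kubectl replace -f -. If identity were listed first, nothing would be encrypted and the configuration would silently be a no-op.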
Admission Controllers
Admission controllers intercept API requests before objects persist. The built-in ones matter:
- PodSecurity enforces pod security standards
- NodeRestriction limits what kubelets can modify
- AlwaysPullImages forces image pulls to prevent using cached (potentially stale) images
For custom policy, OPA Gatekeeper or Kyverno let you write rules like “no containers from untrusted registries” or “all pods must have resource limits.”
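Both rules quoted in the paragraph, written as a single Kyverno ClusterPolicy, as an added example that is not part of the original article or of the Kyverno project. The trusted registry prefix and the exempted namespace are assumed. The "?*" pattern in Kyverno means "any non-empty value", and the =(initContainers) anchor means "if initContainers is present, it must also match".

```yaml
# Added example, not from the article. Registry prefix and exemption are assumed.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: baseline-workload-policy
spec:
  validationFailureAction: Enforce     # start with Audit to measure impact, then switch to Enforce
  background: true                     # also report already-running resources that violate the rules
  rules:
    - name: trusted-registry-only
      match:
        any:
          - resources:
              kinds: ["Pod"]
      exclude:
        any:
          - resources:
              namespaces: ["kube-system"]   # assumed exemption for system components
      validate:
        message: "Images must come from registry.example.com"
        pattern:
          spec:
            containers:
              - image: "registry.example.com/*"
            =(initContainers):             # only checked when initContainers exist
              - image: "registry.example.com/*"
    - name: require-resource-limits
      match:
        any:
          - resources:
              kinds: ["Pod"]
      validate:
        message: "Every container must set CPU and memory limits"
        pattern:
          spec:
            containers:
              - resources:
                  limits:
                    cpu: "?*"            # any non-empty value
                    memory: "?*"
```

Matching on Pod rather than Deployment catches every path that creates pods (Jobs, CronJobs, DaemonSets, direct pod creation), and Kyverno reports violations against the parent controller in its policy reports. Roll it out with validationFailureAction: Audit first, review the generated PolicyReport objects, and only then move to Enforce.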
Related Career Paths
Kubernetes security is a core competency for Cloud Security Engineers and DevSecOps engineers. Map out your current proficiency on the skills page and compare against role requirements.
Next Steps
- Take a skills assessment to benchmark your Kubernetes security knowledge
- Plan your certification path — CKS (Certified Kubernetes Security Specialist) is the standard credential
- Practice in a workspace with hands-on Kubernetes security scenarios
- Explore open positions requiring Kubernetes security expertise
- Calculate your market value based on your Kubernetes skill set
Related Guides in This Series
- Docker Security: Hardening Containers from Build to Runtime — HADESS | 2026
- Helm Security: Chart Signing, Repository Safety, and Template Hardening — HADESS | 2026
- Kubernetes Backup: Velero, etcd Snapshots, and Disaster Recovery — HADESS | 2026
Take the Next Step
Browse 80+ skills on HADESS.
See your certification roadmap.
Get started free — Create your HADESS account and access all career tools.
Frequently Asked Questions
How long does it take to learn this skill?
Most practitioners build working proficiency in 4-8 weeks of dedicated study with hands-on practice. Mastery takes longer and comes primarily through on-the-job experience.
Do I need certifications for this skill?
Certifications validate your knowledge to employers but are not strictly required. Hands-on experience and portfolio projects often carry more weight in technical interviews. Check the certification roadmap for relevant options.
What career paths use this skill?
Explore the career path explorer to see which roles require this skill and how it fits into different cybersecurity specializations.
—
HADESS Team consists of cybersecurity practitioners, hiring managers, and career strategists who have collectively spent 50+ years in the field.
