Container & Kubernetes Security¶

Containers and Kubernetes power modern apps — and introduce new attack surface at every layer.

The Container Threat Model (4 C's)¶

Cloud  →  Cluster  →  Container  →  Code

Security at each layer builds on the one outside it. A weakness in any layer can undermine the rest.

Securing Container Images¶

1.Minimal base images — distroless/Alpine shrink attack surface.
2.Scan images for known vulnerabilities (Trivy, Grype) in CI.
3.Pin versions & verify signatures — avoid :latest; sign images (cosign/Sigstore).
4.No secrets in images — inject at runtime via a secrets manager.
5.Run as non-root — set a non-root USER; drop Linux capabilities.
6.Read-only root filesystem where possible.

Runtime Container Security¶

Don't run privileged containers — --privileged ≈ root on the host.
Drop unneeded capabilities; use seccomp/AppArmor profiles.
Set resource limits (prevent noisy-neighbor / DoS).
Runtime detection (Falco) for anomalous container behavior.

Kubernetes Security Essentials¶

Area	Control
API server	The crown jewel — lock down access, enable audit logs
RBAC	Least-privilege roles; avoid `cluster-admin` sprawl
Network Policies	Default-deny pod-to-pod traffic; segment namespaces
Secrets	Encrypt etcd at rest; use external secret stores
Pod Security	Pod Security Standards/admission control (no privileged pods)
Admission control	OPA/Gatekeeper or Kyverno to enforce policy

etcd stores all cluster state and secrets — encrypt it at rest and restrict access tightly. Compromising etcd compromises the whole cluster.

Common Misconfigurations¶

Overly permissive RBAC (cluster-admin for apps).
Exposed dashboard or API server to the internet.
No network policies → flat pod network, easy lateral movement.
Secrets in environment variables or plain manifests.
Containers running as root / privileged.

Supply Chain for Containers¶

Your image is only as trustworthy as everything inside it. Scan, sign, and verify; generate an SBOM (next lesson) so you know exactly what's in each image when the next Log4Shell drops.

Securing Container Images¶

1.Minimal base images — distroless/Alpine shrink attack surface.

2.Scan images for known vulnerabilities (Trivy, Grype) in CI.

3.Pin versions & verify signatures — avoid :latest; sign images (cosign/Sigstore).

4.No secrets in images — inject at runtime via a secrets manager.

5.Run as non-root — set a non-root USER; drop Linux capabilities.

6.Read-only root filesystem where possible.

Kubernetes Security Essentials¶

Area	Control
API server	The crown jewel — lock down access, enable audit logs
RBAC	Least-privilege roles; avoid `cluster-admin` sprawl
Network Policies	Default-deny pod-to-pod traffic; segment namespaces
Secrets	Encrypt etcd at rest; use external secret stores
Pod Security	Pod Security Standards/admission control (no privileged pods)
Admission control	OPA/Gatekeeper or Kyverno to enforce policy

etcd stores all cluster state and secrets — encrypt it at rest and restrict access tightly. Compromising etcd compromises the whole cluster.