Part 10 Conceptual Complete

Part 10: "Fortress K8s" — RBAC, Network Policies, and Security Best Practices

"Fortress K8s" — RBAC, Network Policies, and Security Best Practices

June 28, 2025 8 min read

The Story So Far…

Alex, a seasoned engineer accustomed to the predictable world of monolithic applications and virtual machines, was finding his footing at NovaCraft. The startup’s fast-paced environment and its reliance on Kubernetes had been a whirlwind education. He had navigated the complexities of deployments, wrestled with storage, and even tamed the wild beast of networking. But just as a sense of comfort began to set in, a new challenge emerged, one that struck a familiar chord of dread and responsibility: a security audit.

An email from the CTO landed in Alex’s inbox, its subject line a stark reminder of the stakes involved: “Urgent: Upcoming Security Audit.” The message was brief and to the point. A third-party security firm would be conducting a full audit of their infrastructure in two weeks. The CTO’s closing words, “Let’s make sure we’re ready,” carried an unspoken weight. Alex knew that while Kubernetes had enabled NovaCraft’s rapid growth, it also presented a new and complex attack surface. The freewheeling days of development were over; it was time to build a fortress.

The Conceptual Deep-Dive: Isolating and Securing a Kingdom

Alex began to think of the Kubernetes cluster as a kingdom. In the early days, the kingdom was a single, open city where anyone could wander anywhere and access anything. This was fine for a small, trusted community, but as the kingdom grew, so did the risks. New citizens (developers), services (applications), and visitors (external traffic) arrived daily. A single rogue actor or a careless mistake could bring the entire kingdom to its knees.

To secure the kingdom, Alex realized he needed to introduce layers of control, much like a medieval city would have walls, gates, and guards. This is where Kubernetes’ security primitives come into play.

Namespaces: The Walled Cities

First, Alex considered Namespaces. He envisioned them as walled cities within the larger kingdom. Each city could house a specific community—for example, the dev city, the staging city, and the prod city. While not a foolproof security boundary on their own, they provide a crucial first layer of logical isolation. Resources within one namespace are not directly accessible from another, preventing accidental or malicious interference. This concept of multi-tenancy is fundamental to managing a complex cluster with multiple teams and applications.

RBAC: The Gatekeepers and Their Keys

Next, Alex turned his attention to Role-Based Access Control (RBAC). If Namespaces are the walled cities, RBAC provides the gatekeepers and the keys. It’s a system for defining who can do what within the kingdom. Instead of granting every citizen a master key, RBAC allows for the creation of specific roles with granular permissions.

Roles and ClusterRoles: A Role is a set of permissions within a specific namespace (a city). For example, a developer-role in the dev namespace might allow creating and deleting Pods but not modifying the city walls (the Namespace itself). A ClusterRole, on the other hand, is a set of permissions that applies to the entire kingdom. This is for powerful roles like a cluster administrator who needs to manage all the cities.
RoleBindings and ClusterRoleBindings: A RoleBinding grants the permissions defined in a Role to a specific user or group of users within a namespace. A ClusterRoleBinding does the same for a ClusterRole, granting permissions across the entire cluster.

ServiceAccounts and Pod Security: The Royal Messengers

Alex then considered how the applications themselves, running in Pods, would interact with the Kubernetes API. This is where ServiceAccounts come in. A ServiceAccount provides an identity for processes that run in a Pod. Think of it as a royal messenger, with a specific set of credentials and permissions. By default, every namespace has a default ServiceAccount, but for better security, it’s wise to create specific ServiceAccounts for each application with the minimum necessary permissions.

Network Policies: The City’s Internal Guards

Even within a walled city, not everyone should be able to enter every building. This is where Network Policies come into play. They act as internal guards, controlling the flow of traffic between Pods within a namespace. By default, all Pods in a namespace can communicate with each other. Network Policies allow you to define rules that specify which Pods can talk to which other Pods. This concept, known as microsegmentation, is a powerful tool for limiting the blast radius of a security breach.

Security Contexts and Pod Security Standards: The Laws of the Land

Finally, Alex looked at Security Contexts and Pod Security Standards. These are the laws of the land, defining what processes are allowed to do on the underlying host machines. A SecurityContext can be set on a Pod or a Container to specify things like the user and group ID to run as, whether to run as a privileged container, and what Linux capabilities to allow. Pod Security Standards are a set of predefined security policies that can be enforced at the namespace level, ensuring that all Pods in that namespace adhere to a certain security baseline.

The Technical Explanation: Under the Hood of Kubernetes Security

With a clear conceptual model in mind, Alex dove into the technical details. He knew that understanding how these security mechanisms worked under the hood was crucial for implementing them effectively.

RBAC in Action

When a user or a ServiceAccount makes a request to the Kubernetes API server, the request goes through a series of authentication and authorization steps. If RBAC is enabled, the API server checks for any RoleBindings or ClusterRoleBindings that apply to the user. It then checks the associated Role or ClusterRole to see if the requested action is allowed on the requested resource. If a matching rule is found, the request is authorized. If not, it’s denied.

Network Policies and CNI

Network Policies are implemented by the Container Network Interface (CNI) plugin. Not all CNI plugins support Network Policies, so it’s important to choose one that does, such as Calico, Cilium, or Weave Net. When a Network Policy is created, the CNI plugin translates the policy into rules that are enforced at the network level, typically using technologies like iptables or eBPF.

Step-by-Step Hands-On: Building Fortress K8s

Now it was time for Alex to put his knowledge into practice. He decided to create a secure environment for a new microservice that the NovaCraft team was developing.

Prerequisites

A running Kubernetes cluster. For local development on macOS, you can use minikube or Docker Desktop.
kubectl installed and configured to connect to your cluster.

1. Create Namespaces

First, Alex created two namespaces: dev and prod.

kubectl create namespace dev
kubectl create namespace prod

2. Set up RBAC

Next, he created a Role for developers in the dev namespace. This role would allow them to manage Pods, Services, and Deployments, but not to modify the namespace itself.

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: dev
  name: developer
rules:
- apiGroups: [""]
  resources: ["pods", "services"]
  verbs: ["create", "get", "list", "update", "delete"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["create", "get", "list", "update", "delete"]

He applied the role:

kubectl apply -f dev-role.yaml

Then, he created a RoleBinding to grant this role to a hypothetical developer named “jane”.

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: jane-developer
  namespace: dev
subjects:
- kind: User
  name: jane
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: developer
  apiGroup: rbac.authorization.k8s.io

He applied the binding:

kubectl apply -f jane-dev-binding.yaml

3. Implement Network Policies

Now, Alex wanted to implement a Network Policy in the prod namespace to restrict traffic to a new api-service. The policy would only allow traffic from the frontend Pods.

First, he created the prod namespace and two deployments, api-service and frontend, with appropriate labels.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: api-service
  namespace: prod
  labels:
    app: api-service
spec:
  replicas: 1
  selector:
    matchLabels:
      app: api-service
  template:
    metadata:
      labels:
        app: api-service
    spec:
      containers:
            - name: nginx
        image: nginx
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: frontend
  namespace: prod
  labels:
    app: frontend
spec:
  replicas: 1
  selector:
    matchLabels:
      app: frontend
  template:
    metadata:
      labels:
        app: frontend
    spec:
      containers:
            - name: busybox
        image: busybox
        command: ["sleep", "3600"]

He applied the deployments:

kubectl apply -f prod-deployments.yaml

Next, he created the Network Policy.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-service-policy
  namespace: prod
spec:
  podSelector:
    matchLabels:
      app: api-service
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
        matchLabels:
          app: frontend

He applied the policy:

kubectl apply -f api-service-policy.yaml

Now, only Pods with the label app: frontend can connect to Pods with the label app: api-service in the prod namespace.

Debugging/Troubleshooting Tips

RBAC Issues: If a user is getting permission denied errors, use kubectl auth can-i to check their permissions. For example: kubectl auth can-i create pods --namespace dev --as jane.
Network Policy Not Working: Ensure your CNI plugin supports Network Policies. You can also use tools like cilium monitor to observe network traffic and debug policy issues.

Key Takeaways

Namespaces provide logical isolation and a first layer of defense.
RBAC is essential for implementing the principle of least privilege.
ServiceAccounts give identities to your applications.
Network Policies enable microsegmentation and control traffic flow between Pods.
Security Contexts and Pod Security Standards harden your Pods and the underlying nodes.

Story Closing + Teaser

As Alex finished implementing the new security measures, he felt a sense of accomplishment. The Kubernetes kingdom was no longer a wide-open city. It was now a fortress, with walls, gates, and guards, all working in concert to protect its valuable assets. The upcoming security audit no longer seemed so daunting. He had laid the foundation for a secure and scalable infrastructure.

But as he closed his laptop for the day, a new thought crossed his mind. What about the secrets? The API keys, the database credentials, the TLS certificates? They were the crown jewels of the kingdom. How could he ensure they were stored and managed securely? The next chapter in his Kubernetes journey was already beginning to unfold.

Series Progress 14/14 parts

0 The Container Odyssey: A Kubernetes Tutorial Series: Season 1 Complete 1 Part 1: "The New Gig" — Why Kubernetes Exists and What Problem It Solves Complete 2 Part 2: "Containers 101" — Docker Fundamentals You Actually Need for K8s Complete 3 Part 3: The First Deploy — Pods, the Atomic Unit of Kubernetes Complete 4 Part 4: "Scaling the Team" — ReplicaSets, Deployments, and Rolling Updates Complete 5 Part 5: "Opening the Doors" — Services, Networking, and Ingress Complete 6 Part 6: "The Config Puzzle" — ConfigMaps, Secrets, and Environment Management Complete 7 Part 7: "Persistent Memories" — Storage, Volumes, and StatefulSets Complete 8 Part 8: The Night Watch — Health Checks, Resource Management, and Observability Complete 9 Part 9: "The Assembly Line" — Jobs, CronJobs, and DaemonSets Complete 9 Part 9: "The Assembly Line" — Jobs, CronJobs, and DaemonSets Complete 10 Part 10: "Fortress K8s" — RBAC, Network Policies, and Security Best Practices Complete 11 Part 11: "The Helm of the Ship" — Helm, Kustomize, and Templating Complete 12 Part 12: "Production Ready" — CI/CD, GitOps, and the Road Ahead Complete