
K8S Security


39 cards — 🟢 6 easy | 🟡 14 medium | 🔴 6 hard

🟢 Easy (6)

1. True or False? If no network policies are applied to a pod, then no connections to or from it are allowed

False. By default, pods are non-isolated — all ingress and egress traffic is allowed. Network policies only take effect when explicitly applied, and they use a whitelist model: once any policy selects a pod, all traffic not explicitly allowed is denied.
Gotcha: NetworkPolicy requires a CNI plugin that supports it (Calico, Cilium); not all do.

2. What is PodSecurity and how can it be configured in a Kubernetes cluster?

* PodSecurity in Kubernetes: PodSecurity refers to policies and configurations that control the security context of pods.
* It includes settings related to running as a privileged user, allowing privileged containers, and more.
* PodSecurityPolicy was removed in K8s 1.25. Use the built-in Pod Security Admission controller with labels (enforce/audit/warn) and Pod Security Standards (privileged/baseline/restricted).

Remember: K8s security layers: RBAC (who), NetworkPolicy (what), PSA (how), encryption (data).

3. What is the purpose of an admission controller in Kubernetes, and how can you extend it?

* Admission Controller in Kubernetes:
* Admission controllers validate and mutate Kubernetes resources before they are persisted. They enforce policies and security measures.
* Extending Admission Controllers:
* Custom admission controllers can be created to enforce specific organization or application-specific policies.
* Use the Kubernetes admission webhook mechanism to extend admission control.

Remember: Admission controllers intercept API requests. Types: validating and mutating.

Example: LimitRanger, PodSecurity, OPA/Gatekeeper — common admission controllers.

4. What is the difference between Role and ClusterRole objects?

The difference between them is that a Role is used at a namespace level whereas a ClusterRole is for the entire cluster.

Remember: K8s security layers: RBAC (who), NetworkPolicy (what), PSA (how), encryption (data).

Remember: Role = namespaced permissions. ClusterRole = cluster-wide permissions. Same syntax, different scope.

Example: Role in namespace dev can grant access to pods in dev only. ClusterRole can grant access to pods in ALL namespaces.

Gotcha: ClusterRoles can be referenced by RoleBindings (scoping them to one namespace) — a powerful pattern for reuse.

5. How to list Service Accounts?

`kubectl get serviceaccounts`

Remember: K8s security layers: RBAC (who), NetworkPolicy (what), PSA (how), encryption (data).

Remember: `kubectl get sa` (short for serviceaccounts). Every namespace has a default SA created automatically.

Gotcha: The default SA may have more permissions than you expect — always audit RoleBindings referencing it.

6. What is Datree? How is it different from Conftest?

Same as Conftest, it is used for policy testing and enforcement. The difference is that it comes with built-in policies.

Remember: K8s security layers: RBAC (who), NetworkPolicy (what), PSA (how), encryption (data).

Remember: Datree = Conftest + built-in policy library. Conftest = bring your own policies (Rego). Datree is easier to start; Conftest is more flexible.

Gotcha: Both tools validate YAML before deployment — they are not runtime enforcers like OPA Gatekeeper.

🟡 Medium (14)

1. Explain how Gatekeeper works

On every request sent to the Kubernetes cluster, Gatekeeper sends the policies and the resources to OPA (Open Policy Agent) to check whether the request violates any policy. If it does, Gatekeeper returns the policy error message. If it doesn't violate any policy, the request reaches the cluster.

Remember: K8s security layers: RBAC (who), NetworkPolicy (what), PSA (how), encryption (data).

2. Explain the role of RBAC (Role-Based Access Control) in Kubernetes.

* RBAC in Kubernetes: RBAC is a Kubernetes feature that defines roles, role bindings, and cluster roles to control access.
* It enables administrators to grant permissions to users, groups, or service accounts based on roles.
* RBAC enhances security by enforcing the principle of least privilege.

Remember: RBAC = 4 objects: Role, ClusterRole, RoleBinding, ClusterRoleBinding. "2+2."

3. What are some use cases for using Network Policies?

- Security: You want to prevent everyone from communicating with a certain pod for security reasons
- Controlling network traffic: You would like to deny network flow between two specific nodes

Remember: K8s security layers: RBAC (who), NetworkPolicy (what), PSA (how), encryption (data).

Example: Isolate a database pod so only the API pod can reach it: NetworkPolicy with ingress from pods labeled app=api.

Remember: NetworkPolicies are additive — multiple policies on the same pod combine their allowed traffic.

4. What is OPA Gatekeeper and how does it enforce policies in Kubernetes?

[Gatekeeper docs](https://open-policy-agent.github.io/gatekeeper/website/docs): "Gatekeeper is a validating (mutating TBA) webhook that enforces CRD-based policies executed by Open Policy Agent"

Remember: K8s security layers: RBAC (who), NetworkPolicy (what), PSA (how), encryption (data).

5. Explain how Service Accounts are different from User Accounts

- User accounts are global while Service accounts are unique per namespace
- User accounts are meant for humans or client processes while Service accounts are for processes which run in pods

Remember: K8s security layers: RBAC (who), NetworkPolicy (what), PSA (how), encryption (data).

6. What is Conftest and how does it validate configuration files?

Conftest allows you to write tests against structured files. You can think of it as a test library for Kubernetes resources.
It is mostly used in testing environments such as CI pipelines or local hooks.

Remember: K8s security layers: RBAC (who), NetworkPolicy (what), PSA (how), encryption (data).

7. What happens when you create a pod and you DON'T specify a service account?

The pod is automatically assigned the default service account (in the namespace where the pod is running).

Remember: K8s security layers: RBAC (who), NetworkPolicy (what), PSA (how), encryption (data).

8. Give examples of recommended security measures for Kubernetes.

Examples of standard Kubernetes security measures include:

* Defining resource quotas
* Support for auditing
* Restriction of etcd access
* Regular security updates to the environment
* Network segmentation
* Definition of strict resource policies
* Continuous scanning for security vulnerabilities
* Using images from authorized repositories
* Implementing RBAC (Role-Based Access Control)
* Using Pod Security Policies or Pod Security Standards

Remember: K8s security layers: RBAC (who), NetworkPolicy (what), PSA (how), encryption (data).

9. What is RBAC (Role-Based Access Control) and how is it implemented?

RBAC in Kubernetes is the mechanism that enables you to configure fine-grained and specific sets of permissions that define how a given user, or group of users, can interact with any Kubernetes object in the cluster, or in a specific Namespace of the cluster.

Remember: RBAC = 4 objects: Role, ClusterRole, RoleBinding, ClusterRoleBinding. "2+2."

10. Explain Network Policies

[kubernetes.io](https://kubernetes.io/docs/concepts/services-networking/network-policies): "NetworkPolicies are an application-centric construct which allow you to specify how a pod is allowed to communicate with various network "entities"..."

In simpler words, Network Policies specify how pods are allowed/disallowed to communicate with each other and/or other network endpoints.

Remember: K8s security layers: RBAC (who), NetworkPolicy (what), PSA (how), encryption (data).

11. How do you implement encryption for data in transit and at rest in Kubernetes?

* Encryption in Kubernetes:
* Data in Transit: Use Transport Layer Security (TLS) for encrypting communication between components and pods.
* Data at Rest: Leverage storage providers that support encryption or use tools like dm-crypt for node-level encryption.
* For secrets, use encryption mechanisms provided by Kubernetes, such as sealed secrets.

Remember: K8s security layers: RBAC (who), NetworkPolicy (what), PSA (how), encryption (data).

12. Explain what "Service Accounts" are and in which scenario you would create/use one

[Kubernetes.io](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account): "A service account provides an identity for processes that run in a Pod."

An example of when to use one:
You define a pipeline that needs to build and push an image. In order to have sufficient permissions to build and push an image, that pipeline would require a service account with sufficient permissions.

Remember: K8s security layers: RBAC (who), NetworkPolicy (what), PSA (how), encryption (data).

13. Which Kubernetes concept would you use to control traffic flow at the IP address or port level?

Network Policies

Remember: K8s security layers: RBAC (who), NetworkPolicy (what), PSA (how), encryption (data).

Remember: NetworkPolicy = L3/L4 firewall for pods. Controls IP and port-level traffic between pods and external endpoints.

Gotcha: NetworkPolicies require a CNI plugin that supports them (Calico, Cilium). Flannel does NOT enforce them.

14. Explain "Security Context"

[kubernetes.io](https://kubernetes.io/docs/tasks/configure-pod-container/security-context): "A security context defines privilege and access control settings for a Pod or Container."

Gotcha: PSP removed in K8s 1.25. Use Pod Security Admission (PSA): enforce, audit, warn.

Remember: PSA levels: Privileged, Baseline, Restricted. Mnemonic: "PBR."

🔴 Hard (6)

1. How does Kubernetes manage security, and what are some best practices?

**Kubernetes Security Management:**
• Role-Based Access Control (RBAC): Defines and enforces access policies.
• Pod Security Policies: Restricts pod behaviors for security compliance.
• Network Policies: Controls communication between pods.
• Secrets Management: Safely handles sensitive information.
• Container Runtime Security: Ensures container runtime security practices.
• Security Contexts: Defines security settings at the pod or container level.

Remember: K8s security layers: RBAC (who), NetworkPolicy (what), PSA (how), encryption (data).

2. Explain the concept of Network Policies in Kubernetes.

* Network Policies: Network Policies in Kubernetes define how pods can communicate with each other.
* They specify rules for ingress and egress traffic based on pod labels.
* Network Policies help enforce security and segmentation within a cluster.
* By defining Network Policies, administrators can control the flow of network traffic between pods.
* This enhances security by restricting communication to only the necessary components, helping prevent unauthorized access or potential attacks within the cluster.

Remember: K8s security layers: RBAC (who), NetworkPolicy (what), PSA (how), encryption (data).

3. Discuss PodSecurityPolicies in Kubernetes and how they enhance security.

* PodSecurityPolicies (PSP): PSP is a cluster-level resource that controls security-sensitive aspects of pod specification.
* It defines a set of conditions that a pod must run with.
* PSP enhances security by restricting privilege escalation, host namespace usage, and more.

Remember: K8s security layers: RBAC (who), NetworkPolicy (what), PSA (how), encryption (data).

4. Discuss the best practices for securing a Kubernetes cluster.

**Best Practices for Kubernetes Security:**
* Enforce RBAC to control access.
* Regularly update Kubernetes and its components.
* Use network policies for granular control.
* Employ pod security policies for fine-grained security controls.
* Monitor and audit cluster activities for anomalies.
* Implement secure container images and runtime configurations.

Remember: K8s security layers: RBAC (who), NetworkPolicy (what), PSA (how), encryption (data).

5. Explain the concept of Network Policies in Kubernetes, and provide an example.

**Network Policies in Kubernetes:**
* Network Policies are specifications that control the communication between pods.
* They define rules to allow or deny traffic based on labels, namespaces, and pod selectors.
* Network Policies enhance security by restricting communication between pods.
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
spec:
  podSelector: {}   # empty selector: applies to every pod in the namespace
  ingress: []       # no ingress rules: no incoming traffic is allowed
```
* This example denies all incoming traffic to pods within the namespace where the policy is applied.

Remember: K8s security layers: RBAC (who), NetworkPolicy (what), PSA (how), encryption (data).

6. What security best practices do you follow in regards to the Kubernetes cluster?

* Secure inter-service communication (one way is to use Istio to provide mutual TLS)
* Isolate different resources into separate namespaces based on some logical groups
* Use a supported container runtime (if you use Docker then drop it because it's deprecated. You might want to use CRI-O as an engine and podman for CLI)
* Properly test changes to the cluster (e.g. consider using Datree to prevent kubernetes misconfigurations)
* Limit who can do what (by using for example OPA gatekeeper) in the cluster
* Use NetworkPolicy to apply network security
* Consider using tools (e.g.