A comprehensive hands-on guide to hardening Kubernetes clusters across three security layers. Starts with running kube-bench to establish a CIS Benchmark baseline on a fresh kind cluster, then walks through building least-privilege RBAC policies for a CI pipeline service account, auditing existing permissions with rakkess and rbac-lookup, and enforcing Pod Security Admission at the 'restricted' profile. Covers configuring securityContext fields (runAsNonRoot, readOnlyRootFilesystem, capability dropping, seccomp profiles), compares OPA/Gatekeeper vs Kyverno for policy enforcement, and introduces Falco for eBPF-based runtime threat detection. Real-world breaches (Tesla cryptomining, Capital One, Shopify) are used to motivate each control.
Table of contents

Prerequisites
Table of Contents
The Kubernetes Threat Landscape
What You'll Build
Demo 1: Run a Cluster Security Baseline with kube-bench
How to Configure RBAC
Demo 2 – Build a Least-Privilege RBAC Policy for a CI Pipeline
Demo 3 – Audit RBAC with rakkess and rbac-lookup
How to Harden Pod Runtime Security
Demo 4 – Harden a Pod with securityContext
Demo 5 – Deploy Falco and Write a Custom Detection Rule
Cleanup
Conclusion