In 2018, RedLock's cloud security research team discovered that Tesla's Kubernetes dashboard was exposed to the public internet with no password on it. An attacker had found it, deployed pods inside T

freeCodeCamp is a nonprofit organization offering free online coding courses and programming tutorials, covering topics such as web development, data science, and machine learning. Learners can gain practical coding skills, build real-world projects, and earn certifications to advance their careers in tech.

freeCodeCamp

A comprehensive hands-on guide to hardening Kubernetes clusters across three security layers. Starts with running kube-bench to establish a CIS Benchmark baseline on a fresh kind cluster, then walks through building least-privilege RBAC policies for a CI pipeline service account, auditing existing permissions with rakkess and rbac-lookup, and enforcing Pod Security Admission at the 'restricted' profile. Covers configuring securityContext fields (runAsNonRoot, readOnlyRootFilesystem, capability dropping, seccomp profiles), compares OPA/Gatekeeper vs Kyverno for policy enforcement, and introduces Falco for eBPF-based runtime threat detection. Real-world breaches (Tesla cryptomining, Capital One, Shopify) are used to motivate each control.

How to Secure a Kubernetes Cluster: RBAC, Pod Hardening, and Runtime Protection

Demo 1: Run a Cluster Security Baseline with kube-bench

Demo 2 – Build a Least-Privilege RBAC Policy for a CI Pipeline

Demo 3 – Audit RBAC with rakkess and rbac-lookup

Demo 4 – Harden a Pod with securityContext

Demo 5 – Deploy Falco and Write a Custom Detection Rule