--- title: K8s Security Policies category: product entity_type: skill price: $15 canonical: https://forgehouse.ai/skills/k8s-security-policies/ lang: en hreflang_alt: https://forgehouse.ai/tr/skiller/k8s-security-policies/ last_updated: 2026-06-20 --- # K8s Security Policies > Implement Kubernetes security policies including NetworkPolicy, PodSecurityPolicy, and RBAC… A defense-in-depth guide for securing Kubernetes clusters with NetworkPolicy, Pod Security Standards, RBAC, and admission control. It combines network segmentation, least-privilege access, and policy-as-code so a single broken layer never compromises the whole cluster. ## Use cases - Implementing network segmentation with default-deny NetworkPolicies - Enforcing Pod Security Standards at the namespace level - Setting up least-privilege RBAC roles and service accounts - Adding admission control with OPA Gatekeeper or Kyverno - Configuring mTLS and authorization policies with Istio - Meeting CIS Benchmark and NIST compliance requirements ## Benefits - Limit lateral movement so a compromised pod cannot reach the whole cluster - Default to secure by denying traffic and access until explicitly granted - Catch insecure manifests in CI before they ever reach production - Pass compliance audits with mapped CIS and NIST controls ## What’s included - Pod Security Standards labels for privileged, baseline, and restricted namespaces - NetworkPolicy templates for default-deny, allowed flows, and DNS egress - RBAC Role, ClusterRole, and RoleBinding patterns for least privilege - Restricted pod security context with dropped capabilities and read-only filesystem - OPA Gatekeeper constraint template and Istio mTLS plus authorization policy - Troubleshooting commands for NetworkPolicy and RBAC permission checks ## Who it’s for Security and platform engineers hardening production Kubernetes clusters who need network isolation, least-privilege access, and enforced pod security. ## How it runs Being inside the cluster is not an identity. Defense stacks in layers here: restricted Pod Security floors, default-deny networking, least-privilege RBAC, policy-as-code that fails closed, and mesh mTLS on top. 1. Sets the floor with Pod Security Standards at namespace level: restricted enforced for production namespaces via the pod-security.kubernetes.io labels, with warn and audit modes used to teach before blocking. 2. Starts networking from default-deny: a NetworkPolicy that blocks all ingress and egress per namespace, then explicit allows only for what is needed (frontend to backend on one port, DNS to kube-system), so direct frontend-to-database traffic is structurally impossible. 3. Cuts RBAC to least privilege: namespace-scoped Role over ClusterRole, a dedicated ServiceAccount per workload instead of default, wildcard verbs forbidden, and effective permissions proven with kubectl auth can-i rather than assumed. 4. Hardens every pod's runtime: runAsNonRoot, drop ALL capabilities, readOnlyRootFilesystem, no privilege escalation, so a compromised container has nowhere to climb. 5. Enforces policy as code with OPA Gatekeeper or Kyverno: ConstraintTemplates like required labels run in CI before merge (conftest, kyverno apply), and fail closed in the cluster, so a webhook outage blocks creation rather than waving it through. 6. Closes the trust gap with mesh mTLS: PeerAuthentication STRICT plus AuthorizationPolicy bound to service account principals, because being inside the cluster is not an identity. ## FAQ ### We're on managed clusters like EKS and GKE. Do these policies still apply? Yes. NetworkPolicy, Pod Security Standards labels, RBAC, and admission control are native Kubernetes mechanisms and work the same on managed clusters. The one thing to verify is that your CNI supports NetworkPolicy, which managed defaults generally do. ### How does the defense-in-depth actually layer? Four layers stack: default-deny NetworkPolicies cut lateral movement, namespace-level Pod Security Standards block risky pods, least-privilege RBAC narrows access, and OPA Gatekeeper or Kyverno catches insecure manifests in CI before they reach the cluster. One broken layer doesn't compromise the rest. ### Will applying this make my cluster CIS-compliant on its own? No. The policies map to CIS and NIST controls and cover a large share of an audit, but full compliance also requires node hardening, audit logging, and organizational process. This solves the policy layer; the rest stays on your roadmap. ## Price $15, one-time, no subscription. VAT included. Related guide: [How to run a marketing agency with AI automation](https://forgehouse.ai/guides/ai-marketing-agency-automation/)