Skill UI

This guide details how to implement Kubernetes Pod Security Standards (PSS) using the Pod Security Admission (PSA) controller. PSS defines three mandatory security levels—Privileged, Baseline, and Restricted—for container workloads. It is essential for enhancing security posture, ensuring compliance, and migrating away from deprecated PodSecurityPolicy (PSP) controls by applying namespace labels and defining compliant pod specifications.

This guide details the implementation of microsegmentation using Akamai Guardicore, enabling organizations to map complex application dependencies, visualize east-west traffic flows, and enforce least-privilege network policies. It is crucial for achieving zero-trust compliance by preventing lateral movement across heterogeneous workloads in data centers, cloud environments, and Kubernetes clusters.

This guide details how to use Kubernetes NetworkPolicies to enforce granular, pod-level network segmentation. It covers establishing default deny rules, defining specific ingress and egress rules for services, and implementing zero-trust microsegmentation. Use this skill to build robust security architecture and prevent lateral movement within a container cluster.

OPA Gatekeeper is a powerful Kubernetes admission controller that enforces policies using Rego rules. It utilizes ConstraintTemplates and Constraints to validate, mutate, or deny API requests at the cluster admission stage. This tool is essential for implementing policy-as-code practices, ensuring that Kubernetes deployments adhere to organizational security standards, compliance requirements, and best practices, such as mandating labels or blocking privileged containers.

Pod Security Admission (PSA) is a built-in Kubernetes admission controller designed to enforce Pod Security Standards (Baseline, Restricted, Privileged) at the namespace level. It serves as a crucial replacement for the deprecated PodSecurityPolicy (PSP), allowing users to implement robust security controls and maintain compliance. By applying specific labels, administrators can set enforcement modes (enforce, audit, warn) to harden container environments against unauthorized privilege escalation and security risks.

This comprehensive guide details the deployment of HashiCorp Vault for robust, centralized secrets management in hybrid and multi-cloud environments. It covers configuring dynamic secret engines for databases (PostgreSQL) and cloud providers (AWS), integrating diverse authentication methods (OIDC, AppRole, Kubernetes), and securely delivering short-lived secrets to Kubernetes workloads via agents. The primary goal is to enforce zero-trust principles by eliminating hardcoded, long-lived credentials from application code and CI/CD pipelines.

A comprehensive tool for auditing container security posture by detecting potential escape vectors. It analyzes Kubernetes Pod specs for dangerous configurations, such as running in privileged mode, dangerous capability assignments (like CAP_SYS_ADMIN), host namespace sharing, and writable hostPath mounts. Ideal for security assessments and incident response to prevent container breakout.

A comprehensive security auditing tool designed to assess a Kubernetes cluster's compliance posture against established CIS benchmarks. It performs deep checks on control plane components (API Server, etcd, Controller Manager), worker nodes, and Role-Based Access Control (RBAC). Use it for proactive security assessments, compliance validation, and hardening throughout the CI/CD lifecycle.

This guide provides a comprehensive methodology for assessing the security posture of Kubernetes etcd clusters. It covers critical areas including encryption at rest (for secrets), TLS transport security, access control validation, secure backup procedures, and network isolation checks, ensuring cluster data integrity and confidentiality.

A comprehensive guide for systematically evaluating Kubernetes cluster security. It simulates advanced attacker techniques against critical components like the API server, etcd, kubelet, RBAC, and network policies, identifying misconfigurations and vulnerabilities. Essential for security auditors, penetration testers, and DevOps teams performing deep cluster security assessments.

Harbor is an open-source container registry designed for robust security and compliance. This guide details the comprehensive workflow for securing your container ecosystem by implementing advanced features such as vulnerability scanning (Trivy), image signing (Notary/Cosign), Role-Based Access Control (RBAC), and content trust policies. Learn how to enforce image provenance and maintain strict access control in Kubernetes environments.

This comprehensive guide outlines the end-to-end security lifecycle for Kubernetes applications deployed via Helm. It covers critical topics such as chart provenance verification (GPG signing), template scanning (using tools like kubesec and checkov), enforcing strict security contexts, managing secrets securely (ExternalSecrets), and defining robust RBAC rules for CI/CD pipelines.