All field notes

Kubernetes security begins before the cluster

Runtime policy cannot repair every unsafe decision made earlier in the delivery path.

By the time a workload reaches admission control, much of its security posture is already decided. Source permissions shaped the code. The build system chose the dependencies. The pipeline created the artifact. The platform template selected identity, network, and runtime defaults.

Protect the path to the artifact

Require review on deployment code, isolate build identities, pin dependencies, and produce immutable artifacts. Scan images, but also preserve provenance so the cluster can distinguish an approved build from an image that merely has the expected name.

Promote the same digest between environments. Rebuilding for production creates a new artifact and a new set of assumptions.

Make the safe workload easy

Provide maintained templates with a non-root user, read-only filesystem where practical, resource requests and limits, health probes, restricted capabilities, and a dedicated service account. Teams should receive these controls by using the normal platform path.

The platform should produce a defensible workload before policy has to reject an unsafe one.

Keep identities small

A namespace is not an identity boundary by itself. Give each workload a purpose-built service account and limit both Kubernetes RBAC and cloud permissions. Disable automatic token mounting when it is not needed. Prefer short-lived workload identity over static cloud credentials.

Network policy should follow expected communication, not broad namespace membership. Start with the services a workload must reach and add explicit paths rather than assuming internal traffic is trustworthy.

Use admission as the final guardrail

Admission policy is valuable for preventing privileged containers, untrusted registries, missing security context, or unapproved host access. Keep messages specific and test the policy against real delivery workflows before enforcement.

Runtime detection completes the picture. Watch for unexpected process execution, identity use, network destinations, and changes to sensitive resources. Kubernetes security is a delivery-system property, and the cluster is one important layer of it.

Next note: Patching is dependency management