These guidelines align with the Kubernetes Certified Security Specialist (CKS) objectives.
- Apply the provided RBAC and NetworkPolicy manifests before deploying.
- Use signed container images and verify SBOMs during admission.
- Limit service accounts to the minimum required permissions.
- RBAC: see security/policy-notes.md for Role/RoleBinding examples.
- NetworkPolicies restrict pod egress to Object Storage and required services.
- Admission policies (OPA/Gatekeeper or Kyverno) enforce image signatures.
- Enable audit logging and ship logs to a secure location.
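As an added illustration of the least-privilege and egress points above (not a manifest from this repository), the following pairs a Role/RoleBinding scoped to a single ConfigMap with a NetworkPolicy that drops all egress except cluster DNS and one object-storage range; the namespace, names, pod labels and the CIDR are assumptions.

```yaml
# Added example, not a manifest from this repository; names, namespace,
# labels and the CIDR are assumptions.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: app-config-reader, namespace: app}
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["app-config"]   # only the one ConfigMap the app reads
    verbs: ["get"]                  # no list/watch, no access to secrets
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: app-config-reader, namespace: app}
subjects:
  - {kind: ServiceAccount, name: app-sa, namespace: app}
roleRef: {kind: Role, name: app-config-reader, apiGroup: rbac.authorization.k8s.io}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: app-egress, namespace: app}
spec:
  podSelector:
    matchLabels: {app: app}       # pods that run under app-sa
  policyTypes: [Egress]           # listing Egress with no matching rule drops the traffic
  egress:
    # cluster DNS in kube-system; without this nothing resolves by name
    - to:
        - namespaceSelector:
            matchLabels: {kubernetes.io/metadata.name: kube-system}
          podSelector:
            matchLabels: {k8s-app: kube-dns}
      ports:
        - {protocol: UDP, port: 53}
        - {protocol: TCP, port: 53}
    # object-storage endpoint: placeholder range, replace with the real one
    - to:
        - ipBlock: {cidr: 203.0.113.0/24}
      ports:
        - {protocol: TCP, port: 443}
```

Verify the RBAC scope with `kubectl auth can-i get configmaps --as=system:serviceaccount:app:app-sa -n app` (expected: yes) against `kubectl auth can-i get secrets --as=system:serviceaccount:app:app-sa -n app` (expected: no).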
Security is continuous; integrate checks into CI/CD as shown in docs/cicd.md.