Security Templates
20 production-ready Kubernetes security configurations, organized by domain.
Network Security
Default Deny Network Policy
A zero-trust NetworkPolicy that blocks all ingress and egress traffic by default, forcing explicit allow rules for every traffic flow.
Allow DNS Network Policy
A NetworkPolicy that permits DNS resolution to CoreDNS in kube-system, required when using default-deny policies.
Block Cloud Metadata
NetworkPolicies that block access to the cloud metadata endpoint (169.254.169.254) to prevent SSRF-based IAM credential theft on AWS, GCP, and Azure.
Namespace Isolation
A complete namespace isolation strategy with default-deny ingress, intra-namespace allow, ingress controller access, monitoring exceptions, and egress controls.
Egress Allow Rules
A whitelist-only egress model with six policies: default deny, DNS resolution, HTTPS to approved CIDRs, database access, internal service access, and Kubernetes API access.
Complete 3-Tier Network Policy Set
A production-ready set of 6 NetworkPolicies implementing zero-trust networking for a 3-tier application: default deny, frontend, backend, database, Redis cache, and Prometheus monitoring.
Pod Security
Restricted Pod Security Standards Namespace
A namespace configured with the Restricted Pod Security Standard, the most restrictive PSS level, which blocks privileged pods, host namespace and host path access, and execution as root.
Hardened Pod Security Context
A Deployment template with a fully hardened security context including non-root execution, read-only filesystem, dropped capabilities, and seccomp profiles.
Seccomp Profile
Three seccomp options: RuntimeDefault baseline, a custom strict deny-by-default profile, and Security Profiles Operator (SPO) managed profile.
RBAC
Least Privilege RBAC
A namespace-scoped Role and RoleBinding implementing least-privilege access control with read-only permissions for pods.
Secure Service Account
A comprehensive service account security configuration with disabled auto-mount, projected token volumes, imagePullSecrets, and workload identity annotations.
Resource Management
Resource Quotas
Namespace-level ResourceQuota that enforces CPU, memory, and pod count limits to prevent resource exhaustion and DoS attacks.
Limit Range
A LimitRange that sets default CPU and memory requests/limits for containers that do not specify them, preventing over-provisioning.
Pod Disruption Budget
Five PodDisruptionBudget examples covering minAvailable, maxUnavailable, percentage-based thresholds, and StatefulSet protection for databases.
Audit & Monitoring
Audit Policy
A comprehensive 16-rule Kubernetes API server audit policy covering secrets access, RBAC changes, exec/attach, authentication, and workload modifications.
Falco Runtime Security Rules
A 7-rule Falco detection ruleset covering shell access, crypto mining, credential theft, privilege escalation, network recon, package installation, and /etc tampering.
Supply Chain
Kyverno Disallow Latest Tag
A Kyverno ClusterPolicy that blocks deployments using the mutable :latest image tag, enforcing explicit versioned tags for all containers.
OPA/Gatekeeper Constraint Templates
Two OPA/Gatekeeper ConstraintTemplates with Rego policies: one requires resource limits on all containers, the other disallows privileged containers and containers that allow privilege escalation.
Kyverno Policy Bundle
A comprehensive bundle of 7 Kyverno ClusterPolicies: resource limits, non-root enforcement, read-only filesystem, host namespace blocking, required labels, privilege escalation denial, and security context mutation.