Kubernetes Privacy Shields
Essential Kubernetes security controls: Secrets encryption, RBAC, Network Policies, and Pod Security Standards for AI workloads.
Syntax
environments-and-security
// Secrets | RBAC | NetworkPolicy | PodSecurity | AI guardrailsExample
environments-and-security
# 1. Namespace with restricted Pod Security Standard
apiVersion: v1
kind: Namespace
metadata:
name: inference
labels:
pod-security.kubernetes.io/enforce: restricted
# 2. Dedicated ServiceAccount per workload
apiVersion: v1
kind: ServiceAccount
metadata:
name: inference-sa
namespace: inference
# 3. RBAC Role — least privilege
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: secret-reader
namespace: inference
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get"]
resourceNames: ["ai-api-keys"] # named secret only
# 4. Default-deny Network Policy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-all
namespace: inference
spec:
podSelector: {}
policyTypes: [Ingress, Egress]
# 5. Secure pod spec
spec:
serviceAccountName: inference-sa
securityContext:
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
containers:
- name: model-server
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
readOnlyRootFilesystem: true
# Reference secrets — never embed values in YAML
env:
- name: OPENAI_API_KEY
valueFrom:
secretKeyRef:
name: ai-api-keys
key: openai-api-key