Kubernetes Privacy Shields

Essential Kubernetes security controls: Secrets encryption, RBAC, Network Policies, and Pod Security Standards for AI workloads.

Syntax

environments-and-security
// Secrets | RBAC | NetworkPolicy | PodSecurity | AI guardrails

Example

environments-and-security
# 1. Namespace with restricted Pod Security Standard
apiVersion: v1
kind: Namespace
metadata:
  name: inference
  labels:
    pod-security.kubernetes.io/enforce: restricted

# 2. Dedicated ServiceAccount per workload
apiVersion: v1
kind: ServiceAccount
metadata:
  name: inference-sa
  namespace: inference

# 3. RBAC Role — least privilege
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: secret-reader
  namespace: inference
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get"]
    resourceNames: ["ai-api-keys"]  # named secret only

# 4. Default-deny Network Policy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: inference
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]

# 5. Secure pod spec
spec:
  serviceAccountName: inference-sa
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: model-server
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
        readOnlyRootFilesystem: true
      # Reference secrets — never embed values in YAML
      env:
        - name: OPENAI_API_KEY
          valueFrom:
            secretKeyRef:
              name: ai-api-keys
              key: openai-api-key