
Software Engineering Radio - the podcast for professional software developers
SE Radio 678: Chris Love on Kubernetes Security
Jul 23, 2025
Chris Love, co-author of Core Kubernetes and a distinguished engineer at Modernize, dives into the nuances of Kubernetes security. He breaks down critical areas like node security, secrets management, and network best practices. Chris shares insights on when to stick with defaults versus customization, and the risks tied to unmanaged clusters. A cautionary tale illustrates the importance of robust security measures, while he highlights advancements in secret management and the use of short-lived credentials for enhanced cloud-native application security.
AI Snips
Network Policies Versus Service Mesh
- Use network policies for traffic control, and consider service meshes for encrypted intra-cluster communication.
- Limit the number of additional applications such as service meshes that you run, since each one enlarges the cluster's attack surface.
Pod API Access Restriction Advisable
- Do not mount service account tokens by default for pods; use unique service accounts per deployment.
- Restrict pods' API server access to minimize risk and follow least privilege principles.
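A concrete form of the two snips above (a dedicated service account per deployment with token automount disabled, and a network policy that allows only the traffic the workload needs), as an added example that is not from the episode; the namespace, app and gateway labels, and the image name are assumed values:

```yaml
# Added example, not from the episode. Namespace "payments", the labels
# app=checkout / app=gateway and the image name are assumed values.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: checkout
  namespace: payments
automountServiceAccountToken: false   # pods using this SA get no token unless they opt in
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: checkout
  namespace: payments
spec:
  replicas: 2
  selector:
    matchLabels: {app: checkout}
  template:
    metadata:
      labels: {app: checkout}
    spec:
      serviceAccountName: checkout          # unique SA for this deployment only
      automountServiceAccountToken: false   # the pod never receives an API server token
      containers:
        - name: checkout
          image: registry.example.com/checkout:1.4.2   # placeholder image reference
          ports: [{containerPort: 8080}]
---
# Selecting the pod with both policy types isolates it: only the peers listed
# below may talk to it (ingress from the gateway) or be reached by it (DNS).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: checkout-allow
  namespace: payments
spec:
  podSelector:
    matchLabels: {app: checkout}
  policyTypes: [Ingress, Egress]
  ingress:
    - from: [{podSelector: {matchLabels: {app: gateway}}}]
      ports: [{port: 8080}]
  egress:
    - to:
        - namespaceSelector: {matchLabels: {kubernetes.io/metadata.name: kube-system}}
          podSelector: {matchLabels: {k8s-app: kube-dns}}
      ports: [{port: 53, protocol: UDP}, {port: 53, protocol: TCP}]
```

Network policies are only enforced when the cluster's CNI plugin supports them, so verify that with the cluster provider before relying on this for isolation.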
Enforce Security With Admission Controllers
- Use admission controllers like Kyverno to enforce security policies on Kubernetes API calls.
- Screen container images and YAML before deployment and monitor runtime for unauthorized changes.