Kubernetes YAML security ensures that workloads defined in manifests are deployed with strong security controls, least privilege, proper isolation, safe defaults, and hardened configurations. Because Kubernetes resources are expressed entirely in YAML, mistakes in these files directly translate into insecure clusters, exposed services, or compromised workloads. Securing YAML is one of the most essential parts of IaC security.

Why Kubernetes YAML Security Matters

Kubernetes YAML files define:

• Pods
• Deployments
• Services
• RBAC rules
• Network policies
• Ingress controllers
• Volumes
• Secrets

A single insecure YAML configuration can create:

• Privileged containers
• Host-level access
• Run-as-root workloads
• Public services
• Overly permissive RBAC roles
• No network isolation
• Unencrypted secrets
• Misconfigured storage

Attackers frequently exploit insecure Kubernetes manifests, especially in CI/CD environments.

Key Areas of Kubernetes YAML Security

Pod Security

Every pod should include:

• non-root user
• read-only root filesystem
• restricted Linux capabilities
• seccomp profile
• AppArmor profile

Without these, pods can escalate privileges or escape containers.

Network Security

YAML files must also control networking:

• NetworkPolicies
• Ingress restrictions
• Limited egress
• No wide-open traffic

Without network controls, pods communicate freely, enabling lateral movement.

RBAC Security

YAML defines RBAC roles. Mistakes such as:

rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]

give attackers full cluster control.

Secrets Management

YAML often contains:

• plaintext secrets
• unencrypted credentials
• config files with sensitive data

These must never be stored directly in manifests.

Storage Security

Volume configurations can expose host filesystems:

hostPath:
  path: /

This gives near-host access.

Resource Limits

YAML must include CPU and memory limits to prevent DoS attacks and resource starvation.

Common Kubernetes YAML Misconfigurations

Scanners repeatedly find:

• privileged containers
• allowPrivilegeEscalation: true
• runAsUser: 0 (root)
• missing securityContext
• hostNetwork: true
• hostPID or hostIPC enabled
• hostPath mounts
• no resource limits
• service type LoadBalancer for internal apps
• ingresses open to internet
• plaintext secrets
• wildcard RBAC
• missing NetworkPolicy

These vulnerabilities cause real-world cluster compromises.

Tools for Scanning Kubernetes YAML

Trivy Config

Detects misconfigs, secrets, insecure contexts.

Kubeaudit

Deep Kubernetes security analysis.

Kubesec

Scores security level of manifests.

Checkov

Finds YAML misconfigurations, RBAC issues, network risks.

Terrascan

Policy-as-code for Kubernetes YAML.

Polaris

Enforces Kubernetes best practices.

OPA Conftest

Custom policy enforcement for YAML files.

Using multiple scanners greatly increases detection accuracy.

Securing Kubernetes YAML — Key Requirements

Always Run as Non-Root

securityContext:
  runAsNonRoot: true
  runAsUser: 1000

Disable Privilege Escalation

allowPrivilegeEscalation: false

Use Read-Only Filesystem

readOnlyRootFilesystem: true

Drop Dangerous Capabilities

capabilities:
  drop:
    - ALL

Add Seccomp Profile

seccompProfile:
  type: RuntimeDefault

Restrict Host Access

Never use:

• hostPath
• hostNetwork
• hostPID
• hostIPC

Unless absolutely necessary.

Enforce Resource Limits

resources:
  requests:
    cpu: "100m"
    memory: "128Mi"
  limits:
    cpu: "200m"
    memory: "256Mi"

Use NetworkPolicies

Restrict cross-pod communication:

podSelector: {}
policyTypes:
  - Ingress
  - Egress

Avoid Plaintext Secrets

Never do:

env:
  - name: PASSWORD
    value: "admin123"

Instead use:

valueFrom:
  secretKeyRef:
    name: db-secret
    key: password

Full-Length Practical Section

Deep hands-on exercises to master Kubernetes YAML security.

Practical 1: Scan Kubernetes YAML With Trivy

Create insecure pod:

apiVersion: v1
kind: Pod
metadata:
  name: insecure
spec:
  containers:
    - name: app
      image: nginx
      securityContext:
        privileged: true

Scan:

trivy config .

Fix privileged mode.

Practical 2: Scan YAML With Kubeaudit

Run:

kubeaudit all -f k8s/

Find:

• privileged containers
• runAsRoot
• missing securityContext

Fix and repeat scan.

Practical 3: Score YAML With Kubesec

kubesec scan deployment.yaml

Improve score by tightening security.

Practical 4: Add Non-Root User to YAML

Modify:

securityContext:
  runAsNonRoot: true
  runAsUser: 1001

Validate with scans.

Practical 5: Enforce Read-Only Root Filesystem

Add:

readOnlyRootFilesystem: true

Attempt writing inside container to test security.

Practical 6: Add Capability Drop

capabilities:
  drop: ["ALL"]

Verify no privileged capabilities remain.

Practical 7: Add Seccomp Profile

seccompProfile:
  type: RuntimeDefault

Scan with Trivy to confirm compliance.

Practical 8: Detect HostPath Misconfigurations

Create hostPath pod:

hostPath:
  path: /

Scan with Checkov:

checkov -d .

Fix by removing hostPath.

Practical 9: Restrict Host Namespace Exposure

Create YAML with:

hostNetwork: true

Scan with Kubeaudit.
Fix by removing host-level access.

Practical 10: Enforce Resource Limits

Add:

resources:
  requests:
    cpu: "50m"
    memory: "64Mi"
  limits:
    cpu: "100m"
    memory: "128Mi"

Scan again.

Practical 11: Add NetworkPolicy to Restrict Traffic

Create:

kind: NetworkPolicy
policyTypes:
  - Ingress
  - Egress

Test by blocking pod-to-pod communication.

Practical 12: Detect Unencrypted Secrets

Create secret in YAML:

password: "admin123"

Scan with Trivy and Checkov.

Use proper Kubernetes Secrets instead.

Practical 13: Secure RBAC Roles

Create insecure role:

verbs: ["*"]

Scan with Checkov.

Fix with least privilege.

Practical 14: Validate Ingress Security

Create ingress without HTTPS.
Scan with Checkov.
Add TLS configuration.

Practical 15: Enforce OPA Policies With Conftest

Write policy:

deny[msg] {
  input.spec.containers[_].securityContext.runAsNonRoot != true
  msg = "Containers must run as non-root"
}

Run:

conftest test k8s/

Practical 16: Validate Deployment Against Polaris

polaris audit --files k8s/

Fix recommended hardening items.

Practical 17: Enforce Default Seccomp in Cluster

Apply PodSecurity standard:

restricted

Test deployment of unsecure pod (should fail).

Practical 18: Detect Secrets in Environment Variables

Place secret in env section.
Scan with Trivy.
Fix by referencing Kubernetes Secrets.

Practical 19: Audit All Manifests in a Repo

trivy config .
checkov -d .
kubeaudit all -f k8s/

Combine results to get complete coverage.

Practical 20: Build Full Kubernetes YAML Security Architecture

Include:

• Trivy (misconfig + secret + context scanning)
• Checkov (deep security policies)
• Kubeaudit (runtime-focused checks)
• Kubesec (scoring)
• OPA Conftest (custom governance)
• Polaris (best practices enforcement)
• CI pipeline scanning
• Pre-commit hooks
• Secure defaults in templates

This creates complete YAML security governance across all Kubernetes manifests.

Intel Dump

• Kubernetes YAML security prevents misconfigurations from compromising clusters
• Core risks: privileged containers, host access, plaintext secrets, open networking, weak RBAC
• Tools: Trivy, Kubeaudit, Checkov, Kubesec, Terrascan, Polaris, OPA Conftest
• Harden with non-root users, read-only fs, seccomp, dropped capabilities, resource limits, NetworkPolicies
• Practicals cover scanning, RBAC fixes, network isolation, seccomp enforcement, secrets protection, and full YAML security governance system