Security Overview

Kubernetes security in the MATIH platform is implemented across multiple layers: pod security contexts for container-level isolation, secrets management for credential protection, cert-manager for TLS certificate automation, and RBAC for access control. Together these layers enforce defense-in-depth for the entire platform deployment.

Security Layers

Layer	Component	Scope
Container	Security Contexts	Pod and container runtime restrictions
Secrets	Kubernetes Secrets + External Secrets Operator	Credential storage and rotation
TLS	cert-manager	Certificate provisioning and renewal
Access	RBAC	API server access control
Network	NetworkPolicy	Pod-to-pod communication control

Security Architecture

External Traffic --> TLS Termination (cert-manager) --> NGINX Ingress
                                                            |
                                                     RBAC (who can access)
                                                            |
                                                     NetworkPolicy (what can connect)
                                                            |
                                                     Security Context (how it runs)
                                                            |
                                                     Secrets (credentials access)

Pod Security Standards

The MATIH platform targets the restricted Pod Security Standard with exceptions documented per service:

Standard	Level	Description
Privileged	None	No restrictions (not used)
Baseline	Some services	Prevents known privilege escalations
Restricted	Most services	Heavily restricted, follows best practices

Compliance Requirements

Requirement	Implementation
No root containers	`runAsNonRoot: true` in security contexts
Read-only filesystem	`readOnlyRootFilesystem: true` where possible
No privilege escalation	`allowPrivilegeEscalation: false`
Minimal capabilities	`drop: ["ALL"]` in container capabilities
Encrypted secrets	External Secrets Operator with cloud KMS
TLS everywhere	cert-manager with Let's Encrypt
Least privilege RBAC	Namespace-scoped roles, no cluster-admin for services

Security Scanning

Tool	Purpose	Frequency
Trivy	Container image vulnerability scanning	CI/CD pipeline
kube-bench	CIS Kubernetes benchmark compliance	Weekly
Polaris	Best practice validation	CI/CD pipeline
OPA/Gatekeeper	Policy enforcement	Runtime

Detailed Sections

Section	Content
Security Contexts	Pod and container security settings
Secrets Management	Credential storage, rotation, and access
cert-manager	TLS certificate automation
RBAC	Role-based access control configuration

Cluster Autoscaler Security Contexts