Security Policy Language — Kubernetes and Cloud Vocabulary
Learn vocabulary for Kubernetes NetworkPolicy, pod security standards, RBAC policies, least-privilege, deny-by-default, and policy exceptions.
What is a Kubernetes NetworkPolicy in security policy vocabulary?
Kubernetes NetworkPolicy: by default, all pods can communicate with all other pods (allow-all). NetworkPolicy allows you to restrict this: 'only pods with label app=frontend can make egress connections to pods with label app=backend on port 8080.' Requires a CNI plugin that supports NetworkPolicy (Calico, Cilium, Weave). Key vocabulary: podSelector (which pods this policy applies to), ingress rules, egress rules, namespaceSelector, ipBlock.
What are Kubernetes pod security standards (PSS) in policy vocabulary?
Pod Security Standards replaced the deprecated PodSecurityPolicy. Three levels: Privileged (no restrictions — for system workloads), Baseline (prevents known privilege escalations — for most workloads), Restricted (hardened, follows pod hardening best practices — for security-sensitive workloads). Enforced via namespace labels (pod-security.kubernetes.io/enforce: restricted). Key vocabulary: runAsNonRoot, allowPrivilegeEscalation: false, seccompProfile, readOnlyRootFilesystem.
What is 'least-privilege' in RBAC policy vocabulary?
Least-privilege in Kubernetes RBAC vocabulary: 'The payment-service ServiceAccount should have a Role that allows only get and list on Secrets named payment-api-key — not get/list/watch on all Secrets in the namespace.' In practice, over-permissioned service accounts (cluster-admin given to everything) are a common misconfiguration. Tools: kubectl-who-can, rbac-lookup, audit logs. Regular RBAC audits are a compliance requirement.
What is 'deny-by-default' in security policy vocabulary?
Deny-by-default (default-deny / zero-trust posture): start from 'nothing is allowed' and explicitly whitelist what is permitted. Examples: Kubernetes default-deny NetworkPolicy (deny all ingress/egress unless a NetworkPolicy explicitly allows it), OPA policies that default to deny=true and only set deny=false when conditions are met, AWS IAM implicit deny (all actions are denied unless an Allow policy explicitly permits them).
What is a 'policy exception' in security policy vocabulary?
Policy exceptions vocabulary: 'We need to run a legacy container as root (violates pod security restricted profile) until we complete the migration in Q3. Exception approved by security team, tracked in Jira INFRA-4521, expires 2024-09-30.' Exceptions should be: specific (named resource, not 'all services'), time-limited, formally approved, tracked in an exceptions register, and regularly reviewed. Tools like Kyverno support exception resources natively.