Security
CIS hardening, secrets encryption, network policies, RBAC.
CIS Hardening
What CIS is
Center for Internet Security benchmark — a hardening checklist for Kubernetes deployments.
Default in K3s
K3s already follows most CIS recommendations: minimal host path mounts, restricted container capabilities, no hostNetwork by default.
Profile
Install with --profile=cis-1.23 to fully comply. Review and apply remaining items manually.
Secrets Encryption
Default
Secrets are stored base64-encoded in etcd/SQLite — readable by anyone with DB access.
Enable encryption
Set --secrets-encryption-key=<key> at install. Or --secrets-encryption true if you want auto-generated keys.
Rotate
Update the config with multiple keys: --secrets-encryption-key=<old>,<new>. Encrypts with new, decrypts with either.
Network Policy
Default
All pods can talk to all pods. NOT what you want for production.
With Calico
Install Calico and define NetworkPolicy resources. Block by default, allow explicitly.
Test
Use netshoot image — start two pods, try to ping between them. Restrict one, see the failure.
Authentication & RBAC
Default
Local CA at /var/lib/rancher/k3s/server/tls. Kubeconfig at /etc/rancher/k3s/k3s.yaml.
External auth
Use OIDC for SSO. --oidc-issuer-url=https://accounts.example.com --oidc-client-id=k3s.
RBAC
Standard Kubernetes RBAC. ClusterRoleBinding, RoleBinding, ServiceAccount. No magic.
Pod Security Standards
Three profiles
Privileged, Baseline, Restricted — restrict capabilities, host paths, privileged containers progressively.
Apply
kubectl label namespace default pod-security.kubernetes.io/enforce=restricted
Audit vs Enforce
Start with audit mode (warnings only), then enforce once violations are fixed.