Security

CIS hardening, secrets encryption, network policies, RBAC.

CIS Hardening

What CIS is

Center for Internet Security benchmark — a hardening checklist for Kubernetes deployments.

Default in K3s

K3s already follows most CIS recommendations: minimal host path mounts, restricted container capabilities, no hostNetwork by default.

Profile

Install with --profile=cis-1.23 to fully comply. Review and apply remaining items manually.

Secrets Encryption

Default

Secrets are stored base64-encoded in etcd/SQLite — readable by anyone with DB access.

Enable encryption

Set --secrets-encryption-key=<key> at install. Or --secrets-encryption true if you want auto-generated keys.

Rotate

Update the config with multiple keys: --secrets-encryption-key=<old>,<new>. Encrypts with new, decrypts with either.

Network Policy

Default

All pods can talk to all pods. NOT what you want for production.

With Calico

Install Calico and define NetworkPolicy resources. Block by default, allow explicitly.

Test

Use netshoot image — start two pods, try to ping between them. Restrict one, see the failure.

Authentication & RBAC

Default

Local CA at /var/lib/rancher/k3s/server/tls. Kubeconfig at /etc/rancher/k3s/k3s.yaml.

External auth

Use OIDC for SSO. --oidc-issuer-url=https://accounts.example.com --oidc-client-id=k3s.

RBAC

Standard Kubernetes RBAC. ClusterRoleBinding, RoleBinding, ServiceAccount. No magic.

Pod Security Standards

Three profiles

Privileged, Baseline, Restricted — restrict capabilities, host paths, privileged containers progressively.

Apply

kubectl label namespace default pod-security.kubernetes.io/enforce=restricted

Audit vs Enforce

Start with audit mode (warnings only), then enforce once violations are fixed.


← Back to Docs IndexInstall Guide →