Kubernetes Security Glossary
50+ terms covering Kubernetes security concepts, tools, and CKS certification topics.
4
4C's of Cloud Native Security
A security model with four layers: Code, Container, Cluster, and Cloud. Each layer builds on the security of the layers beneath it.
A
Admission Controller
A piece of code that intercepts requests to the Kubernetes API server before persistence of the object, used to validate or mutate resources. Examples include PodSecurity, OPA Gatekeeper, and Kyverno.
AppArmor
A Linux kernel security module that restricts programs' capabilities with per-program profiles. Can be applied to pods to limit container actions.
Audit Logging
Kubernetes feature that records all requests to the API server, providing a chronological record of activities for security analysis and compliance.
Authentication
The process of verifying the identity of a user or service attempting to access the Kubernetes API. Methods include certificates, tokens, and OIDC.
Authorization
The process of determining whether an authenticated user has permission to perform a requested action. Kubernetes supports RBAC, ABAC, Node, and Webhook modes.
B
Base Image
The foundational container image from which other images are built. Securing base images is critical for supply chain security.
C
Calico
A popular CNI plugin that provides networking and network policy enforcement for Kubernetes clusters.
Certificate Authority (CA)
An entity that issues digital certificates used for authenticating components in a Kubernetes cluster, including the API server, kubelet, and users.
Cilium
An eBPF-based CNI plugin providing advanced networking, observability, and security features including L7 network policies.
CIS Benchmark
Security configuration guidelines published by the Center for Internet Security. The CIS Kubernetes Benchmark provides hardening recommendations for clusters.
CKS
Certified Kubernetes Security Specialist — a CNCF certification validating expertise in securing Kubernetes clusters and cloud-native applications.
CNI (Container Network Interface)
A specification and libraries for configuring network interfaces in Linux containers. CNI plugins like Calico and Cilium implement network policies.
Container Escape
An attack where a process breaks out of container isolation to access the host system or other containers.
Container Runtime
Software responsible for running containers. Examples include containerd, CRI-O, and Docker. Security depends on proper runtime configuration.
Cosign
A tool for signing and verifying container images and other artifacts, supporting keyless signing with OIDC identities.
CSI (Container Storage Interface)
A standard for exposing storage systems to containerized workloads. CSI drivers can introduce security risks if misconfigured.
D
Defense in Depth
A security strategy employing multiple layers of security controls throughout a system, so if one layer fails, others continue to provide protection.
E
eBPF
Extended Berkeley Packet Filter — a Linux kernel technology enabling programs to run in kernel space for networking, observability, and security without modifying kernel code.
Encryption at Rest
Encrypting data stored on disk, including Kubernetes Secrets stored in etcd. Configured via EncryptionConfiguration.
etcd
The distributed key-value store used by Kubernetes to store all cluster data, including Secrets. Securing etcd is critical for cluster security.
F
Falco
A cloud-native runtime security tool that detects abnormal behavior and security threats using system call monitoring and custom rules.
G
Gatekeeper
A Kubernetes-native policy controller built on Open Policy Agent (OPA) that enforces policies via admission control.
H
HostPath
A volume type that mounts a file or directory from the host node's filesystem into a pod. Can be exploited for container escape if unrestricted.
I
Image Scanning
The process of analyzing container images for known vulnerabilities, misconfigurations, and malware before deployment.
Immutable Infrastructure
A practice where deployed infrastructure is never modified; instead, changes are made by deploying new instances. Reduces configuration drift and attack surface.
K
Kube-bench
A tool that checks whether Kubernetes is deployed according to CIS Kubernetes Benchmark security recommendations.
Kubelet
The primary node agent that runs on each node, responsible for managing pods. The Kubelet API must be secured to prevent unauthorized access.
Kyverno
A Kubernetes-native policy engine that validates, mutates, and generates resources using YAML policies without requiring a new language.
L
Least Privilege
A security principle stating that users and processes should have only the minimum permissions necessary to perform their functions.
M
mTLS (Mutual TLS)
A security protocol where both client and server authenticate each other using certificates, commonly used for service-to-service communication.
N
Namespace
A Kubernetes mechanism for isolating groups of resources within a cluster. Namespaces provide a scope for names and can be used with RBAC and network policies for security isolation.
Network Policy
A Kubernetes resource that specifies how pods are allowed to communicate with each other and external endpoints. Requires a CNI that supports network policies.
Node Restriction
An admission controller that limits the Node and Pod objects a kubelet can modify, preventing compromised nodes from affecting other nodes.
O
OPA (Open Policy Agent)
A general-purpose policy engine that enables unified policy enforcement across the stack. Used with Gatekeeper for Kubernetes admission control.
P
Pod Security Admission (PSA)
Built-in Kubernetes admission controller that enforces Pod Security Standards at the namespace level. Replaced PodSecurityPolicy in Kubernetes 1.25+.
Pod Security Standards (PSS)
Three predefined security profiles — Privileged, Baseline, and Restricted — that define different levels of pod security restrictions.
Privileged Container
A container running with elevated privileges equivalent to root on the host. Should be avoided as it enables container escape attacks.
R
RBAC (Role-Based Access Control)
Kubernetes authorization mechanism that regulates access based on the roles of individual users. Uses Role, ClusterRole, RoleBinding, and ClusterRoleBinding resources.
Runtime Security
Security measures that detect and prevent threats during container execution, including syscall monitoring, behavioral analysis, and threat detection.
S
SBOM (Software Bill of Materials)
A formal record of components and dependencies in software, enabling vulnerability tracking and supply chain transparency.
Seccomp
Secure Computing Mode — a Linux kernel feature that restricts the system calls a process can make, reducing attack surface.
Secret
A Kubernetes object that stores sensitive data like passwords, tokens, and keys. Secrets should be encrypted at rest and accessed via RBAC.
Security Context
Pod and container settings that define privilege and access control, including runAsUser, runAsNonRoot, readOnlyRootFilesystem, and capabilities.
Service Account
An identity for processes running in pods to authenticate to the API server. Each namespace has a default service account.
Service Mesh
A dedicated infrastructure layer for handling service-to-service communication, providing mTLS, observability, and traffic management. Examples include Istio and Linkerd.
Supply Chain Security
Practices that protect software from tampering throughout the development, build, and deployment pipeline, including image signing and vulnerability scanning.
T
Trivy
A comprehensive security scanner that detects vulnerabilities, misconfigurations, and secrets in container images, filesystems, and Kubernetes clusters, and can also generate SBOMs.
V
Vulnerability
A weakness in software that can be exploited by attackers. Container images should be scanned for known vulnerabilities (CVEs) before deployment.
Z
Zero Trust
A security model that requires strict identity verification for every person and device trying to access resources, regardless of network location.