Cyber Security Academy · Lesson

Pod Security and Network Policies

Isolating workloads.

Isolating Workloads

Two controls limit what a compromised pod can do: Pod Security restricts a pod's privileges, and Network Policies restrict which pods can talk to each other. Together they contain blast radius.

Pod Security stops escapes to the node.
Network Policies stop lateral movement across pods.

Dangerous Pod Settings

Several pod spec fields dramatically widen risk if allowed.

privileged: true grants near-host access.
hostPID, hostNetwork, hostIPC break namespace isolation.
hostPath volumes mount node directories.
Added capabilities like SYS_ADMIN enable escape.
Running as root (runAsUser: 0).

All lessons in this course

Kubernetes Threat Model
RBAC and Service Accounts
Pod Security and Network Policies
Securing the Supply Chain and Secrets

← Back to Cyber Security Academy