
Ultra Secure Kubernetes Pod: Security-Hardened Deployment Template

Tags: Pod Security, Security through manifest
Created by: Mahmood

Hardening a Kubernetes pod against common attack vectors requires configuring security contexts, RBAC, Linux security modules, image policies, resource limits, and secret management together. This template implements the full set of Kubernetes pod security best practices in a single deployable manifest, covering non-root execution, read-only filesystems, seccomp and AppArmor profiles, SELinux labels, least-privilege RBAC, and volume-mounted secrets with restricted permissions.

What's Included

| Component | Type | Port | Role |
|---|---|---|---|
| ServiceAccount | ServiceAccount | - | Minimal-permission identity with API token mounting disabled |
| Role + RoleBinding | RBAC | - | Least-privilege permissions bound to the ServiceAccount |
| Secret | Secret | - | Credentials injected as environment variables and volume-mounted files |
| Deployment | Deployment | - | Hardened pod with all security controls applied |

Architecture Overview

The pod runs as UID 1000 with privilege escalation disabled and a read-only root filesystem backed by temporary writable volumes. A dedicated ServiceAccount with a Role and RoleBinding applies minimal RBAC permissions and disables automatic API token mounting. Sensitive data is injected as environment variables from SecretRefs and as volume-mounted files with 0400 permissions. Seccomp runtime default, AppArmor enforcement, and SELinux multi-level labels provide OS-level confinement. CPU, memory, and ephemeral storage limits prevent resource exhaustion.

Prerequisites

  • A Kubernetes cluster with AppArmor and SELinux support enabled on worker nodes
  • A private container registry with a pinned application image
  • KubeKanvas CLI installed and running on your computer (Optional, if you want to use one-click deployment)

How to Deploy

  1. Click on the button at the top right corner of this page to load the manifest into the editor.
  2. Replace the image reference with your pinned application image from your container registry.
  3. Update the Secret component with your application credentials and sensitive configuration.
  4. Review the Role and RoleBinding to confirm the RBAC permissions match your application's requirements.
  5. Deploy the template to your cluster via the Play button in the top right bar. If you prefer to deploy manually, download the YAML and apply it with kubectl.
  6. Wait for all pods to reach Running status. You can monitor progress in the Release Monitor screen.

How to Test

  1. Verify the pod is running as non-root: kubectl exec -n <namespace> <pod> -- id should return uid=1000.
  2. Confirm the root filesystem is read-only: kubectl exec -n <namespace> <pod> -- touch /test should return a permission denied error.
  3. Check the seccomp profile is applied: kubectl get pod <pod> -n <namespace> -o jsonpath='{.spec.securityContext.seccompProfile}'.
  4. Verify no API token is auto-mounted: kubectl exec -n <namespace> <pod> -- ls /var/run/secrets/kubernetes.io/serviceaccount/ should return empty or not found.
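
A static complement to the runtime checks above, as an added example that is not part of the template or KubeKanvas's own code: it audits the JSON from kubectl get pod <pod> -n <namespace> -o json for the non-root, privilege-escalation, read-only filesystem, seccomp, token-mount, secret-mode, and resource-limit controls described in the Architecture Overview. The sample pod, the names app, creds, and app-secret, and the audit_pod helper are constructed for illustration.

```python
import json

# Constructed sample: trimmed `kubectl get pod <pod> -o json` output, not the template's manifest.
SAMPLE_POD = json.loads("""{"spec": {
  "securityContext": {"runAsUser": 1000, "seccompProfile": {"type": "RuntimeDefault"}},
  "volumes": [{"name": "creds", "secret": {"secretName": "app-secret", "defaultMode": 256}},
              {"name": "tmp", "emptyDir": {}}],
  "containers": [{"name": "app",
    "securityContext": {"allowPrivilegeEscalation": false, "readOnlyRootFilesystem": true},
    "resources": {"limits": {"cpu": "500m", "memory": "256Mi", "ephemeral-storage": "1Gi"}}}]}}""")

REQUIRED_LIMITS = ("cpu", "memory", "ephemeral-storage")

def audit_pod(pod):
    """Return findings for a pod object; an empty list means every check passed."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    findings = []
    for vol in spec.get("volumes", []):
        # A token that was auto-mounted shows up as a projected serviceAccountToken source.
        sources = (vol.get("projected") or {}).get("sources", [])
        if any("serviceAccountToken" in s for s in sources):
            findings.append(f"volume {vol['name']}: service account token is mounted")
        if "secret" in vol:
            mode = vol["secret"].get("defaultMode", 0o644)  # API default when unset
            if mode != 0o400:  # JSON carries the mode in decimal: 256 == 0o400
                findings.append(f"volume {vol['name']}: secret mode {mode:04o}, expected 0400")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        # Container-level settings override pod-level ones.
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if not uid:
            findings.append(f"{c['name']}: runAsUser unset or 0")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{c['name']}: allowPrivilegeEscalation not false")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{c['name']}: root filesystem is writable")
        if seccomp in (None, "Unconfined"):
            findings.append(f"{c['name']}: no seccomp profile")
        limits = (c.get("resources") or {}).get("limits") or {}
        missing = [r for r in REQUIRED_LIMITS if r not in limits]
        if missing:
            findings.append(f"{c['name']}: missing limits {', '.join(missing)}")
    return findings

if __name__ == "__main__":
    for line in audit_pod(SAMPLE_POD) or ["all checks passed"]:
        print(line)
```

AppArmor and SELinux settings are not inspected here; the checks read the pod spec only, so they confirm what was requested rather than what the node enforced.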

Use Cases

  • Security baseline for new services: Using this template as the starting point for any new Deployment to avoid common pod security misconfigurations.
  • CIS benchmark compliance: Configuring a pod that meets CIS Kubernetes Benchmark requirements for workload-level security controls.
  • Restricted multi-tenant clusters: Running workloads on shared clusters where strict pod isolation between tenants is required at the OS level.
  • Auditable secret handling: Storing all credentials in Kubernetes Secrets with 0400 volume-mount permissions rather than passing them as plaintext environment variables.

Summary

This template configures a Kubernetes pod with the full set of security controls applied at the container, identity, OS, and resource level. For a full walkthrough, read Securing Kubernetes Pods: A Complete Guide to Pod-Level Security Configuration.