{
	"id": "79cccb99-fce1-4a12-8adf-7fa946a3af7f",
	"created_at": "2026-04-06T00:11:20.724305Z",
	"updated_at": "2026-04-10T13:11:20.080928Z",
	"deleted_at": null,
	"sha1_hash": "a70e086f6462fe3d8c0e69025007a46c6917ca59",
	"title": "Security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 61200,
	"plain_text": "Security\r\nArchived: 2026-04-05 13:11:52 UTC\r\nConcepts for keeping your cloud-native workload secure.\r\nThis section of the Kubernetes documentation aims to help you learn to run workloads more securely, and about the essential aspects of keeping a Kubernetes cluster secure.\r\nKubernetes is based on a cloud-native architecture, and draws on advice from the CNCF about good practice for cloud native information security.\r\nRead Cloud Native Security and Kubernetes for the broader context about how to secure your cluster and the applications that you're running on it.\r\nKubernetes security mechanisms\r\nKubernetes includes several APIs and security controls, as well as ways to define policies that can form part of how you manage information security.\r\nControl plane protection\r\nA key security mechanism for any Kubernetes cluster is to control access to the Kubernetes API.\r\nKubernetes expects you to configure and use TLS to provide data encryption in transit within the control plane, and between the control plane and its clients. You can also enable encryption at rest for the data stored within the Kubernetes control plane; this is separate from using encryption at rest for your own workloads' data, which might also be a good idea.\r\nSecrets\r\nThe Secret API provides basic protection for configuration values that require confidentiality. By default, Secrets are stored unencrypted in the API server's underlying data store (etcd), so enabling encryption at rest and restricting who can read Secrets through RBAC are both part of protecting them.\r\nWorkload protection\r\nEnforce Pod security standards to ensure that Pods and their containers are isolated appropriately. You can also use RuntimeClasses to define custom isolation if you need it.\r\nNetwork policies let you control network traffic between Pods, or between Pods and the network outside your cluster.\r\nYou can deploy security controls from the wider ecosystem to implement preventative or detective controls around Pods, their containers, and the images that run in them.\r\nhttps://kubernetes.io/docs/concepts/security/overview/\r\nPage 1 of 4\r\nAdmission control\r\nAdmission controllers are plugins that intercept Kubernetes API requests and can validate or mutate the requests based on specific fields in the request. Thoughtfully designing these controllers helps to avoid unintended disruptions as Kubernetes APIs change across version updates. For design considerations, see Admission Webhook Good Practices.\r\nAuditing\r\nKubernetes audit logging provides a security-relevant, chronological set of records documenting the sequence of actions in a cluster. The cluster audits the activities generated by users, by applications that use the Kubernetes API, and by the control plane itself.\r\nCloud provider security\r\nNote: Items on this page refer to vendors external to Kubernetes. The Kubernetes project authors aren't responsible for those third-party products or projects. To add a vendor, product or project to this list, read the content guide before submitting a change. More information.\r\nIf you are running a Kubernetes cluster on your own hardware or a different cloud provider, consult your documentation for security best practices. Here are links to some of the popular cloud providers' security documentation:\r\nIaaS Provider Link\r\nAlibaba Cloud https://www.alibabacloud.com/trust-center\r\nAmazon Web Services https://aws.amazon.com/security\r\nGoogle Cloud Platform https://cloud.google.com/security\r\nHuawei Cloud https://www.huaweicloud.com/intl/en-us/securecenter/overallsafety\r\nIBM Cloud https://www.ibm.com/cloud/security\r\nMicrosoft Azure https://docs.microsoft.com/en-us/azure/security/azure-security\r\nOracle Cloud Infrastructure https://www.oracle.com/security\r\nTencent Cloud https://www.tencentcloud.com/solutions/data-security-and-information-protection\r\nVMware vSphere https://www.vmware.com/solutions/security/hardening-guides\r\nPolicies\r\nYou can define security policies using Kubernetes-native mechanisms, such as NetworkPolicy (declarative control over network packet filtering) or ValidatingAdmissionPolicy (declarative restrictions on what changes someone can make using the Kubernetes API).\r\nHowever, you can also rely on policy implementations from the wider ecosystem around Kubernetes. Kubernetes provides extension mechanisms to let those ecosystem projects implement their own policy controls on source code review, container image approval, API access controls, networking, and more.\r\nFor more information about policy mechanisms and Kubernetes, read Policies.\r\nWhat's next\r\nLearn about related Kubernetes security topics:\r\nSecuring your cluster\r\nKnown vulnerabilities in Kubernetes (and links to further information)\r\nData encryption in transit for the control plane\r\nData encryption at rest\r\nControlling Access to the Kubernetes API\r\nNetwork policies for Pods\r\nSecrets in Kubernetes\r\nPod security standards\r\nRuntimeClasses\r\nLearn the context:\r\nCloud Native Security and Kubernetes\r\nGet certified:\r\nCertified Kubernetes Security Specialist certification and official training course.\r\nRead more in this section:\r\nPod Security Standards\r\nPod Security Admission\r\nService Accounts\r\nPod Security Policies\r\nSecurity For Linux Nodes\r\nSecurity For Windows Nodes\r\nControlling Access to the Kubernetes API\r\nRole Based Access Control Good Practices\r\nGood practices for Kubernetes Secrets\r\nMulti-tenancy\r\nHardening Guide - Authentication Mechanisms\r\nHardening Guide - Scheduler Configuration\r\nKubernetes API Server Bypass Risks\r\nLinux kernel security constraints for Pods and containers\r\nSecurity Checklist\r\nApplication Security Checklist\r\nItems on this page refer to third party products or projects that provide functionality required by Kubernetes. The Kubernetes project authors aren't responsible for those third-party products or projects. See the CNCF website guidelines for more details.\r\nYou should read the content guide before proposing a change that adds an extra third-party link.\r\nSource: https://kubernetes.io/docs/concepts/security/overview/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://kubernetes.io/docs/concepts/security/overview/"
	],
	"report_names": [
		"overview"
	],
	"threat_actors": [
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434280,
	"ts_updated_at": 1775826680,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a70e086f6462fe3d8c0e69025007a46c6917ca59.pdf",
		"text": "https://archive.orkl.eu/a70e086f6462fe3d8c0e69025007a46c6917ca59.txt",
		"img": "https://archive.orkl.eu/a70e086f6462fe3d8c0e69025007a46c6917ca59.jpg"
	}
}