Secure your Kubernetes clusters with RBAC, Secrets management, Pod Security Standards, service accounts, and security best practices.
48 recipes available
Configure organizational default permissions in Quay Registry to automatically grant read access to robot accounts on every new repository. LDAP and team patterns.
Configure custom Certificate Authority trust across an OpenShift cluster using proxy config, image config, and automatic CA bundle injection into pods.
Configure custom Certificate Authority trust in both OpenShift and vanilla Kubernetes for private registries, internal services, and corporate PKI.
Configure custom Certificate Authority trust in vanilla Kubernetes using ConfigMap mounts, node-level trust stores, and containerd registry configuration.
Provision GPU tenants with a single Kustomize bundle containing namespace, RBAC, NetworkPolicy, quotas, and HAProxy VIP config.
Isolate GPU workloads across tenants using namespaces, RBAC, NetworkPolicy, and ResourceQuotas on OpenShift and Kubernetes.
Implement deny-by-default NetworkPolicy for GPU tenant namespaces with NCCL port exceptions and DNS egress on Kubernetes.
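The deny-by-default pattern above is easy to get subtly wrong (a bare podSelector never matches pods in another namespace; a rule with no ports means every port). The following added example, not from the page or any recipe, models the documented NetworkPolicy evaluation semantics in Python so a tenant policy set can be unit-tested before it is applied. The tenant namespace, labels, CoreDNS selector and the NCCL port range are assumptions for illustration; only matchLabels selectors are modelled.

```python
"""Offline evaluator for Kubernetes NetworkPolicy egress decisions (added example).

A pod selected by no policy of a given type allows all traffic of that type;
once any policy selects it, only traffic matching some rule in some selecting
policy is allowed (rules are additive; there is no deny rule).
"""
import ipaddress

TENANT_NS = "gpu-tenant-a"
# Assumed port range for NCCL peer connections in this example; the real range
# depends on how the job launcher configures NCCL, so adjust it to match.
NCCL_PORTS = {"port": 29500, "endPort": 29599, "protocol": "TCP"}

# Constructed tenant policy set: deny everything, then add back DNS and NCCL.
POLICIES = [
    {   # 1. selects every pod in the namespace and allows nothing
        "name": "default-deny", "namespace": TENANT_NS,
        "podSelector": {}, "policyTypes": ["Ingress", "Egress"],
    },
    {   # 2. DNS to CoreDNS in kube-system (namespaceSelector AND podSelector)
        "name": "allow-dns-egress", "namespace": TENANT_NS,
        "podSelector": {}, "policyTypes": ["Egress"],
        "egress": [{
            "to": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}},
                    "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}],
            "ports": [{"port": 53, "protocol": "UDP"}, {"port": 53, "protocol": "TCP"}],
        }],
    },
    {   # 3. NCCL between GPU workers; a bare podSelector is scoped to this namespace
        "name": "allow-nccl", "namespace": TENANT_NS,
        "podSelector": {"matchLabels": {"role": "gpu-worker"}}, "policyTypes": ["Egress"],
        "egress": [{"to": [{"podSelector": {"matchLabels": {"role": "gpu-worker"}}}],
                    "ports": [NCCL_PORTS]}],
    },
]


def labels_match(selector, labels):
    """matchLabels semantics only; an empty selector matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, dst, policy_ns):
    """One entry of a rule's `to` list. ipBlock is exclusive; namespaceSelector and
    podSelector in the same entry are ANDed; a bare podSelector only matches pods
    in the policy's own namespace."""
    if "ipBlock" in peer:
        if dst.get("ip") is None:
            return False
        ip = ipaddress.ip_address(dst["ip"])
        blk = peer["ipBlock"]
        if ip not in ipaddress.ip_network(blk["cidr"]):
            return False
        return not any(ip in ipaddress.ip_network(ex) for ex in blk.get("except", []))
    ns_sel = peer.get("namespaceSelector")
    if ns_sel is not None:
        if not labels_match(ns_sel, dst.get("ns_labels", {})):
            return False
    elif dst.get("namespace") != policy_ns:
        return False
    pod_sel = peer.get("podSelector")
    return pod_sel is None or labels_match(pod_sel, dst.get("labels", {}))


def port_matches(ports, port, proto):
    """No ports listed means every port; endPort gives an inclusive range."""
    if not ports:
        return True
    return any(p.get("protocol", "TCP") == proto and p["port"] <= port <= p.get("endPort", p["port"])
               for p in ports)


def egress_allowed(policies, src, dst, port, proto="TCP"):
    """True if egress from src to dst:port/proto is permitted by the policy set."""
    selecting = [p for p in policies
                 if p["namespace"] == src["namespace"]
                 and "Egress" in p.get("policyTypes", [])
                 and labels_match(p["podSelector"], src["labels"])]
    if not selecting:
        return True          # not isolated for egress: everything allowed
    for pol in selecting:
        for rule in pol.get("egress", []):
            peers = rule.get("to", [])
            peer_ok = not peers or any(peer_matches(pe, dst, pol["namespace"]) for pe in peers)
            if peer_ok and port_matches(rule.get("ports", []), port, proto):
                return True
    return False


# Constructed endpoints used by the checks below.
WORKER = {"namespace": TENANT_NS, "labels": {"role": "gpu-worker"}}
NOTEBOOK = {"namespace": TENANT_NS, "labels": {"role": "jupyter"}}
PEER_WORKER = {"namespace": TENANT_NS, "labels": {"role": "gpu-worker"},
               "ns_labels": {"kubernetes.io/metadata.name": TENANT_NS}}
OTHER_TENANT_WORKER = {"namespace": "gpu-tenant-b", "labels": {"role": "gpu-worker"},
                       "ns_labels": {"kubernetes.io/metadata.name": "gpu-tenant-b"}}
COREDNS = {"namespace": "kube-system", "labels": {"k8s-app": "kube-dns"},
           "ns_labels": {"kubernetes.io/metadata.name": "kube-system"}}
INTERNET = {"namespace": None, "labels": {}, "ns_labels": {}, "ip": "198.51.100.10"}

if __name__ == "__main__":
    for desc, src, dst, port, proto in [
        ("worker -> CoreDNS 53/udp", WORKER, COREDNS, 53, "UDP"),
        ("worker -> peer worker NCCL", WORKER, PEER_WORKER, 29550, "TCP"),
        ("worker -> other tenant NCCL", WORKER, OTHER_TENANT_WORKER, 29550, "TCP"),
        ("worker -> internet 443", WORKER, INTERNET, 443, "TCP"),
        ("notebook -> peer worker NCCL", NOTEBOOK, PEER_WORKER, 29550, "TCP"),
    ]:
        print(f"{desc:32} {'ALLOW' if egress_allowed(POLICIES, src, dst, port, proto) else 'DENY'}")
```

The cross-tenant case is the one to keep: because the NCCL rule uses a bare podSelector, a worker with the same `role` label in another namespace is still denied, and nothing in the set allows egress to the internet at all.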
Secure OpenClaw deployments with Kubernetes NetworkPolicies to restrict egress to messaging APIs, block unauthorized ingress, and isolate the gateway.
Manage API keys, bot tokens, and credentials for OpenClaw on Kubernetes using Kubernetes Secrets, External Secrets Operator, and Sealed Secrets.
Curate a minimal CatalogSource with only approved operators using opm index pruning and file-based catalog filtering for security and compliance.
Replace admin credentials in the OpenShift cluster-wide pull secret with a Quay robot account for secure, auditable container image pulls across all namespaces.
Configure OpenShift to trust a custom Certificate Authority for private container registries using additionalTrustedCA and image.config.openshift.io settings.
Run CIS, NIST, PCI DSS, and HIPAA compliance scans with Red Hat Advanced Cluster Security and automate reporting for audits.
Integrate Red Hat Advanced Cluster Security into CI/CD pipelines with roxctl for image scanning, policy checks, and deployment validation.
Automate Quay robot account token rotation across Kubernetes namespaces with zero-downtime credential updates and validation scripts.
Understand SELinux device relabeling and Security Context Constraints (SCC) requirements for the NVIDIA GPU Operator driver pods on OpenShift.
Replace and activate new TLS certificates tenant by tenant in OpenShift IngressController deployments with verification steps and rollback guidance.
Set up tenant-isolated TLS in OpenShift by assigning a dedicated certificate Secret to each IngressController for multi-tenant routing security.
Implement low-risk secret rotation in OpenShift multi-tenant environments using versioned Secrets and controlled rollouts.
Implement Kubernetes-native policy management using Kyverno to validate, mutate, and generate resources with declarative policies written in YAML.
Secure your Kubernetes pods with Security Context settings. Learn to set user/group IDs, file system permissions, capabilities, and privilege escalation.
Encrypt Kubernetes secrets for safe Git storage with Sealed Secrets. Learn to seal, manage, and rotate secrets in GitOps workflows securely.
Securely access cloud services from Kubernetes pods without static credentials. Configure Workload Identity for AWS, Azure, and GCP with IRSA, Workload.
Automate TLS certificate management with cert-manager. Configure issuers, request certificates from Let's Encrypt, and enable automatic renewal.
Scan container images for vulnerabilities before deployment. Integrate Trivy and other tools into CI/CD pipelines and runtime admission control.
Implement container image vulnerability scanning with Trivy, Grype, and other tools. Integrate scanning into CI/CD pipelines and admission control.
Sync secrets from external providers like AWS Secrets Manager, HashiCorp Vault, and Azure Key Vault into Kubernetes using External Secrets Operator.
Enforce Kubernetes policies with Kyverno. Validate, mutate, and generate resources using declarative YAML policies without code.
Enforce security standards with Pod Security Admission. Configure privileged, baseline, and restricted policies at namespace level for cluster-wide.
Best practices for managing secrets in Kubernetes. Learn encryption at rest, secret rotation, and integration with external secret stores.
Secure your Kubernetes workloads with service accounts and role-based access control. Create roles, bindings, and implement least-privilege access.
Secure your Kubernetes workloads using Pod Security Standards (PSS). Learn to enforce Privileged, Baseline, and Restricted policies at the namespace level.
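The security-context and Pod Security Standards entries above describe the same set of controls from two sides: what a pod must set, and what Pod Security Admission rejects. The following added example, not from the page or any recipe, checks a Pod manifest against the Restricted profile offline so a CI step can fail before admission does. It covers the Restricted-specific controls (privilege escalation, non-root, capabilities, seccomp) plus host namespaces, privileged mode and allowed volume types; Baseline controls such as hostPorts, sysctls, procMount and AppArmor/SELinux values are not modelled. The two pod manifests are constructed for illustration.

```python
"""Check a Pod manifest (as a dict) against the Pod Security Standards
"restricted" profile. Added example; returns a list of violations."""

# Volume types the restricted profile permits (hostPath and most others are not).
ALLOWED_VOLUME_TYPES = {"configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
                        "persistentVolumeClaim", "projected", "secret"}
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}


def _containers(spec):
    for key in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(key, []):
            yield c


def check_restricted(pod):
    spec = pod["spec"]
    name = pod.get("metadata", {}).get("name", "<pod>")
    v = []
    psc = spec.get("securityContext", {})
    for f in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(f):
            v.append(f"{name}: spec.{f} must be false or unset")
    for vol in spec.get("volumes", []):
        for t in (k for k in vol if k != "name"):
            if t not in ALLOWED_VOLUME_TYPES:
                v.append(f"{name}: volume {vol['name']} uses disallowed type {t}")
    # runAsNonRoot, runAsUser and seccomp may be set at pod level and inherited.
    pod_nonroot = psc.get("runAsNonRoot")
    pod_seccomp = psc.get("seccompProfile", {}).get("type")
    for c in _containers(spec):
        sc = c.get("securityContext", {})
        cname = f"{name}/{c['name']}"
        if sc.get("privileged"):
            v.append(f"{cname}: privileged must be false")
        if sc.get("allowPrivilegeEscalation") is not False:
            v.append(f"{cname}: allowPrivilegeEscalation must be explicitly false")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            v.append(f"{cname}: capabilities.drop must include ALL")
        extra = set(caps.get("add", [])) - {"NET_BIND_SERVICE"}
        if extra:
            v.append(f"{cname}: capabilities.add may only contain NET_BIND_SERVICE, got {sorted(extra)}")
        nonroot = sc.get("runAsNonRoot", pod_nonroot)
        run_as_user = sc.get("runAsUser", psc.get("runAsUser"))
        if nonroot is not True or run_as_user == 0:
            v.append(f"{cname}: must run as non-root (runAsNonRoot: true, runAsUser != 0)")
        seccomp = sc.get("seccompProfile", {}).get("type", pod_seccomp)
        if seccomp not in ALLOWED_SECCOMP:
            v.append(f"{cname}: seccompProfile.type must be RuntimeDefault or Localhost")
    return v


# Constructed manifests: a typical "debug" pod that PSA rejects, and a hardened one.
BAD_POD = {
    "metadata": {"name": "debug"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
        "containers": [{"name": "shell", "image": "busybox",
                        "securityContext": {"privileged": True}}],
    },
}
GOOD_POD = {
    "metadata": {"name": "api"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "volumes": [{"name": "tmp", "emptyDir": {}}],
        "containers": [{"name": "app", "image": "registry.example/api:1.2.3",
                        "securityContext": {"allowPrivilegeEscalation": False,
                                            "capabilities": {"drop": ["ALL"],
                                                             "add": ["NET_BIND_SERVICE"]}}}],
    },
}

if __name__ == "__main__":
    for pod in (BAD_POD, GOOD_POD):
        problems = check_restricted(pod)
        print(pod["metadata"]["name"], "OK" if not problems else "")
        for p in problems:
            print("  -", p)
```

Note that `allowPrivilegeEscalation` must be set to `false` explicitly; leaving it unset is a violation under Restricted, which is the most common reason an otherwise non-root pod is rejected.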
Master Kubernetes RBAC (Role-Based Access Control) to secure your cluster. Learn to create Roles, ClusterRoles, and bind them to ServiceAccounts.
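The service-account and RBAC entries above both come down to least privilege, and the mistakes are predictable: wildcard rules, verbs that grant escalation (`escalate`, `bind`, `impersonate`), secret reads, `pods/exec`, and bindings of `cluster-admin` or of the `system:authenticated` group. The following added example, not from the page or any recipe, lints Role/ClusterRole and binding objects for those patterns so they can be caught in review. The sample objects are constructed for illustration.

```python
"""Flag over-privileged RBAC objects before they are applied (added example).
Input is a list of Role/ClusterRole/RoleBinding/ClusterRoleBinding dicts as
produced by `kubectl get ... -o json` or loaded from manifests."""

ESCALATION_VERBS = {"escalate", "bind", "impersonate"}
READ_VERBS = {"get", "list", "watch", "*"}
SENSITIVE_SUBRESOURCES = {"pods/exec", "pods/attach", "pods/portforward",
                          "nodes/proxy", "serviceaccounts/token"}
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated", "system:masters"}


def lint_role(obj):
    kind, name = obj["kind"], obj["metadata"]["name"]
    findings = []
    for i, rule in enumerate(obj.get("rules", [])):
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))
        where = f"{kind}/{name} rules[{i}]"
        if "*" in verbs and "*" in resources:
            findings.append(f"{where}: wildcard verbs on wildcard resources (cluster-admin equivalent)")
        elif "*" in verbs:
            findings.append(f"{where}: wildcard verbs on {sorted(resources)}")
        elif "*" in resources:
            findings.append(f"{where}: wildcard resources for verbs {sorted(verbs)}")
        if verbs & ESCALATION_VERBS:
            findings.append(f"{where}: escalation verbs {sorted(verbs & ESCALATION_VERBS)}")
        if "secrets" in resources and verbs & READ_VERBS:
            findings.append(f"{where}: read access to secrets")
        for sub in sorted(resources & SENSITIVE_SUBRESOURCES):
            findings.append(f"{where}: access to {sub}")
        if "create" in verbs and "pods" in resources:
            findings.append(f"{where}: can create pods (can mount any secret or service account token in the namespace)")
    return findings


def lint_binding(obj):
    kind, name = obj["kind"], obj["metadata"]["name"]
    role = obj["roleRef"]["name"]
    subjects = obj.get("subjects", [])
    findings = []
    for s in subjects:
        if s["kind"] == "Group" and s["name"] in BROAD_GROUPS:
            findings.append(f"{kind}/{name}: binds {role} to group {s['name']}")
    if role == "cluster-admin":
        who = ", ".join(f"{s['kind']}/{s['name']}" for s in subjects)
        findings.append(f"{kind}/{name}: grants cluster-admin to {who}")
    if kind == "ClusterRoleBinding" and any(s["kind"] == "ServiceAccount" for s in subjects):
        findings.append(f"{kind}/{name}: cluster-wide binding to a ServiceAccount; "
                        "review whether a namespaced RoleBinding would do")
    return findings


def lint(objects):
    out = []
    for o in objects:
        if o["kind"] in ("Role", "ClusterRole"):
            out += lint_role(o)
        elif o["kind"] in ("RoleBinding", "ClusterRoleBinding"):
            out += lint_binding(o)
    return out


RBAC_API = "rbac.authorization.k8s.io"
# Constructed examples: a "CI deployer" that has accreted dangerous rights ...
RISKY_OBJECTS = [
    {"kind": "ClusterRole", "metadata": {"name": "ci-deployer"}, "rules": [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
        {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
    ]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-deployer"},
     "roleRef": {"apiGroup": RBAC_API, "kind": "ClusterRole", "name": "ci-deployer"},
     "subjects": [{"kind": "ServiceAccount", "name": "deployer", "namespace": "ci"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "everyone-admin"},
     "roleRef": {"apiGroup": RBAC_API, "kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:authenticated", "apiGroup": RBAC_API}]},
]
# ... and a namespaced, name-scoped read of one ConfigMap, which is what least privilege looks like.
LEAST_PRIVILEGE_OBJECTS = [
    {"kind": "Role", "metadata": {"name": "config-reader", "namespace": "app"}, "rules": [
        {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"],
         "resourceNames": ["app-config"]},
    ]},
    {"kind": "RoleBinding", "metadata": {"name": "config-reader", "namespace": "app"},
     "roleRef": {"apiGroup": RBAC_API, "kind": "Role", "name": "config-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "app", "namespace": "app"}]},
]

if __name__ == "__main__":
    for f in lint(RISKY_OBJECTS):
        print("-", f)
    print("least-privilege set:", lint(LEAST_PRIVILEGE_OBJECTS) or "no findings")
```

Run it over `kubectl get clusterroles,clusterrolebindings -A -o json | jq '.items'` to audit a live cluster; expect findings for the built-in `cluster-admin` bindings and for controller service accounts, which you then document as accepted rather than silence.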
Configure OpenClaw RBAC policies and namespace isolation for multi-tenant Kubernetes clusters with per-team agent access controls.
Deploy and configure Red Hat Advanced Cluster Security (ACS/RHACS) for vulnerability scanning, compliance, network policies, and runtime threat detection.
Create and manage custom security policies in Red Hat Advanced Cluster Security for image scanning, deployment config, and runtime enforcement.
Manage security across multiple Kubernetes clusters with RHACS Central hub, secured cluster registration, and unified policy enforcement.
Use Red Hat Advanced Cluster Security network graph to discover traffic flows, generate NetworkPolicies, and enforce micro-segmentation.
Rotate and update Certificate Authority (CA) certificates in Kubernetes clusters including kube-apiserver, etcd, kubelet, and custom CA bundles for TLS.
Enhance container isolation using gVisor sandbox runtime to add an additional security layer between containers and the host kernel for untrusted workloads.
Securely manage secrets with HashiCorp Vault in Kubernetes. Learn to inject secrets into pods using the Vault Agent Injector and CSI Provider.
Configure OpenID Connect (OIDC) authentication to integrate Kubernetes with identity providers like Keycloak, Okta, Azure AD, and Google for secure user.
Build validating and mutating admission webhooks to enforce policies and modify resources. Implement custom admission controllers for Kubernetes.
Set up secure API server access with authentication and authorization. Configure RBAC, API groups, and audit logging for cluster security.
Enable and configure Kubernetes API audit logging. Track who did what, when, and to which resources for security compliance and troubleshooting.
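Audit logging is only useful once something reads the log. The following added example, not from the page or any recipe, parses `audit.k8s.io/v1` events in the one-JSON-object-per-line form the API server writes to its audit log file and answers the "who did what, when, to which resource" question, flagging the events an analyst would want first: secret reads, `exec`/`attach` sessions, RBAC changes, anonymous requests, and denied requests. The six events are constructed sample data, trimmed to the fields the triage uses.

```python
"""Triage kube-apiserver audit events (added example, constructed sample data)."""
import json
from collections import Counter

SAMPLE_AUDIT_LOG = r'''
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a1","stage":"ResponseComplete","verb":"get","requestURI":"/api/v1/namespaces/prod/secrets/db-creds","user":{"username":"system:serviceaccount:ci:deployer","groups":["system:serviceaccounts","system:authenticated"]},"sourceIPs":["10.0.1.7"],"objectRef":{"resource":"secrets","namespace":"prod","name":"db-creds","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2024-05-01T10:00:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a2","stage":"ResponseComplete","verb":"create","requestURI":"/api/v1/namespaces/prod/pods/api-0/exec?command=sh","user":{"username":"alice","groups":["developers","system:authenticated"]},"sourceIPs":["203.0.113.9"],"objectRef":{"resource":"pods","subresource":"exec","namespace":"prod","name":"api-0","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":101},"requestReceivedTimestamp":"2024-05-01T10:01:12.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a3","stage":"ResponseComplete","verb":"create","requestURI":"/apis/rbac.authorization.k8s.io/v1/clusterrolebindings","user":{"username":"bob","groups":["platform","system:authenticated"]},"sourceIPs":["10.0.2.3"],"objectRef":{"resource":"clusterrolebindings","name":"bob-admin","apiGroup":"rbac.authorization.k8s.io","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestReceivedTimestamp":"2024-05-01T10:02:40.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a4","stage":"ResponseComplete","verb":"list","requestURI":"/api/v1/secrets","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["198.51.100.23"],"objectRef":{"resource":"secrets","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":403},"requestReceivedTimestamp":"2024-05-01T10:03:05.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a5","stage":"ResponseComplete","verb":"list","requestURI":"/api/v1/namespaces/kube-system/pods","user":{"username":"alice","groups":["developers","system:authenticated"]},"sourceIPs":["203.0.113.9"],"objectRef":{"resource":"pods","namespace":"kube-system","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2024-05-01T10:04:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a6","stage":"ResponseComplete","verb":"delete","requestURI":"/api/v1/namespaces/prod","user":{"username":"mallory","groups":["system:authenticated"]},"sourceIPs":["203.0.113.77"],"objectRef":{"resource":"namespaces","name":"prod","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":403},"requestReceivedTimestamp":"2024-05-01T10:05:30.000000Z"}
'''

RBAC_RESOURCES = {"roles", "clusterroles", "rolebindings", "clusterrolebindings"}
INTERACTIVE = {"exec", "attach", "portforward"}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}
READ_VERBS = {"get", "list", "watch"}


def parse_audit_log(text):
    """One JSON event per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def describe(e):
    """'who did what, when, to which resource' on one line."""
    ref = e.get("objectRef", {})
    target = ref.get("resource", e.get("requestURI", "?"))
    if ref.get("subresource"):
        target += "/" + ref["subresource"]
    if ref.get("namespace"):
        target += f" {ref['namespace']}/{ref.get('name', '*')}"
    elif ref.get("name"):
        target += f" {ref['name']}"
    code = e.get("responseStatus", {}).get("code")
    return (f"{e.get('requestReceivedTimestamp', '?')} {e['user']['username']} "
            f"{e['verb']} {target} -> {code} from {','.join(e.get('sourceIPs', []))}")


def reasons_for(e):
    """Triage reasons that apply to one event; empty means benign for this rule set."""
    ref = e.get("objectRef", {})
    user = e["user"]
    code = e.get("responseStatus", {}).get("code", 0)
    ok = 200 <= code < 300 or code == 101   # 101: upgraded exec/attach stream
    reasons = []
    if user["username"] == "system:anonymous" or "system:unauthenticated" in user.get("groups", []):
        reasons.append("anonymous request")
    if code in (401, 403):
        reasons.append("denied request (possible probing or misconfigured client)")
    if ok and ref.get("resource") == "secrets" and e["verb"] in READ_VERBS:
        reasons.append("secret read")
    if ok and ref.get("subresource") in INTERACTIVE:
        reasons.append(f"interactive pod access ({ref['subresource']})")
    if ok and ref.get("resource") in RBAC_RESOURCES and e["verb"] in WRITE_VERBS:
        reasons.append("RBAC change")
    return reasons


def triage(events):
    """Events worth a human look, in log order, with the reasons why."""
    out = []
    for e in events:
        r = reasons_for(e)
        if r:
            out.append({"auditID": e["auditID"], "user": e["user"]["username"],
                        "reasons": r, "summary": describe(e)})
    return out


def actor_summary(events):
    """Request count per principal, for spotting unusual activity volumes."""
    return Counter(e["user"]["username"] for e in events)


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for f in triage(evs):
        print(f"[{'; '.join(f['reasons'])}] {f['summary']}")
    print(dict(actor_summary(evs)))
```

Secret reads and `exec` sessions only appear if the audit policy logs those resources at `Metadata` level or higher for the `RequestReceived`/`ResponseComplete` stages; a policy that records only `RequestResponse` for writes will miss both, so check the policy against this kind of query before relying on it for compliance evidence.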
Configure different container runtimes for workloads. Use gVisor, Kata Containers, or other runtimes for enhanced security and isolation.
Master advanced Kubernetes NetworkPolicies for fine-grained traffic control. Learn egress rules, CIDR blocks, namespace isolation, and common security.
Configure Kubernetes secrets encryption at rest using external KMS providers. Learn to set up AWS KMS, GCP KMS, and Azure Key Vault encryption.
Our book includes an entire chapter dedicated to security with dozens more examples.