Pod Security Context Explained¶

Introduction¶

This guide explains pod security context explained with practical kubectl commands, realistic output, and production-focused checks. Security and RBAC changes must be small, testable, and namespace-aware.

Why This Matters¶

Overbroad RBAC, privileged pods, writable root filesystems, and unrestricted network access turn small application bugs into cluster risk. Production clusters need least privilege and clear verification.

Example Configuration¶

apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
  namespace: app
spec:
  replicas: 3
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
      - name: web
        image: nginx:1.27
        ports:
        - containerPort: 80

Step-by-Step Configuration¶

kubectl auth can-i get pods --as system:serviceaccount:app:backend -n app
kubectl get role,rolebinding -n app
kubectl describe serviceaccount backend -n app
kubectl get resourcequota,limitrange -n app
kubectl get events -n app --sort-by=.lastTimestamp

Expected output:

yes
role.rbac.authorization.k8s.io/pod-reader   created

Verification¶

kubectl auth can-i get pods -n app --as system:serviceaccount:app:backend
kubectl describe rolebinding -n app
kubectl get events -n app --sort-by=.lastTimestamp

Security Best Practices¶

• Grant verbs only for the resources an application actually needs.
• Prefer namespace-scoped Roles before ClusterRoles.
• Run containers as non-root and drop unnecessary Linux capabilities.
• Protect Secrets with RBAC and avoid printing them in logs.

Common Mistakes¶

• Binding cluster-admin to application service accounts.
• Debugging Forbidden errors without checking the exact service account identity.
• Assuming Pod Security, RBAC, and NetworkPolicy solve the same problem.

Troubleshooting¶

Use kubectl auth can-i with the exact service account, namespace, verb, and resource. Then inspect RoleBindings, admission events, pod security settings, and image pull credentials.

Related Guides¶

• kubectl Auth Can I Examples
• Least Privilege RBAC Kubernetes
• Serviceaccount Explained
• Kubernetes Security Checklist

Summary¶

Kubernetes security works best as layered controls: RBAC for API access, pod security for runtime boundaries, NetworkPolicy for traffic, and careful Secret handling for credentials.