Skip to content

What are the basics of Kubernetes security (RBAC and network policies)?

Short answer

RBAC controls what identities can do against the Kubernetes API — Roles and ClusterRoles grant verbs on resources, bound to subjects via RoleBindings — and should follow least privilege, avoiding cluster-admin and wildcards. Network policies control pod-to-pod traffic, which is allow-all by default until you apply a default-deny and then explicitly permit required flows. Together they limit blast radius if a pod or token is compromised.

Kubernetes ships open by default — broad permissions and flat networking — so security is something you must add. The two foundational controls are RBAC and network policies, and a strong answer explains both the mechanism and the default that bites people.

RBAC: who can touch the API

Everything in Kubernetes goes through the API server, so controlling API access is paramount.

  • Roles / ClusterRoles define a set of allowed verbs (get, list, create, delete) on resources (pods, secrets). Roles are namespaced; ClusterRoles are cluster-wide.
  • RoleBindings / ClusterRoleBindings attach those roles to subjects — users, groups, or service accounts.
  • Least privilege: avoid binding anything to cluster-admin, avoid wildcard verbs/resources, and give each workload's service account only what it needs. A pod that can read all secrets is a serious escalation path if compromised.

Network policies: who can talk to whom

By default, any pod can reach any other pod — flat, allow-all networking. A compromised pod can scan and pivot freely.

  • Apply a default-deny policy in a namespace, then add explicit ingress/egress rules allowing only the flows your app actually needs (e.g. frontend to backend on one port).
  • Critical caveat: network policies are enforced by the CNI plugin. If your CNI doesn't support them (or you assume a no-op default does), the policy silently does nothing — a common reason a "deny" rule appears ignored.

What interviewers look for

Separating RBAC (API authz) from network policies (traffic segmentation), knowing both defaults (broad RBAC, allow-all networking), and the CNI dependency that makes network policies a no-op without support.

Likely follow-ups

  • Why is pod-to-pod traffic allow-all by default, and how do you flip it to default-deny?
  • What's the risk of binding a service account to cluster-admin?
  • Why might a NetworkPolicy you applied have no effect at all?

Sources

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.