# Container and Kubernetes Security

![Container and Kubernetes Security](/files/rTWtscfIoINqZsRBYhPd)

> **Section focus:** Container and Kubernetes Security.\
> **Best use:** start with the section map below, then move into the deeper pages that match your role or stack.\
> **Design note:** this index was refreshed to act as a cleaner GitBook landing page instead of a plain directory listing.

### Start with these pages

| Page                                                                                                                                                                                                                                                                                                                                                     | Why open it first                                                                         |
| -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------- |
| [🐳 Dockerfile Security Best Practices](/cloud-kubernetes-and-infrastructure-security/index-1/dockerfile-security-best-practices.md)                                                                                                                                                                                                                     | High-value page inside **Container and Kubernetes Security**.                             |
| [🐳 Docker Top 10 Misconfigurations](/cloud-kubernetes-and-infrastructure-security/index-1/docker-top-10-misconfigurations.md)                                                                                                                                                                                                                           | High-value page inside **Container and Kubernetes Security**.                             |
| [☸️ Kubernetes Security Baseline](/cloud-kubernetes-and-infrastructure-security/index-1/kubernetes-security-baseline.md)                                                                                                                                                                                                                                 | High-value page inside **Container and Kubernetes Security**.                             |
| [☸️ Kubernetes Top 10 Misconfigurations](/cloud-kubernetes-and-infrastructure-security/index-1/kubernetes-top-10-misconfigurations.md)                                                                                                                                                                                                                   | High-value page inside **Container and Kubernetes Security**.                             |
| [Network Policy Patterns](/cloud-kubernetes-and-infrastructure-security/index-1/network-policy-patterns.md)                                                                                                                                                                                                                                              | High-value page inside **Container and Kubernetes Security**.                             |
| [👥 Kubernetes RBAC and ABAC](/cloud-kubernetes-and-infrastructure-security/index-1/kubernetes-rbac-and-abac.md)                                                                                                                                                                                                                                         | High-value page inside **Container and Kubernetes Security**.                             |
| [🔐 Kubernetes API Access Hardening](/cloud-kubernetes-and-infrastructure-security/index-1/kubernetes-api-access-hardening.md)                                                                                                                                                                                                                           | High-value page inside **Container and Kubernetes Security**.                             |
| [☸️ Kubernetes Review Map — CKS Domains and Modern Attack Paths](/cloud-kubernetes-and-infrastructure-security/index-1/kubernetes-review-map-cks-domains-and-attack-paths.md)                                                                                                                                                                            | Best next step when you want a curated review structure and modern attack-path shortlist. |
| [🐙 OPA and Policy Enforcement](/cloud-kubernetes-and-infrastructure-security/index-1/opa-and-policy-enforcement.md)                                                                                                                                                                                                                                     | High-value page inside **Container and Kubernetes Security**.                             |
| [☸️ Container / Kubernetes / Platform Security — Images, Admission, RBAC, Pod Hardening, Isolation, and GitOps / Deployment Plane](https://github.com/D3One/Product-Security-Gitbook/blob/main/09-container-and-kubernetes-security/container-kubernetes-platform-security-images-admission-rbac-pod-hardening-isolation-and-gitops-deployment-plane.md) | High-value page inside **Container and Kubernetes Security**.                             |
| [🧱 Container Isolation — seccomp, SELinux, AppArmor, Capabilities, gVisor, and Namespaces](https://github.com/D3One/Product-Security-Gitbook/blob/main/09-container-and-kubernetes-security/container-isolation-seccomp-selinux-apparmor-capabilities-gvisor-and-namespaces.md)                                                                         | High-value page inside **Container and Kubernetes Security**.                             |
| [☸️ Istio / Linkerd mTLS Operations and Certificate Rotation](/cloud-kubernetes-and-infrastructure-security/index-1/istio-linkerd-mtls-operations-and-certificate-rotation.md)                                                                                                                                                                           | High-value page for mesh certificate ownership, rotation, and production pitfalls.        |
| [📚 Kubernetes Security Glossary and Term Map](/cloud-kubernetes-and-infrastructure-security/index-1/kubernetes-security-glossary-and-term-map.md)                                                                                                                                                                                                       | Best when the main glossary feels too broad and you need cloud-native terms in one place. |

### Related sections

* [Infrastructure and Cloud Security](/cloud-kubernetes-and-infrastructure-security/index.md)
* [Detection and Response](/attack-paths-testing-detection-and-hardening/index.md)

***

> **Intro:** This section stays centered on the control surfaces that repeatedly shape cloud-native risk: Dockerfile design, pod security, RBAC, network segmentation, policy enforcement, and runtime investigation.
>
> **What this page includes**
>
> * Docker and Kubernetes baselines
> * top misconfigurations
> * a CKS-aligned review map translated into real platform control ownership and modern attack paths
> * RBAC / ABAC
> * cross-links into new runtime, identity, and attack-chain expansions

### ☸️ Core pages in this section

* [🐳 Dockerfile Security Best Practices](/cloud-kubernetes-and-infrastructure-security/index-1/dockerfile-security-best-practices.md)
* [🐳 Docker Top 10 Misconfigurations](/cloud-kubernetes-and-infrastructure-security/index-1/docker-top-10-misconfigurations.md)
* [☸️ Kubernetes Security Baseline](/cloud-kubernetes-and-infrastructure-security/index-1/kubernetes-security-baseline.md)
* [☸️ Kubernetes Top 10 Misconfigurations](/cloud-kubernetes-and-infrastructure-security/index-1/kubernetes-top-10-misconfigurations.md)
* [Network Policy Patterns](/cloud-kubernetes-and-infrastructure-security/index-1/network-policy-patterns.md)
* [👥 Kubernetes RBAC and ABAC](/cloud-kubernetes-and-infrastructure-security/index-1/kubernetes-rbac-and-abac.md)
* [🔐 Kubernetes API Access Hardening](/cloud-kubernetes-and-infrastructure-security/index-1/kubernetes-api-access-hardening.md)
* [🐙 OPA and Policy Enforcement](/cloud-kubernetes-and-infrastructure-security/index-1/opa-and-policy-enforcement.md)
* [🎤 OPA / Gatekeeper Mock Interview Pack](/cloud-kubernetes-and-infrastructure-security/index-1/opa-gatekeeper-interview-pack.md)
* [🧩 Kyverno Deep Pages](/cloud-kubernetes-and-infrastructure-security/index-1/kyverno-deep-pages.md)
* [🧭 Runtime Investigation Playbook for Kubernetes and Containers](/cloud-kubernetes-and-infrastructure-security/index-1/runtime-investigation-playbook.md)
* [🛡️ Trusted Images, Harbor, and Signing](/cloud-kubernetes-and-infrastructure-security/index-1/trusted-images-harbor-and-signing.md)
* [🧱 Kubernetes Hardening](/cloud-kubernetes-and-infrastructure-security/index-1/kubernetes-hardening.md)
* [🧰 Kubernetes Security Tooling Map and Standards](/cloud-kubernetes-and-infrastructure-security/index-1/kubernetes-security-tooling-map-and-standards.md)
* [🧱 StackRox Kubernetes Security Platform Guide](/cloud-kubernetes-and-infrastructure-security/index-1/stackrox-kubernetes-security-platform-guide.md)
* [🐳☸️ Implementing DevSecOps with Docker and Kubernetes — Modernization Map](/cloud-kubernetes-and-infrastructure-security/index-1/implementing-devsecops-with-docker-and-kubernetes-modernization-map.md)
* [🐳 AppArmor and Seccomp for Docker](/cloud-kubernetes-and-infrastructure-security/index-1/apparmor-and-seccomp-for-docker.md)
* [🗂️ Kubernetes Risks and Measures Catalog](/cloud-kubernetes-and-infrastructure-security/index-1/kubernetes-risks-and-measures-catalog.md)
* [☸️ Kubernetes Review Map — CKS Domains and Modern Attack Paths](/cloud-kubernetes-and-infrastructure-security/index-1/kubernetes-review-map-cks-domains-and-attack-paths.md)

### Cross-links

* [🛡️ Security as Policy for Terraform and Infrastructure as Code](/cloud-kubernetes-and-infrastructure-security/index/security-as-policy-for-iac.md)
* [Runner Isolation and Trust Boundaries](/devsecops-cicd-and-supply-chain/index-1/runner-isolation-and-trust-boundaries.md)
* [🚨 Detection and Response](/attack-paths-testing-detection-and-hardening/index.md)
* [🪪 Identity and Platform Access](/architecture-api-crypto-and-identity/index-2.md)

### Snippets

* [Runtime Investigation Command Pack](https://github.com/D3One/Product-Security-Gitbook/blob/main/snippets/k8s/runtime-investigation-command-pack.md)
* [Namespace PSS labels and Kyverno starter](https://github.com/D3One/Product-Security-Gitbook/blob/main/snippets/k8s/namespace-pss-labels-and-kyverno-starter.yaml)
* [StackRox install and CI snippets](https://github.com/D3One/Product-Security-Gitbook/blob/main/snippets/k8s/stackrox/stackrox-manual-install.sh)
* [Advanced pod hardening starter](https://github.com/D3One/Product-Security-Gitbook/blob/main/snippets/k8s/pod-security-advanced-hardening.yaml)

***

*Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.*

