Chapter 4. Golden Node Images

Steps (simulate outcomes on Minikube)

  1. Enforce Pod Security (Restricted) on namespace

    make pss-enforce
    
  2. Harden the workload spec (the settings below are already compatible with your app). In infra/k8s/deployment.yaml, under spec.template.spec:

    securityContext:
      runAsNonRoot: true
      seccompProfile: { type: RuntimeDefault }
    containers:
    - name: app
      securityContext:
        readOnlyRootFilesystem: true
        allowPrivilegeEscalation: false
        capabilities: { drop: ["ALL"] }
    

    Apply:

    make k8s-apply && make k8s-verify
    
  3. (Optional) Runtime detection

    make falco-install
    sleep 10
    make falco-export   # artifacts/falco-last10m.log
    

Verify

  • Try deploying an intentionally “bad” pod (privileged/root) to see enforcement fail (you can reuse your kyverno-bad-apply flow if you prefer a policy-based test).
  • Confirm k8s-verify passes for the hardened deployment.
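The hardened spec in step 2 and the intentionally "bad" pod above can be checked offline before `make k8s-apply`. This is an added example, not one of the chapter's Makefile targets: it takes a pod spec as an already-parsed dict (the constructed HARDENED and BAD samples stand in for the manifest) and reports which fields the Restricted profile, plus this chapter's readOnlyRootFilesystem setting, would reject.

```python
"""Offline pre-deploy check for this chapter's hardening fields (added example).

Mirrors the fields Pod Security "restricted" enforces plus the chapter's own
readOnlyRootFilesystem setting; input is a pod spec as an already-parsed dict
(what yaml.safe_load(...)["spec"]["template"]["spec"] would return).
"""


def restricted_violations(pod_spec: dict) -> list[str]:
    """Return a list of violations; an empty list means the spec passes."""
    found = []
    pod_sc = pod_spec.get("securityContext", {}) or {}
    # Baseline rule that applies pod-wide: no host namespaces.
    for ns in ("hostNetwork", "hostPID", "hostIPC"):
        if pod_spec.get(ns):
            found.append(f"pod: {ns} must not be true")
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {}) or {}
        # Container-level settings override pod-level ones; fall back to the pod.
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if sc.get("privileged"):
            found.append(f"{name}: privileged must not be true")
        if run_as_non_root is not True:
            found.append(f"{name}: runAsNonRoot must be true")
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(f"{name}: allowPrivilegeEscalation must be false")
        if "ALL" not in (sc.get("capabilities") or {}).get("drop", []):
            found.append(f"{name}: capabilities.drop must include ALL")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            found.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
        # Not a PSS rule, but part of this chapter's hardened deployment spec.
        if sc.get("readOnlyRootFilesystem") is not True:
            found.append(f"{name}: readOnlyRootFilesystem must be true")
    return found


# Constructed sample: the hardened spec from step 2 of this chapter.
HARDENED = {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "app", "securityContext": {
        "readOnlyRootFilesystem": True, "allowPrivilegeEscalation": False,
        "capabilities": {"drop": ["ALL"]}}}],
}

# Constructed sample: the intentionally "bad" pod (privileged, runs as root).
BAD = {"containers": [{"name": "app", "securityContext": {"privileged": True}}]}

if __name__ == "__main__":
    print(restricted_violations(HARDENED) or "hardened: OK", restricted_violations(BAD), sep="\n")
```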

Makefile commands

  • Namespace PSA labels: make pss-enforce
  • Re-apply manifests: make k8s-apply && make k8s-verify
  • Falco: make falco-install, then make falco-export

Checklist

  • Namespace carries the Pod Security Admission label pod-security.kubernetes.io/enforce=restricted
  • Deployment uses non-root, RO rootfs, no privilege escalation, drop ALL caps, seccomp RuntimeDefault
  • (Optional) Falco installed and logs captured
  • Evidence ZIP contains falco-last10m.log (if used)