Chapter 5. Checklist

Decide how you’ll enforce at admission and constrain at runtime.

Namespaces & Multitenancy

  • Namespace model: Per team/app/tenant? Is pod-security.kubernetes.io/enforce=restricted applied across namespaces?
  • Separation: Do build/test namespaces differ from runtime namespaces?

RBAC & Service Accounts

  • Least privilege: Do workloads run under dedicated SAs with namespace-scoped Roles only?
  • can-i evidence: Do you record kubectl auth can-i checks in artifacts?

Network Policies

  • Default deny: Is there a cluster-wide default deny for ingress/egress?
  • Allow rules: Have you explicitly allowed app ingress and DNS egress only where needed?

Admission Controls (Kyverno)

  • Deny bad: Which rules are enforced? (no privileged, drop ALL caps, runAsNonRoot, probes, seccomp)
  • Verify good: Are image signatures verified? Is there an org-registry allow-list?
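One way to turn the "Deny bad" row into an enforceable control, as an added example that is not part of the book: a single Kyverno ClusterPolicy covering the rules listed (no privileged, drop ALL caps, runAsNonRoot, probes, seccomp). The policy name and messages are assumptions; adjust them to your naming conventions.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: checklist-pod-hardening   # assumed name, not from the book
spec:
  validationFailureAction: Enforce   # reject violating Pods instead of only auditing
  background: true                   # also report on Pods that already exist
  rules:
    # Rule 1: privileged must be unset or explicitly false on every container.
    - name: disallow-privileged
      match:
        any:
          - resources:
              kinds: [Pod]
      validate:
        message: "Privileged containers are not allowed."
        pattern:
          spec:
            containers:
              - =(securityContext):
                  =(privileged): "false"
    # Rule 2: drop ALL capabilities, run as non-root, pin a seccomp profile,
    # and require liveness/readiness probes on every container.
    - name: require-restricted-securitycontext-and-probes
      match:
        any:
          - resources:
              kinds: [Pod]
      validate:
        message: >-
          Containers must drop ALL capabilities, set runAsNonRoot: true,
          use a RuntimeDefault or Localhost seccomp profile, and define
          liveness and readiness probes.
        pattern:
          spec:
            containers:
              - securityContext:
                  runAsNonRoot: true
                  capabilities:
                    drop:
                      - ALL
                  seccompProfile:
                    type: "RuntimeDefault | Localhost"   # pattern alternation
                livenessProbe:
                  periodSeconds: ">0"
                readinessProbe:
                  periodSeconds: ">0"
```

Kyverno auto-generates matching rules for Pod controllers (Deployments, StatefulSets, Jobs, and so on), so violations are rejected at the controller level rather than surfacing later as failed Pods; start with `validationFailureAction: Audit` on an existing cluster to see the blast radius before switching to `Enforce`.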

Image Integrity

  • Cosign policy: Which public keys are trusted? How are they rotated?
  • Untrusted images: What’s the response when an image is denied (runbook, alerting)?

Secrets & Config

  • SOPS/age: Are Kubernetes Secrets encrypted in Git? Who can decrypt?
  • External secrets: Any plan to fetch secrets from KMS/secret manager?

Runtime Signals & WAF

  • Falco: Which rules are enabled? Who receives alerts, and where?
  • WAF: Where does WAF sit (ingress controller vs edge)? What attack classes do you block first?

In-Cluster Scanning

  • Trivy Operator: Will you enable it? Who triages CRD reports and how often?