Guide to Kubernetes Ingress Network Policies

Viswajith Venugopal (/authors/vvenugopal/) Apr 05, 2019

The container orchestrator war is over, and Kubernetes has won. With companies large and small rapidly adopting the platform, security has emerged as an important concern – partly because of the learning curve inherent in understanding any new infrastructure, and partly because of recently announced vulnerabilities (/post/2019/03/new-kubernetes-security-vulnerabilities-discovered-cve-2019-1002101-and-cve-2019-9946/).

Kubernetes brings another security dynamic to the table – its defaults are geared towards making it easy for users to get up and running quickly, as well as being backward compatible with earlier releases of Kubernetes that lacked important security features. Consequently, many important Kubernetes configurations are not secure by default.

One important configuration that demands attention from a security perspective is the network policies feature. Network policies specify how groups of pods are allowed to communicate with each other and other network endpoints. You can think of them as the Kubernetes equivalent of a firewall.

How to Set Up Kubernetes Ingress Networking Policies

We lay out here a step-by-step guide on how to set up network policies. The network policy spec is intricate, and it can be difficult to understand and use correctly. In this guide, we provide recommendations that significantly improve security. Users can easily implement these recommendations without needing to know the spec in detail.

A quick note: this guide focuses just on ingress network policies. When starting out, the biggest security gains come from applying ingress policies, so we recommend focusing on them first, and then adding egress policies. We discuss egress policies in detail (/post/2020/01/kubernetes-egress-network-policies/) and provide recommendations in our latest post in this series – don’t forget to check it out (/post/2020/01/kubernetes-egress-network-policies/)!


Use a network plugin that supports network policies

First things first – use a network plugin that actually enforces network policies. Although Kubernetes always supports operations on the NetworkPolicy resource, simply creating the resource without a plugin that implements it will have no effect. Example plugins include Calico, Cilium, Kube-router, Romana and Weave Net.

“Isolate” your pods

Each network policy has a podSelector field, which selects a group of (zero or more) pods. When a pod is selected by a network policy, the network policy is said to apply to it.

Each network policy also specifies a list of allowed (ingress and egress) connections. When the network policy is created, all the pods that it applies to are allowed to make or accept the connections listed in it. In other words, a network policy is essentially a list of allowed connections – a connection to or from a pod is allowed if it is permitted by at least one of the network policies that apply to the pod.

This tale, however, has an important twist: based on everything described so far, one would think that, if no network policies applied to a pod, then no connections to or from it would be permitted. The opposite, in fact, is true: if no network policies apply to a pod, then all network connections to and from it are permitted (unless the connection is forbidden by a network policy applied to the other peer in the connection).

This behavior relates to the notion of “isolation”: pods are “isolated” if at least one network policy applies to them; if no policies apply, they are “non-isolated”. Network policies are not enforced on non-isolated pods. Although somewhat counter-intuitive, this behavior exists to make it easier to get a cluster up and running – a user who does not understand network policies can run their applications without having to create one.

Therefore, we recommend you start by applying a “default-deny-all” network policy. The effect of the following policy specification is to isolate all pods, which means that only connections explicitly listed by other network policies will be allowed.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
spec:
  podSelector: {}
  policyTypes:
  - Ingress

Without such a policy, it is very easy to run into a scenario where you delete a network policy, hoping to forbid the connections listed in it, but find that the result is that all connections to some pods suddenly become permitted – including ones that weren’t allowed before. Such a scenario occurs when the network policy you deleted was the only one that applied to a particular pod, which means that the deletion of the network policy caused the pod to become “non-isolated”.

Important Note: Since network policies are namespaced resources, you will need to create this policy for each namespace. You can do so by running kubectl -n <namespace> create -f <filename> for each namespace.
Explicitly allow internet access for pods that need it

With just the default-deny-all policy in place in every namespace, none of your pods will be able to talk to each other or receive traffic from the Internet. For most applications to work, you will need to allow some pods to receive traffic from outside sources. One convenient way to permit this setup would be to designate labels that are applied to those pods to which you want to allow access from the internet and to create network policies that target those labels. For example, the following network policy allows traffic from all (including external) sources for pods having the networking/allow-internet-access=true label (again, as in the previous section, you will have to create this for every namespace):

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: internet-access
spec:
  podSelector:
    matchLabels:
      networking/allow-internet-access: "true"
  policyTypes:
  - Ingress
  ingress:
  - {}

For a more locked-down set of policies, you would ideally want to specify more fine-grained CIDR blocks as well as explicitly list out allowed ports and protocols. However, this policy provides a good starting point, with much greater security than the default.

Explicitly allow necessary pod-to-pod communication

After taking the above steps, you will also need to add network policies to allow pods to talk to each other. You have a few options for how to enable pod-to-pod communications, depending on your situation:

If You Don’t Know Which Pods Need To Talk To Each Other

In this case, a good starting point is to allow all pods in the same namespace to talk to each other and explicitly allow communication across namespaces, since that is usually more rare. You can use the following network policy to allow all pod-to-pod communication within a namespace:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector: {}

If You Know The Sources and Sinks for Communication

Often, communication between pods in an application follows a hub-and-spoke paradigm, with some central pods that many other pods need to talk to. In this case, you could consider creating a label which designates pods that are allowed to talk to the “hub.” For example, if your hub is a database pod and has an app=db label, you could allow access to the database only from pods that have a networking/allow-db-access=true label by applying the following policy:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-db-access
spec:
  podSelector:
    matchLabels:
      app: "db"
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          networking/allow-db-access: "true"

You could do something similar if you have a server that initiates connections to many other pods. If you want to explicitly allow the pods that the server is allowed to talk to, you can set the networking/allow-server-to-access=true label on them, and apply the following network policy (assuming your server has the label app=server) on them:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-server-to-access
spec:
  podSelector:
    matchLabels:
      networking/allow-server-to-access: "true"
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: "server"

If You Know Exactly Which Connections Should Be Allowed

Within the same namespace

Advanced users who know exactly which pod-to-pod connections should be allowed in their application can explicitly allow each such connection. If you want pods in deployment A to be able to talk to pods in deployment B, you can create the following policy to allow that connection, after replacing the labels with the labels of the specific deployment:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-server-to-access
spec:
  podSelector:
    matchLabels:
      deployment-b-pod-label-1-key: deployment-b-pod-label-1-value
      deployment-b-pod-label-2-key: deployment-b-pod-label-2-value
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          deployment-a-pod-label-1-key: deployment-a-pod-label-1-value
          deployment-a-pod-label-2-key: deployment-a-pod-label-2-value

Across Namespaces

To allow connections across namespaces, you will need to create a label for the source namespace (unfortunately, Kubernetes does not have any labels on namespaces by default) and add a namespaceSelector query next to the podSelector query. To label a namespace, you can simply run the command: kubectl label namespace <name> networking/namespace=<name>

With this namespace label in place, you can allow deployment A in namespace N1 to talk to deployment B in namespace N2 by applying the following network policy:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-n1-a-to-n2-b
  namespace: N2  # placeholder: real namespace names must be lowercase DNS labels
spec:
  podSelector:
    matchLabels:
      deployment-b-pod-label-1-key: deployment-b-pod-label-1-value
      deployment-b-pod-label-2-key: deployment-b-pod-label-2-value
  policyTypes:
  - Ingress
  ingress:
  - from:
    # namespaceSelector and podSelector in the same list entry are ANDed:
    # only deployment A's pods in namespace N1 are allowed
    - namespaceSelector:
        matchLabels:
          networking/namespace: N1
      podSelector:
        matchLabels:
          deployment-a-pod-label-1-key: deployment-a-pod-label-1-value
          deployment-a-pod-label-2-key: deployment-a-pod-label-2-value
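The evaluator below is an added example, not code from the original post or from StackRox. It replays the isolation rules from the “Isolate” your pods section and the selector forms used by the internet-access, allow-db-access and cross-namespace policies above on a constructed two-namespace cluster; policies are plain dicts mirroring the YAML keys, and only label selectors are modelled (no ipBlock, ports or egress).

```python
# Added example (not code from the original post): a small evaluator for the
# ingress semantics this guide describes. Policies are plain dicts mirroring
# the YAML keys used above; pods, namespaces and policies are constructed
# sample data. Only label selectors are modelled (no ipBlock, ports or egress).

EXTERNAL = {"namespace": None, "labels": {}}  # a client outside the cluster

def selector_matches(selector, labels):
    """{} matches everything; matchLabels entries are ANDed."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def applies_to(policy, pod):
    """A policy applies to pods in its own namespace that its podSelector matches."""
    return (policy["metadata"]["namespace"] == pod["namespace"]
            and selector_matches(policy["spec"]["podSelector"], pod["labels"]))

def peer_matches(peer, src, policy_ns, ns_labels):
    """One 'from' entry: podSelector alone = pods in the policy's own namespace;
    namespaceSelector alone = any pod in matching namespaces; both = AND."""
    if src["namespace"] is None:  # label selectors never match cluster-external clients
        return False
    pod_sel, ns_sel = peer.get("podSelector"), peer.get("namespaceSelector")
    if ns_sel is not None:
        if not selector_matches(ns_sel, ns_labels.get(src["namespace"], {})):
            return False
        return pod_sel is None or selector_matches(pod_sel, src["labels"])
    if pod_sel is not None:
        return src["namespace"] == policy_ns and selector_matches(pod_sel, src["labels"])
    return False  # ipBlock peers are not modelled

def ingress_allowed(src, dst, policies, ns_labels):
    """Judged from dst's side only. No applying policy = non-isolated = accept
    everything; otherwise accept only what some applying policy lists."""
    applying = [p for p in policies if applies_to(p, dst)
                and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])]
    if not applying:
        return True
    for pol in applying:
        for rule in pol["spec"].get("ingress") or []:
            if "from" not in rule:  # a bare '- {}' rule: any source, internet included
                return True
            if any(peer_matches(peer, src, pol["metadata"]["namespace"], ns_labels)
                   for peer in rule["from"]):
                return True
    return False

def policy(name, ns, pod_selector, ingress):  # same shape as the YAML above
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": name, "namespace": ns},
            "spec": {"podSelector": pod_selector, "policyTypes": ["Ingress"], "ingress": ingress}}

# Constructed sample cluster: two labelled namespaces, four pods, four policies.
NS_LABELS = {"n1": {"networking/namespace": "n1"}, "n2": {"networking/namespace": "n2"}}
DB = {"namespace": "n1", "labels": {"app": "db"}}
WEB = {"namespace": "n1", "labels": {"app": "web", "networking/allow-db-access": "true",
                                     "networking/allow-internet-access": "true"}}
BATCH = {"namespace": "n1", "labels": {"app": "batch"}}
REPORT = {"namespace": "n2", "labels": {"app": "reporting"}}

DEFAULT_DENY = policy("default-deny-all", "n1", {}, [])
ALLOW_DB = policy("allow-db-access", "n1", {"matchLabels": {"app": "db"}}, [{"from": [
    {"podSelector": {"matchLabels": {"networking/allow-db-access": "true"}}}]}])
ALLOW_N2_TO_DB = policy("allow-n2-to-db", "n1", {"matchLabels": {"app": "db"}}, [{"from": [
    {"namespaceSelector": {"matchLabels": {"networking/namespace": "n2"}}}]}])
INTERNET = policy("internet-access", "n1",
                  {"matchLabels": {"networking/allow-internet-access": "true"}}, [{}])

def scenario():
    """The post's twist: deleting allow-db-access only closes db if default-deny keeps it isolated."""
    full = [DEFAULT_DENY, ALLOW_DB, ALLOW_N2_TO_DB, INTERNET]
    return {
        "web->db": ingress_allowed(WEB, DB, full, NS_LABELS),              # True
        "batch->db": ingress_allowed(BATCH, DB, full, NS_LABELS),          # False
        "n2/report->db": ingress_allowed(REPORT, DB, full, NS_LABELS),     # True
        "external->web": ingress_allowed(EXTERNAL, WEB, full, NS_LABELS),  # True
        "external->db": ingress_allowed(EXTERNAL, DB, full, NS_LABELS),    # False
        "batch->db after delete, deny kept": ingress_allowed(BATCH, DB, [DEFAULT_DENY], NS_LABELS),  # False
        "batch->db after delete, no deny": ingress_allowed(BATCH, DB, [], NS_LABELS),  # True
    }
```

The last two entries are the failure mode the default-deny section warns about: the same deletion is harmless when default-deny-all is present and opens the pod to every source when it is not.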
What About New Deployments?

Although explicitly allowing connections in this manner is great for security, this approach does affect usability. When you create new deployments, they will not be able to talk to anything by default until you apply a network policy. To mitigate this potentially frustrating user experience, you could create the following pair of network policies, which allow pods labeled networking/allow-all-connections=true to talk to all other pods in the same namespace:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-from-new
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          networking/allow-all-connections: "true"
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-to-new
spec:
  podSelector:
    matchLabels:
      networking/allow-all-connections: "true"
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector: {}

You can then apply the networking/allow-all-connections=true label to all newly created deployments, so that your application works until you create specially crafted network policies for them, at which point you can remove the label.

Summary

While these recommendations provide a good starting point, network policies are a lot more involved. If you’re interested in exploring them in more detail, be sure to check out the Kubernetes tutorial as well as some handy network policy recipes.

In a future post in this series, we will release an accompanying open-source tool that allows you to easily apply the recommendations in this article as well as some other best practices.

Here at StackRox, we’ve spent a lot of time thinking about how to operationalize network policies. The StackRox Kubernetes Security Platform (/platform/) automatically suggests and can generate network policies that enable just those communications paths your applications need. You can learn more about these capabilities in our network policy enforcement (/policy-enforcement/) discussion.
Note: All the example YAMLs in this article can be downloaded at https://github.com/stackrox/network-policy-examples