Kubernetes / Platform Security Articles

CSI drivers run with broad privileges by design. Their security posture often goes unaudited — until one is the exfil path or the privilege-escalation step.

Native Kubernetes Secrets are visible to anyone with namespace get. External Secrets Operator pulls from your real secret store on schedule, with rotation and audit.

restartPolicy: Always init containers GA'd in 1.29 fix the long-standing init/main race. Bigger security wins for service-mesh and log-shipper deployments.

Confidential Containers move workload isolation from the kernel to the silicon. Encrypted memory, hardware-attested boot, and a different threat model than user namespaces.

userns: true remaps Pod UIDs into a per-Pod range. A container running as root sees uid 0 inside; the host sees an unprivileged user. Big hardening win, easy to enable.

VAP replaces webhook admission for the policies you write most often. No Kyverno, no OPA, no network round-trip, no webhook availability risk.

Gateway API replaces Ingress with a multi-role model that separates infrastructure, cluster operator, and application developer concerns. New surface, new threat model.

Kubernetes orchestrates LLM workloads but has no awareness of what those workloads do. An Ollama pod with healthy readiness probes and stable resource usage can still leak secrets, execute prompt injection, and grant models excessive agency over internal services. This article covers the LLM-specific threat model for Kubernetes and implements an LLM gateway as the policy enforcement layer.

A Kubernetes node is a Linux machine running kubelet, a container runtime, and your workloads.

Multi-tenant GPU sharing without isolation risks data leakage between workloads through shared GPU memory.

GPU compute costs between $2 and $30 per hour per device. A single unauthorised cryptocurrency mining pod running on an A100 for a weekend generates..

Request-count rate limiting fails for LLM workloads because a single request can consume 100K tokens. Token-based rate limiting with per-user quotas and abuse detection prevents runaway costs and catches prompt injection probing before it escalates.

Prevention-only security has a binary failure mode: either the control holds and the attacker is stopped, or the control fails and the attacker...

By default, every pod in a Kubernetes cluster can communicate with every other pod across all namespaces. There are no network boundaries.

Without enforced budgets, a single team can exhaust an organization's entire AI spend in days. Token metering with per-team budgets, automatic request rejection at limits, model routing by cost, and chargeback dashboards turn LLM spending from a surprise into a managed line item.

The kubelet runs on every node in the cluster with root-level access to the container runtime, all pod specifications, mounted secrets, and the host..

RBAC sprawl in multi-team Kubernetes clusters grows past 100 role bindings within months.

Kubernetes Secrets are base64-encoded, not encrypted. Anyone with RBAC read access to secrets in a namespace can decode every credential stored there.

When a traditional application causes an incident, you examine logs, traces, and database queries to reconstruct what happened.

Model inference endpoints are GPU-backed and expensive, $2-30 per hour per GPU. A single unprotected endpoint exposed to the internet can accumulate..

Without admission control, any user with deployment permissions can run privileged containers, mount the host filesystem, use the host network, run...

AI systems leak data in ways traditional applications do not. A language model trained on customer data can reproduce verbatim customer records in...

JupyterHub is a code execution platform. Every notebook cell is arbitrary code running with whatever permissions the notebook server process has.

Kubernetes namespaces provide logical separation, not security isolation. By default, pods in namespace A can send network traffic to pods in...

A single content filter is not a pipeline. Most LLM deployments add one filter (usually on output) and call it done.

Traditional security testing (penetration testing, vulnerability scanning) does not cover AI-specific attack surfaces.

Without image policy enforcement, any container image from any registry can run in a Kubernetes cluster.

Retrieval-Augmented Generation (RAG) adds a knowledge base to LLM applications, the model retrieves relevant documents before generating a response.

Kubernetes SecurityContext has over 15 configurable fields, but most teams only set runAsNonRoot: true and consider the job done.

Vector databases are the backbone of RAG (Retrieval-Augmented Generation) systems.

Deploying a new ML model version is not the same as deploying a new application version.

The API server is the front door to the Kubernetes cluster. Every kubectl command, every controller reconciliation, every pod scheduling decision,...

The default container runtime allows approximately 300 syscalls. A compromised container can use unshare to create new namespaces, clone to spawn...

Kubernetes Secrets are stored in etcd as base64-encoded plaintext. Base64 is an encoding, not encryption.

Deploying an LLM without guardrails is deploying an application where any user can make it say or do anything.

The ingress controller is the internet-facing entry point to a Kubernetes cluster.

Traditional application monitoring (CPU, memory, HTTP status codes, latency) tells you nothing about what an LLM is doing.

Model serving frameworks ship with defaults optimised for development: management APIs exposed on all interfaces without authentication, model files..

Fine-tuning pipelines are high-value targets. They consume expensive GPU hours, process proprietary training data, and produce model checkpoints that...

The Kubernetes scheduler places pods on nodes based on resource availability and basic constraints.

Kubernetes audit logs record every request to the API server: who made the request, what they asked for, and whether it succeeded.

Model files are opaque binaries ranging from 1GB to over 1TB. You cannot code-review a set of weights.

Reinforcement Learning from Human Feedback (RLHF) pipelines introduce unique security surfaces that standard ML training workflows do not have.

AI services have turned API keys into direct spending controls. A leaked OpenAI or Anthropic key can generate thousands of dollars in charges within...

Prompt injection is the SQL injection of AI systems, the most common and most damaging attack class against LLM-powered applications.

AI training clusters frequently share networks with production services. A training job that can reach the production database is one compromised...

LLM-powered applications have unique observability requirements that standard APM tools do not address: token-based cost tracking (not just request...

Model registries are the bridge between training and production. A model pushed to the production registry gets served to users.

Every pod in Kubernetes receives a service account token by default. In clusters running older configurations or without explicit hardening, these...