A production-grade Kubernetes security layer built on OPA Gatekeeper (admission control) and Falco (runtime threat detection). Directly implements controls from CIS Kubernetes Benchmark and NSA/CISA Kubernetes Hardening Guidance.
```
┌─────────────────────────────────────────────────────────────────────┐
│                         kubectl apply / CI                          │
└────────────────────────────────┬────────────────────────────────────┘
                                 │
                                 ▼
┌─────────────────────────────────────────────────────────────────────┐
│                        Kubernetes API Server                        │
│                                                                     │
│   ┌─────────────────────────────────────────────────────────────┐   │
│   │                 Admission Control Pipeline                  │   │
│   │                                                             │   │
│   │   MutatingWebhook                ValidatingWebhook          │   │
│   │   (Gatekeeper mutator)    →      (Gatekeeper validator)     │   │
│   │                                                             │   │
│   │   Evaluates OPA Rego policies against every resource        │   │
│   │   CREATE / UPDATE before it touches etcd                    │   │
│   └─────────────────────────────────────────────────────────────┘   │
│                                                                     │
│   ┌─────────────────────────────────────────────────────────────┐   │
│   │                        Running Pods                         │   │
│   │                                                             │   │
│   │   ┌─────────────────────────────────────────────────────┐   │   │
│   │   │  Falco DaemonSet (one per node)                     │   │   │
│   │   │  Reads Linux kernel syscalls via eBPF probe         │   │   │
│   │   │  Matches against rule engine → alert/log/kill       │   │   │
│   │   └─────────────────────────────────────────────────────┘   │   │
│   └─────────────────────────────────────────────────────────────┘   │
└─────────────────────────────────────────────────────────────────────┘
                                 │
                    ┌────────────┴────────────┐
                    ▼                         ▼
             CloudWatch Logs          Slack / PagerDuty
              (audit trail)           (critical alerts)
```
Admission policies (Gatekeeper constraints), mapped to the CIS Kubernetes Benchmark:

| Policy | CIS Benchmark | Severity |
|---|---|---|
| Deny privileged containers | 5.2.1 | Critical |
| Block host network access | 5.2.4 | High |
| Block host PID namespace | 5.2.2 | High |
| Block host IPC namespace | 5.2.3 | High |
| Require resource limits | 5.2.8 | Medium |
| Require resource requests | 5.2.8 | Medium |
| Deny privilege escalation | 5.2.5 | High |
| Require read-only root filesystem | 5.2.6 | Medium |
| Drop ALL capabilities | 5.2.7 | High |

Runtime detection rules (Falco), mapped to MITRE ATT&CK:

| Rule | MITRE ATT&CK | Severity |
|---|---|---|
| Unexpected process spawned | Execution (T1059) | High |
| Outbound connection to unexpected host | C2 (T1071) | Critical |
| Sensitive file read | Credential Access (T1552) | High |
| Shell spawned in container | Execution (T1059.004) | Critical |
| Package manager run in container | Persistence (T1072) | High |
| Write below /etc in container | Persistence (T1548) | High |
| K8s service account token read | Credential Access (T1528) | High |
| Unexpected network listener | Discovery (T1046) | Medium |
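One way to write the "K8s service account token read" row as a Falco rule, as an added example that is not one of this repo's own rule files. It assumes the chart's default rule set is loaded (it reuses the standard `container` and `open_read` macros), and the `trusted_sa_token_readers` list holds constructed placeholder process names you would replace with the binaries that legitimately read the token in your cluster.

```yaml
# Constructed allowlist: processes expected to read the projected token once
# at startup (in-cluster SDK clients). Replace with your own workload names.
- list: trusted_sa_token_readers
  items: [my-api, my-worker]

- rule: K8s Service Account Token Read
  desc: >
    A process inside a container opened the projected service account token.
    Legitimate in-cluster clients read it once at startup through their SDK;
    an interactive shell or an unexpected binary doing so is a credential
    access signal (MITRE ATT&CK T1528).
  # The token is a projected volume: the real file sits under a timestamped
  # ..data directory, so match the prefix and the /token suffix rather than
  # the literal symlink path.
  condition: >
    open_read and container
    and fd.name startswith /var/run/secrets/kubernetes.io/serviceaccount/
    and fd.name endswith /token
    and not proc.name in (trusted_sa_token_readers)
  output: >
    Service account token read in container
    (user=%user.name proc=%proc.name cmdline=%proc.cmdline parent=%proc.pname
    file=%fd.name container=%container.name image=%container.image.repository
    pod=%k8s.pod.name ns=%k8s.ns.name)
  priority: WARNING
  tags: [credential_access, T1528, k8s]
```

Run a pod that execs `cat /var/run/secrets/kubernetes.io/serviceaccount/token` from a shell to confirm the rule fires before relying on it for alerting.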
Repository layout:

```
.
├── gatekeeper/
│   ├── config/                  # Gatekeeper Config — which resources to audit
│   ├── constraint-templates/    # ConstraintTemplate CRDs (Rego logic lives here)
│   └── constraints/             # Constraint instances (where policies are enforced)
├── falco/
│   ├── config/                  # Falco configuration (falco.yaml, outputs)
│   └── rules/                   # Custom Falco rule files
├── audit/
│   └── audit-policy.yaml        # Kubernetes API audit policy
├── docs/
│   ├── runbook-gatekeeper.md    # How to handle policy violations
│   └── runbook-falco.md         # How to triage Falco alerts
└── .github/
    └── workflows/               # PR validation + scheduled compliance audit
```
Install Gatekeeper:

```bash
helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts
helm repo update
helm upgrade --install gatekeeper gatekeeper/gatekeeper \
  --namespace gatekeeper-system \
  --create-namespace \
  --values gatekeeper/config/helm-values.yaml \
  --wait
```

Apply the policies:

```bash
# Templates must be applied before constraints
kubectl apply -f gatekeeper/constraint-templates/
# Wait for CRDs to be established
kubectl wait --for=condition=established crd \
  --selector=app=gatekeeper \
  --timeout=60s
# Apply constraints (dry-run first in prod)
kubectl apply --dry-run=server -f gatekeeper/constraints/
kubectl apply -f gatekeeper/constraints/
```

Install Falco:

```bash
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update
helm upgrade --install falco falcosecurity/falco \
  --namespace falco \
  --create-namespace \
  --values falco/config/helm-values.yaml \
  --wait
```

Load the custom rules:

```bash
kubectl create configmap falco-custom-rules \
  --from-file=falco/rules/ \
  --namespace falco \
  --dry-run=client -o yaml | kubectl apply -f -
# Restart Falco to pick up new rules
kubectl rollout restart daemonset/falco -n falco
```

Gatekeeper supports three enforcement modes — use dryrun before enabling deny:
| Mode | Behavior | When to Use |
|---|---|---|
| dryrun | Logs violations, never blocks | Initial rollout, new clusters |
| warn | Allows but returns warning | Gradual enforcement |
| deny | Blocks non-compliant resources | Full enforcement (prod) |
All constraints in this repo default to dryrun. Change `enforcementAction` to `deny` environment by environment, after validating that no legitimate workloads are blocked.
Run a full compliance audit against a live cluster:
```bash
# Reads the results of Gatekeeper's periodic audit from each constraint's status
# (note: the audit stores at most constraint-violations-limit entries per
# constraint, 20 by default, so totalViolations can exceed the details listed)
kubectl get constraint -A -o json | jq '
  .items[] |
  {
    name: .metadata.name,
    violations: .status.totalViolations,
    details: [.status.violations[]? | {resource: .name, namespace: .namespace, message: .message}]
  }
  | select(.violations > 0)
'
```

Related repositories:

| Repo | Purpose |
|---|---|
| aws-eks-platform | Terraform — VPC, EKS, IAM |
| gitops-eks-platform | GitOps — ArgoCD workloads |
| k8s-security-platform (this repo) | Security — Gatekeeper + Falco |