Workload Security

Runtime security policies for Kubernetes workloads. Enforce security contexts, restrict dangerous capabilities, control volume mounts, and harden container configurations.

Kyverno policies for hardening Kubernetes workload runtime security beyond the Pod Security Standards.

What’s Covered

  • Security context enforcement — Require non-root users, read-only root filesystems
  • Capability restrictions — Drop all capabilities, allowlist only what’s needed
  • Volume security — Restrict sensitive host path mounts
  • Network security — Enforce endpoint protection and egress controls
  • RBAC restrictions — Prevent over-privileged service account bindings

All workload security policies are available in the Nirmata policy library on GitHub.