Series Overview
This is Part 8 (Final) of the Kubernetes Autoscaling Complete Guide series:
- Part 1: Horizontal Pod Autoscaler - Application-level autoscaling theory
- Part 2: Cluster Autoscaling & Cloud Providers - Infrastructure-level autoscaling
- Part 3: Hands-On HPA Demo - Practical implementation
- Part 4: Monitoring, Alerting & Threshold Tuning - Production observability
- Part 5: VPA & Resource Optimization - Right-sizing strategies
- Part 6: Advanced Autoscaling Patterns - Complex architectures
- Part 7: Production Troubleshooting & War Stories - Real-world incidents
- Part 8 (This Post): Security, Compliance & Governance - Enterprise-grade security
Autoscaling without proper security and governance is a vulnerability multiplier. A misconfigured HPA can scale to thousands of pods, exhausting budgets. Unauthorized VPA modifications can crash production. This final guide establishes enterprise-grade security, compliance frameworks, and governance for Kubernetes autoscaling.
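To make the blast radius concrete, here is a back-of-the-envelope sketch of what a runaway HPA costs if it pins at maxReplicas for a month. The prices and pod sizes are hypothetical placeholders, not any cloud provider's actual rates:

```python
# Back-of-the-envelope blast radius of a misconfigured HPA.
# All prices below are hypothetical placeholders, not real cloud rates.

def worst_case_monthly_cost(max_replicas: int,
                            cpu_per_pod: float,
                            mem_gib_per_pod: float,
                            usd_per_cpu_hour: float = 0.04,
                            usd_per_gib_hour: float = 0.005) -> float:
    """Cost if the HPA pins at maxReplicas for a 730-hour month."""
    hourly = max_replicas * (cpu_per_pod * usd_per_cpu_hour
                             + mem_gib_per_pod * usd_per_gib_hour)
    return hourly * 730

# A fat-fingered maxReplicas of 1000 with 1 CPU / 2 GiB pods:
print(round(worst_case_monthly_cost(1000, 1.0, 2.0)))  # 36500
```

Even at modest per-pod sizes, a four-digit maxReplicas turns into a five-figure monthly bill, which is why the replica-limit policies later in this post exist.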
The Security Challenge
┌────────────────────────────────────────────────────────────────┐
│ AUTOSCALING SECURITY ATTACK SURFACE │
│ │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ THREATS │ │
│ │ │ │
│ │ 1. Unauthorized Scaling │ │
│ │ • Developer scales production to 1000 pods │ │
│ │ • Cost: $50,000/month unexpected │ │
│ │ │ │
│ │ 2. Resource Exhaustion Attack │ │
│ │ • Malicious HPA maxReplicas: 10000 │ │
│ │ • Cluster overwhelmed, legitimate workloads starve │ │
│ │ │ │
│ │ 3. Privilege Escalation via VPA │ │
│ │ • VPA grants excessive CPU/memory │ │
│ │ • Pod escapes resource limits │ │
│ │ │ │
│ │ 4. Compliance Violations │ │
│ │ • PCI workload auto-scales to non-compliant zone │ │
│ │ • Audit logs missing autoscaling decisions │ │
│ │ │ │
│ │ 5. Data Exposure │ │
│ │ • Autoscaled pod in wrong namespace │ │
│ │ • Sensitive data accessed by unauthorized pod │ │
│ └──────────────────────────────────────────────────────────┘ │
└────────────────────────────────────────────────────────────────┘
Part 1: RBAC for Autoscaling
Principle of Least Privilege
┌────────────────────────────────────────────────────────────┐
│ RBAC HIERARCHY │
│ │
│ Cluster Admin │
│ ↓ │
│ Platform Team (manage autoscaling infrastructure) │
│ ↓ │
│ SRE Team (view & modify autoscaling in all namespaces) │
│ ↓ │
│ Team Lead (modify autoscaling in team namespace) │
│ ↓ │
│ Developer (view autoscaling in team namespace) │
│ ↓ │
│ Application (ServiceAccount with minimal permissions) │
└────────────────────────────────────────────────────────────┘
Role Definitions
1. Cluster Admin (Full Control)
# Cluster-wide autoscaling admin
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: autoscaling-admin
  labels:
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
# HPA permissions
- apiGroups: ["autoscaling"]
  resources: ["horizontalpodautoscalers"]
  verbs: ["*"]

# VPA permissions
- apiGroups: ["autoscaling.k8s.io"]
  resources: ["verticalpodautoscalers"]
  verbs: ["*"]

# KEDA permissions
- apiGroups: ["keda.sh"]
  resources: ["scaledobjects", "scaledjobs", "triggerauthentications", "clustertriggerauthentications"]
  verbs: ["*"]

# Cluster Autoscaler config
# (list/watch cannot be restricted by resourceNames, so only get/update here)
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["cluster-autoscaler-status"]
  verbs: ["get", "update"]

# Karpenter permissions
- apiGroups: ["karpenter.sh"]
  resources: ["nodepools", "nodeclaims"]
  verbs: ["*"]

- apiGroups: ["karpenter.k8s.aws"]
  resources: ["ec2nodeclasses"]
  verbs: ["*"]

# Metrics (for debugging)
- apiGroups: ["metrics.k8s.io"]
  resources: ["pods", "nodes"]
  verbs: ["get", "list"]

---
# Bind to platform team
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: platform-team-autoscaling-admin
subjects:
- kind: Group
  name: platform-team
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: autoscaling-admin
  apiGroup: rbac.authorization.k8s.io
2. SRE Team (View + Modify in All Namespaces)
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: autoscaling-operator
rules:
# HPA management
- apiGroups: ["autoscaling"]
  resources: ["horizontalpodautoscalers"]
  verbs: ["get", "list", "watch", "update", "patch"]

# VPA view-only (modifications require approval)
- apiGroups: ["autoscaling.k8s.io"]
  resources: ["verticalpodautoscalers"]
  verbs: ["get", "list", "watch"]

# KEDA view
- apiGroups: ["keda.sh"]
  resources: ["scaledobjects", "scaledjobs"]
  verbs: ["get", "list", "watch"]

# View deployments/statefulsets (for context)
- apiGroups: ["apps"]
  resources: ["deployments", "statefulsets", "replicasets"]
  verbs: ["get", "list", "watch"]

# View pods and nodes
- apiGroups: [""]
  resources: ["pods", "nodes"]
  verbs: ["get", "list", "watch"]

# Metrics access
- apiGroups: ["metrics.k8s.io"]
  resources: ["pods", "nodes"]
  verbs: ["get", "list"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: sre-team-autoscaling-operator
subjects:
- kind: Group
  name: sre-team
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: autoscaling-operator
  apiGroup: rbac.authorization.k8s.io
3. Team Lead (Namespace-Scoped)
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: autoscaling-manager
  namespace: team-a
rules:
# HPA management within namespace
- apiGroups: ["autoscaling"]
  resources: ["horizontalpodautoscalers"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

# VPA management with restrictions (via admission webhook)
- apiGroups: ["autoscaling.k8s.io"]
  resources: ["verticalpodautoscalers"]
  verbs: ["get", "list", "watch", "create", "update", "patch"]

# KEDA management
- apiGroups: ["keda.sh"]
  resources: ["scaledobjects", "triggerauthentications"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

# View workloads
- apiGroups: ["apps"]
  resources: ["deployments", "statefulsets"]
  verbs: ["get", "list", "watch"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-lead-autoscaling-manager
  namespace: team-a
subjects:
- kind: User
  name: alice@example.com
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: autoscaling-manager
  apiGroup: rbac.authorization.k8s.io
4. Developer (View-Only)
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: autoscaling-viewer
  namespace: team-a
rules:
# View HPA
- apiGroups: ["autoscaling"]
  resources: ["horizontalpodautoscalers"]
  verbs: ["get", "list", "watch"]

# View VPA
- apiGroups: ["autoscaling.k8s.io"]
  resources: ["verticalpodautoscalers"]
  verbs: ["get", "list", "watch"]

# View KEDA
- apiGroups: ["keda.sh"]
  resources: ["scaledobjects", "scaledjobs"]
  verbs: ["get", "list", "watch"]

# View metrics
- apiGroups: ["metrics.k8s.io"]
  resources: ["pods"]
  verbs: ["get", "list"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: developers-autoscaling-viewer
  namespace: team-a
subjects:
- kind: Group
  name: developers
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: autoscaling-viewer
  apiGroup: rbac.authorization.k8s.io
5. Service Account (Application)
---
# Minimal permissions for application pod
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-app
  namespace: production
automountServiceAccountToken: true

---
# No autoscaling permissions by default
# Applications should NOT modify their own autoscaling
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: my-app-role
  namespace: production
rules:
# Only allow reading own pod info
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list"]
  # Restrict to own pod
  resourceNames: [] # Enforced by admission controller

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: my-app-binding
  namespace: production
subjects:
- kind: ServiceAccount
  name: my-app
  namespace: production
roleRef:
  kind: Role
  name: my-app-role
  apiGroup: rbac.authorization.k8s.io
Special Use Case: CI/CD Pipeline
---
# ServiceAccount for CI/CD to update HPA during deployments
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cicd-deployer
  namespace: production

---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cicd-autoscaling-deployer
  namespace: production
rules:
# Allow creating/updating HPA during deployment
- apiGroups: ["autoscaling"]
  resources: ["horizontalpodautoscalers"]
  verbs: ["get", "list", "create", "update", "patch"]

# Allow updating VPA (but not deleting)
- apiGroups: ["autoscaling.k8s.io"]
  resources: ["verticalpodautoscalers"]
  verbs: ["get", "list", "create", "update", "patch"]

# Manage deployments
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "update", "patch"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cicd-autoscaling-deployer-binding
  namespace: production
subjects:
- kind: ServiceAccount
  name: cicd-deployer
  namespace: production
roleRef:
  kind: Role
  name: cicd-autoscaling-deployer
  apiGroup: rbac.authorization.k8s.io
Part 2: Policy Enforcement with OPA/Gatekeeper
Install Gatekeeper
# Install Gatekeeper
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/release-3.14/deploy/gatekeeper.yaml

# Verify installation
kubectl get pods -n gatekeeper-system

# Check CRDs
kubectl get crd | grep gatekeeper
Policy 1: Enforce HPA Replica Limits
Constraint Template:
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8shpareplicalimits
  annotations:
    description: "Enforces minimum and maximum replica limits for HPAs"
spec:
  crd:
    spec:
      names:
        kind: K8sHpaReplicaLimits
      validation:
        openAPIV3Schema:
          type: object
          properties:
            minReplicas:
              type: integer
              description: "Minimum allowed minReplicas"
            maxReplicas:
              type: integer
              description: "Maximum allowed maxReplicas"
            maxReplicasPerNamespace:
              type: integer
              description: "Maximum total replicas across all HPAs in namespace (admission sees one object at a time, so enforcing this requires Gatekeeper audit with replicated data)"

  targets:
  - target: admission.k8s.gatekeeper.sh
    rego: |
      package k8shpareplicalimits

      violation[{"msg": msg}] {
        input.review.kind.kind == "HorizontalPodAutoscaler"
        hpa := input.review.object.spec

        # Check minReplicas
        hpa.minReplicas < input.parameters.minReplicas
        msg := sprintf("HPA minReplicas (%v) is below the allowed minimum (%v)", [hpa.minReplicas, input.parameters.minReplicas])
      }

      violation[{"msg": msg}] {
        input.review.kind.kind == "HorizontalPodAutoscaler"
        hpa := input.review.object.spec

        # Check maxReplicas
        hpa.maxReplicas > input.parameters.maxReplicas
        msg := sprintf("HPA maxReplicas (%v) exceeds the allowed maximum (%v)", [hpa.maxReplicas, input.parameters.maxReplicas])
      }

      violation[{"msg": msg}] {
        input.review.kind.kind == "HorizontalPodAutoscaler"
        hpa := input.review.object.spec

        # Check maxReplicas/minReplicas ratio
        ratio := hpa.maxReplicas / hpa.minReplicas
        ratio > 10
        msg := sprintf("HPA maxReplicas/minReplicas ratio (%v) exceeds 10x", [ratio])
      }
Constraint Instance:
---
# Apply limits to production namespace
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHpaReplicaLimits
metadata:
  name: production-hpa-limits
spec:
  match:
    kinds:
    - apiGroups: ["autoscaling"]
      kinds: ["HorizontalPodAutoscaler"]
    namespaces:
    - production
  parameters:
    minReplicas: 2                # At least 2 replicas
    maxReplicas: 100              # Max 100 replicas
    maxReplicasPerNamespace: 500  # Total across all HPAs

---
# More permissive for staging
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHpaReplicaLimits
metadata:
  name: staging-hpa-limits
spec:
  match:
    kinds:
    - apiGroups: ["autoscaling"]
      kinds: ["HorizontalPodAutoscaler"]
    namespaces:
    - staging
  parameters:
    minReplicas: 1
    maxReplicas: 50
Policy 2: Enforce VPA Resource Boundaries
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8svparesourcelimits
spec:
  crd:
    spec:
      names:
        kind: K8sVpaResourceLimits
      validation:
        openAPIV3Schema:
          type: object
          properties:
            maxCpu:
              type: string
            maxMemory:
              type: string

  targets:
  - target: admission.k8s.gatekeeper.sh
    rego: |
      package k8svparesourcelimits

      violation[{"msg": msg}] {
        input.review.kind.kind == "VerticalPodAutoscaler"
        vpa := input.review.object.spec

        # Check each container policy
        container := vpa.resourcePolicy.containerPolicies[_]

        # Parse CPU limits
        maxCpu := parse_cpu(container.maxAllowed.cpu)
        allowedMaxCpu := parse_cpu(input.parameters.maxCpu)

        maxCpu > allowedMaxCpu
        msg := sprintf("VPA maxAllowed CPU (%v) exceeds limit (%v)", [container.maxAllowed.cpu, input.parameters.maxCpu])
      }

      violation[{"msg": msg}] {
        input.review.kind.kind == "VerticalPodAutoscaler"
        vpa := input.review.object.spec

        container := vpa.resourcePolicy.containerPolicies[_]

        # Parse memory limits
        maxMemory := parse_memory(container.maxAllowed.memory)
        allowedMaxMemory := parse_memory(input.parameters.maxMemory)

        maxMemory > allowedMaxMemory
        msg := sprintf("VPA maxAllowed memory (%v) exceeds limit (%v)", [container.maxAllowed.memory, input.parameters.maxMemory])
      }

      # Helper functions
      parse_cpu(cpu) = value {
        # Millicores (e.g. "500m")
        endswith(cpu, "m")
        value := to_number(trim_suffix(cpu, "m"))
      }

      parse_cpu(cpu) = value {
        # Whole cores to millicores (e.g. "2")
        not endswith(cpu, "m")
        value := to_number(cpu) * 1000
      }

      parse_memory(mem) = value {
        # Gibibytes to bytes
        endswith(mem, "Gi")
        value := to_number(trim_suffix(mem, "Gi")) * 1024 * 1024 * 1024
      }

      parse_memory(mem) = value {
        # Mebibytes to bytes
        endswith(mem, "Mi")
        value := to_number(trim_suffix(mem, "Mi")) * 1024 * 1024
      }

---
# Apply VPA limits
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sVpaResourceLimits
metadata:
  name: vpa-resource-limits
spec:
  match:
    kinds:
    - apiGroups: ["autoscaling.k8s.io"]
      kinds: ["VerticalPodAutoscaler"]
  parameters:
    maxCpu: "16"        # Max 16 cores
    maxMemory: "64Gi"   # Max 64 GiB
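Before shipping a template like this, it helps to sanity-check the quantity math outside the cluster. A small Python mirror of the parse_cpu/parse_memory helpers above (handling only the suffixes the policy handles) lets you unit-test thresholds locally:

```python
# Python mirror of the Rego quantity helpers, for unit-testing policy
# thresholds before deploying the ConstraintTemplate.
# Only the suffixes the Rego handles (m, whole cores, Mi, Gi) are supported.

def parse_cpu(cpu: str) -> float:
    """Kubernetes CPU quantity -> millicores."""
    if cpu.endswith("m"):
        return float(cpu[:-1])
    return float(cpu) * 1000

def parse_memory(mem: str) -> int:
    """Kubernetes memory quantity (Mi/Gi) -> bytes."""
    if mem.endswith("Gi"):
        return int(float(mem[:-2]) * 1024**3)
    if mem.endswith("Mi"):
        return int(float(mem[:-2]) * 1024**2)
    raise ValueError(f"unsupported suffix: {mem}")

# "16" cores is 16000 millicores, so a VPA maxAllowed of "500m" passes:
assert parse_cpu("500m") < parse_cpu("16")
assert parse_memory("64Gi") == 64 * 1024**3
```

This catches the classic mistake of comparing "16" (cores) against "500m" (millicores) without normalizing units first.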
Policy 3: Require Resource Requests for HPA
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8shparequiresresourcerequests
spec:
  crd:
    spec:
      names:
        kind: K8sHpaRequiresResourceRequests

  targets:
  - target: admission.k8s.gatekeeper.sh
    rego: |
      package k8shparequiresresourcerequests

      violation[{"msg": msg}] {
        input.review.kind.kind == "HorizontalPodAutoscaler"
        hpa := input.review.object

        # Only applies when a CPU resource metric is used
        some i
        hpa.spec.metrics[i].type == "Resource"
        hpa.spec.metrics[i].resource.name == "cpu"

        # Look up the target Deployment via Gatekeeper's replicated data
        # (requires a Config resource syncing apps/v1 Deployments into data.inventory)
        target := data.inventory.namespace[hpa.metadata.namespace]["apps/v1"]["Deployment"][hpa.spec.scaleTargetRef.name]

        # Violation if any container in the target lacks a CPU request
        container := target.spec.template.spec.containers[_]
        not container.resources.requests.cpu

        msg := sprintf("HPA %v uses a CPU metric but container %v in target %v has no CPU request", [hpa.metadata.name, container.name, hpa.spec.scaleTargetRef.name])
      }

---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHpaRequiresResourceRequests
metadata:
  name: hpa-requires-requests
spec:
  match:
    kinds:
    - apiGroups: ["autoscaling"]
      kinds: ["HorizontalPodAutoscaler"]
Policy 4: Enforce Namespace Quotas
# ResourceQuota for autoscaling
---
apiVersion: v1
kind: ResourceQuota
metadata:
  name: autoscaling-quota
  namespace: team-a
spec:
  hard:
    # Limit number of autoscaling objects
    count/horizontalpodautoscalers.autoscaling: "20"
    count/verticalpodautoscalers.autoscaling.k8s.io: "10"

    # Total resource limits across all pods
    limits.cpu: "100"
    limits.memory: "200Gi"
    requests.cpu: "50"
    requests.memory: "100Gi"

    # Pod count limits (affects HPA max)
    pods: "500"

---
# LimitRange to set defaults
apiVersion: v1
kind: LimitRange
metadata:
  name: autoscaling-limits
  namespace: team-a
spec:
  limits:
  - max:
      cpu: "8"
      memory: "16Gi"
    min:
      cpu: "100m"
      memory: "128Mi"
    type: Container

  - max:
      cpu: "16"
      memory: "32Gi"
    type: Pod
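The quota and HPA limits interact: an HPA whose maxReplicas times per-pod requests exceeds the namespace quota will stall at the quota boundary, not at maxReplicas. A quick sketch for checking the worst case before it bites (per-pod numbers here are illustrative, quota defaults mirror the team-a ResourceQuota above):

```python
# Sanity check (sketch): does an HPA at maxReplicas fit the namespace quota?
# Quota defaults mirror the team-a ResourceQuota above; per-pod requests
# are illustrative.

def fits_quota(max_replicas: int,
               cpu_request_per_pod: float,
               mem_gib_per_pod: float,
               quota_cpu: float = 50,
               quota_mem_gib: float = 100,
               quota_pods: int = 500) -> bool:
    """True if worst-case scale-out stays within requests.* and pod quotas."""
    return (max_replicas * cpu_request_per_pod <= quota_cpu
            and max_replicas * mem_gib_per_pod <= quota_mem_gib
            and max_replicas <= quota_pods)

# 100 replicas of a 0.5 CPU / 1 GiB pod fits; 200 replicas busts the CPU quota.
print(fits_quota(100, 0.5, 1.0))  # True
print(fits_quota(200, 0.5, 1.0))  # False
```

Running a check like this in CI keeps HPAs and quotas from silently disagreeing about the real scaling ceiling.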
Part 3: Multi-Tenancy Patterns
Pattern 1: Namespace Isolation
# Namespace with strict boundaries
# (Pod Security Standards labels merged into the same manifest)
---
apiVersion: v1
kind: Namespace
metadata:
  name: tenant-a
  labels:
    tenant: tenant-a
    environment: production
    compliance: pci-dss
    # Pod Security Standards
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted

---
# Network Policy: deny all ingress and egress by default
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: tenant-a
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress

---
# ResourceQuota per tenant
apiVersion: v1
kind: ResourceQuota
metadata:
  name: tenant-a-quota
  namespace: tenant-a
spec:
  hard:
    requests.cpu: "50"
    requests.memory: "100Gi"
    limits.cpu: "100"
    limits.memory: "200Gi"
    pods: "500"
    count/horizontalpodautoscalers.autoscaling: "20"
Pattern 2: Node Isolation
# Dedicated node pool for tenant
---
apiVersion: v1
kind: Node
metadata:
  name: node-tenant-a-1
  labels:
    tenant: tenant-a
    node-pool: tenant-a-dedicated
spec:
  taints:
  - key: tenant
    value: tenant-a
    effect: NoSchedule

---
# Karpenter NodePool for tenant
apiVersion: karpenter.sh/v1beta1
kind: NodePool
metadata:
  name: tenant-a-pool
spec:
  template:
    metadata:
      labels:
        tenant: tenant-a
    spec:
      requirements:
      - key: tenant
        operator: In
        values: ["tenant-a"]

      taints:
      - key: tenant
        value: tenant-a
        effect: NoSchedule

      nodeClassRef:
        name: tenant-a-nodes

  limits:
    cpu: "100"
    memory: "200Gi"

---
# Tenant workload with affinity
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tenant-a-app
  namespace: tenant-a
spec:
  template:
    spec:
      # Force scheduling on tenant nodes
      nodeSelector:
        tenant: tenant-a

      tolerations:
      - key: tenant
        value: tenant-a
        effect: NoSchedule

      # Anti-affinity to spread across nodes
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchExpressions:
              - key: app
                operator: In
                values: ["tenant-a-app"]
            topologyKey: kubernetes.io/hostname
Pattern 3: Hierarchical Namespaces (HNC)
# Requires the Hierarchical Namespace Controller (HNC) to be installed
---
apiVersion: v1
kind: Namespace
metadata:
  name: organization-a

---
# Parent namespace with autoscaling policies
apiVersion: hnc.x-k8s.io/v1alpha2
kind: HierarchyConfiguration
metadata:
  name: hierarchy
  namespace: organization-a
spec:
  parent: "" # Root namespace

---
# Child namespace inherits policies
apiVersion: v1
kind: Namespace
metadata:
  name: org-a-team-1
  labels:
    organization: organization-a

---
apiVersion: hnc.x-k8s.io/v1alpha2
kind: HierarchyConfiguration
metadata:
  name: hierarchy
  namespace: org-a-team-1
spec:
  parent: organization-a

---
# HNC propagates Roles and RoleBindings in a parent namespace
# to all descendant namespaces by default
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: org-a-autoscaling-policy
  namespace: organization-a
subjects:
- kind: Group
  name: org-a-admins
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: autoscaling-manager
  apiGroup: rbac.authorization.k8s.io
Part 4: Compliance Frameworks
PCI-DSS Compliance
Requirements for Autoscaling:
# 1. Requirement 2.2: Secure configurations
---
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: pcidssautoscalingsecurity
spec:
  crd:
    spec:
      names:
        kind: PciDssAutoscalingSecurity

  targets:
  - target: admission.k8s.gatekeeper.sh
    rego: |
      package pcidssautoscalingsecurity

      violation[{"msg": msg}] {
        input.review.kind.kind == "HorizontalPodAutoscaler"
        hpa := input.review.object

        # Check if in PCI namespace
        input.review.namespace == "pci-workloads"

        # Ensure minimum 2 replicas (high availability)
        hpa.spec.minReplicas < 2
        msg := "PCI-DSS: minReplicas must be at least 2 for high availability"
      }

      violation[{"msg": msg}] {
        input.review.kind.kind == "Deployment"
        deployment := input.review.object

        # PCI workloads must be in specific zones
        input.review.namespace == "pci-workloads"

        not deployment.spec.template.spec.nodeSelector["compliance-zone"]
        msg := "PCI-DSS: Workloads must run in compliance-certified zones"
      }

---
# 2. Requirement 10: Audit logging
# (referenced via the API server's --audit-policy-file flag, not applied with kubectl)
apiVersion: audit.k8s.io/v1
kind: Policy
metadata:
  name: autoscaling-audit-policy
rules:
# Log all autoscaling changes
- level: RequestResponse
  omitStages:
  - RequestReceived
  resources:
  - group: "autoscaling"
    resources: ["horizontalpodautoscalers"]
  - group: "autoscaling.k8s.io"
    resources: ["verticalpodautoscalers"]
  - group: "keda.sh"
    resources: ["scaledobjects", "scaledjobs"]

# Log all scaling events
- level: Metadata
  resources:
  - group: ""
    resources: ["events"]
  namespaces: ["pci-workloads"]

---
# 3. Requirement 7: Access control
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pci-autoscaling-restricted
  namespace: pci-workloads
rules:
# Read-only for most users
- apiGroups: ["autoscaling"]
  resources: ["horizontalpodautoscalers"]
  verbs: ["get", "list", "watch"]

# No VPA modifications in PCI namespace
- apiGroups: ["autoscaling.k8s.io"]
  resources: ["verticalpodautoscalers"]
  verbs: ["get", "list", "watch"]

---
# 4. PCI-compliant namespace
apiVersion: v1
kind: Namespace
metadata:
  name: pci-workloads
  labels:
    compliance: pci-dss
    security-level: high
    audit: enabled
HIPAA Compliance
# HIPAA-compliant autoscaling
---
# 1. Encryption in transit and at rest
apiVersion: v1
kind: Namespace
metadata:
  name: hipaa-workloads
  labels:
    compliance: hipaa
    encryption: required
  annotations:
    # Enforce mTLS via service mesh
    linkerd.io/inject: enabled

---
# 2. Node pool with encryption
apiVersion: karpenter.sh/v1beta1
kind: NodePool
metadata:
  name: hipaa-nodes
spec:
  template:
    spec:
      requirements:
      - key: compliance
        operator: In
        values: ["hipaa"]

      nodeClassRef:
        name: hipaa-encrypted

---
apiVersion: karpenter.k8s.aws/v1beta1
kind: EC2NodeClass
metadata:
  name: hipaa-encrypted
spec:
  amiFamily: AL2
  role: KarpenterNodeRole-hipaa

  blockDeviceMappings:
  - deviceName: /dev/xvda
    ebs:
      volumeSize: 100Gi
      volumeType: gp3
      encrypted: true   # HIPAA: Encryption at rest
      kmsKeyID: "arn:aws:kms:us-east-1:123456789:key/abcd-1234"
      deleteOnTermination: true

  metadataOptions:
    httpTokens: required   # HIPAA: Secure metadata access (IMDSv2)

  userData: |
    #!/bin/bash
    # HIPAA: Audit logging
    auditctl -w /etc/kubernetes -p wa -k kubernetes_config

---
# 3. HPA policy for HIPAA workloads
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHpaReplicaLimits
metadata:
  name: hipaa-hpa-limits
spec:
  match:
    kinds:
    - apiGroups: ["autoscaling"]
      kinds: ["HorizontalPodAutoscaler"]
    namespaces:
    - hipaa-workloads
  parameters:
    minReplicas: 3   # HIPAA: High availability
    maxReplicas: 50

---
# 4. Data residency constraint
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: hipaadataresidency
spec:
  crd:
    spec:
      names:
        kind: HipaaDataResidency

  targets:
  - target: admission.k8s.gatekeeper.sh
    rego: |
      package hipaadataresidency

      import future.keywords.in

      violation[{"msg": msg}] {
        input.review.kind.kind in ["Deployment", "StatefulSet"]
        input.review.namespace == "hipaa-workloads"

        # Must specify allowed regions
        not input.review.object.spec.template.spec.nodeSelector["topology.kubernetes.io/region"]

        msg := "HIPAA: Workloads must specify allowed regions for data residency"
      }

---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: HipaaDataResidency
metadata:
  name: hipaa-data-residency
spec:
  match:
    kinds:
    - apiGroups: ["apps"]
      kinds: ["Deployment", "StatefulSet"]
    namespaces:
    - hipaa-workloads
SOC 2 Compliance
# SOC 2 compliance for autoscaling
---
# 1. Change management process
apiVersion: v1
kind: ConfigMap
metadata:
  name: autoscaling-change-policy
  namespace: compliance
data:
  policy.yaml: |
    # All autoscaling changes require:
    # 1. Peer review (enforced by Git)
    # 2. Approval from team lead
    # 3. Testing in staging
    # 4. Audit log entry

---
# 2. Audit logging to external system
apiVersion: v1
kind: ConfigMap
metadata:
  name: audit-webhook-config
  namespace: kube-system
data:
  webhook.yaml: |
    apiVersion: v1
    kind: Config
    clusters:
    - name: audit-sink
      cluster:
        server: https://audit-collector.example.com/k8s-audit
        certificate-authority: /etc/audit/ca.crt
    users:
    - name: audit-sink
      user:
        client-certificate: /etc/audit/client.crt
        client-key: /etc/audit/client.key
    contexts:
    - context:
        cluster: audit-sink
        user: audit-sink
      name: default-context
    current-context: default-context

---
# 3. Monitoring and alerting
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: soc2-autoscaling-compliance
  namespace: monitoring
spec:
  groups:
  - name: soc2-compliance
    interval: 1m
    rules:
    # Alert on unauthorized changes (note the regex matchers: =~ and !~)
    - alert: UnauthorizedAutoscalingChange
      expr: |
        increase(apiserver_audit_event_total{
          verb=~"create|update|delete",
          objectRef_resource=~"horizontalpodautoscalers|verticalpodautoscalers",
          user_username!~"system:.*|approved-users"
        }[5m]) > 0
      labels:
        severity: critical
        compliance: soc2
      annotations:
        summary: "Unauthorized autoscaling modification detected"
        description: "User {{ $labels.user_username }} modified autoscaling without authorization"

    # Alert on excessive scaling
    # (replica count is a gauge, so use delta, not rate; threshold is a tunable example)
    - alert: ExcessiveScaling
      expr: |
        delta(kube_horizontalpodautoscaler_status_current_replicas[5m]) > 10
      for: 10m
      labels:
        severity: warning
        compliance: soc2
      annotations:
        summary: "Excessive autoscaling activity detected"

---
# 4. Separation of duties
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: autoscaling-approver
rules:
# Approvers can only approve, not create
- apiGroups: ["autoscaling"]
  resources: ["horizontalpodautoscalers"]
  verbs: ["get", "list", "watch"]

- apiGroups: ["autoscaling"]
  resources: ["horizontalpodautoscalers/status"]
  verbs: ["update", "patch"]
Part 5: Audit Logging and Forensics
Comprehensive Audit Policy
# Referenced via the API server's --audit-policy-file flag
apiVersion: audit.k8s.io/v1
kind: Policy
metadata:
  name: comprehensive-audit-policy
rules:
# 1. Log all autoscaling object changes
- level: RequestResponse
  omitStages:
  - RequestReceived
  resources:
  - group: "autoscaling"
    resources: ["horizontalpodautoscalers"]
  - group: "autoscaling.k8s.io"
    resources: ["verticalpodautoscalers"]
  - group: "keda.sh"
    resources: ["scaledobjects", "scaledjobs", "triggerauthentications"]
  - group: "karpenter.sh"
    resources: ["nodepools", "nodeclaims"]

# 2. Log scaling events
- level: Metadata
  resources:
  - group: ""
    resources: ["events"]
  namespaces: ["production", "staging"]

# 3. Log deployment changes (related to autoscaling)
- level: Request
  verbs: ["update", "patch"]
  resources:
  - group: "apps"
    resources: ["deployments", "statefulsets"]
  namespaces: ["production"]

# 4. Log node changes (cluster autoscaling)
- level: Metadata
  resources:
  - group: ""
    resources: ["nodes"]

# 5. Log ConfigMap changes (autoscaler configs)
- level: RequestResponse
  resources:
  - group: ""
    resources: ["configmaps"]
    resourceNames:
    - cluster-autoscaler-status
    - karpenter-global-settings
  namespaces: ["kube-system"]

# 6. Log RBAC changes for autoscaling
- level: RequestResponse
  verbs: ["create", "update", "patch", "delete"]
  resources:
  - group: "rbac.authorization.k8s.io"
    resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]
  omitManagedFields: true

# 7. Exclude noisy read-only operations
- level: None
  verbs: ["get", "list", "watch"]
  resources:
  - group: ""
    resources: ["pods", "services"]
Audit Log Aggregation
# Fluentd for audit log shipping
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: fluentd-audit-config
  namespace: kube-system
data:
  fluent.conf: |
    # Read audit logs
    <source>
      @type tail
      path /var/log/kubernetes/kube-apiserver-audit.log
      pos_file /var/log/fluentd-audit.pos
      tag k8s-audit
      <parse>
        @type json
        time_key timestamp
        time_format %Y-%m-%dT%H:%M:%S.%N%z
      </parse>
    </source>

    # Filter for autoscaling events
    <filter k8s-audit>
      @type grep
      <regexp>
        key $.objectRef.resource
        pattern /horizontalpodautoscalers|verticalpodautoscalers|scaledobjects|nodepools/
      </regexp>
    </filter>

    # Enrich with metadata
    <filter k8s-audit>
      @type record_transformer
      enable_ruby true
      <record>
        cluster_name "#{ENV['CLUSTER_NAME']}"
        environment "#{ENV['ENVIRONMENT']}"
        timestamp_unix ${Time.parse(record['timestamp']).to_i}
      </record>
    </filter>

    # Ship to multiple destinations
    <match k8s-audit>
      @type copy

      # Elasticsearch for search
      <store>
        @type elasticsearch
        host elasticsearch.logging.svc
        port 9200
        index_name k8s-audit-%Y%m%d
        type_name audit
      </store>

      # S3 for long-term retention
      <store>
        @type s3
        s3_bucket compliance-audit-logs
        s3_region us-east-1
        path k8s-audit/%Y/%m/%d/
        time_slice_format %Y%m%d%H
        <buffer>
          @type file
          path /var/log/fluentd-s3-buffer/
          timekey 3600
          timekey_wait 10m
        </buffer>
      </store>

      # Splunk for SOC
      <store>
        @type splunk_hec
        host splunk.example.com
        port 8088
        token "#{ENV['SPLUNK_HEC_TOKEN']}"
        source k8s-audit
        sourcetype _json
      </store>
    </match>

---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: fluentd-audit
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app: fluentd-audit
  template:
    metadata:
      labels:
        app: fluentd-audit
    spec:
      serviceAccountName: fluentd
      containers:
      - name: fluentd
        image: fluent/fluentd-kubernetes-daemonset:v1-debian-elasticsearch
        env:
        - name: CLUSTER_NAME
          value: production-cluster
        - name: ENVIRONMENT
          value: production
        - name: SPLUNK_HEC_TOKEN
          valueFrom:
            secretKeyRef:
              name: splunk-credentials
              key: hec-token
        volumeMounts:
        - name: audit-logs
          mountPath: /var/log/kubernetes
          readOnly: true
        - name: config
          mountPath: /fluentd/etc
      volumes:
      - name: audit-logs
        hostPath:
          path: /var/log/kubernetes
      - name: config
        configMap:
          name: fluentd-audit-config
Forensics Queries
#!/bin/bash
# forensics-queries.sh - Common audit queries

# 1. Who scaled what and when?
kubectl logs -n kube-system -l component=kube-apiserver | \
  jq -r 'select(.objectRef.resource == "horizontalpodautoscalers" and .verb == "update") |
    "\(.requestReceivedTimestamp) | User: \(.user.username) | Namespace: \(.objectRef.namespace) | HPA: \(.objectRef.name)"'

# 2. Find unauthorized scaling attempts
kubectl logs -n kube-system -l component=kube-apiserver | \
  jq -r 'select(.objectRef.resource == "horizontalpodautoscalers" and .responseStatus.code >= 400) |
    "\(.requestReceivedTimestamp) | User: \(.user.username) | Action: \(.verb) | Status: \(.responseStatus.code) | Reason: \(.responseStatus.reason)"'

# 3. Track VPA modifications
kubectl logs -n kube-system -l component=kube-apiserver | \
  jq -r 'select(.objectRef.resource == "verticalpodautoscalers" and (.verb | IN("create", "update", "patch", "delete"))) |
    "\(.requestReceivedTimestamp) | User: \(.user.username) | Verb: \(.verb) | VPA: \(.objectRef.namespace)/\(.objectRef.name)"'

# 4. Find expensive scaling events (requires audit level RequestResponse so requestObject is recorded)
kubectl logs -n kube-system -l component=kube-apiserver | \
  jq -r 'select(.objectRef.resource == "horizontalpodautoscalers") |
    select(.requestObject.spec.maxReplicas > 100) |
    "\(.requestReceivedTimestamp) | User: \(.user.username) | HPA: \(.objectRef.name) | MaxReplicas: \(.requestObject.spec.maxReplicas)"'

# 5. Compliance report: all autoscaling changes in last 24h
kubectl logs -n kube-system -l component=kube-apiserver --since=24h | \
  jq -r 'select(.objectRef.resource | IN("horizontalpodautoscalers", "verticalpodautoscalers")) |
    select(.verb | IN("create", "update", "patch", "delete")) |
    [.requestReceivedTimestamp, .user.username, .verb, .objectRef.resource, .objectRef.namespace, .objectRef.name, .responseStatus.code] |
    @csv' > compliance-report.csv
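Before pointing these queries at a production cluster, the jq filters can be sanity-checked locally against a canned event (assuming `jq` is installed; the event below is fabricated to match the fields of the Kubernetes audit v1 schema that the queries select on):

```shell
# Fabricated audit event with the fields query #1 selects on
event='{"requestReceivedTimestamp":"2024-01-01T00:00:00Z","verb":"update","user":{"username":"alice"},"objectRef":{"resource":"horizontalpodautoscalers","namespace":"prod","name":"web-hpa"}}'

# Apply the "who scaled what and when" filter to the sample event
line=$(echo "$event" | jq -r 'select(.objectRef.resource == "horizontalpodautoscalers" and .verb == "update") |
  "\(.requestReceivedTimestamp) | User: \(.user.username) | Namespace: \(.objectRef.namespace) | HPA: \(.objectRef.name)"')
echo "$line"
```

Running this prints one pipe-delimited line per matching event, which is the same shape the forensics script emits when fed real API server audit logs.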
Part 6: Security Best Practices Checklist
Pre-Production Checklist
# security-checklist.yaml
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: autoscaling-security-checklist
  namespace: compliance
data:
  checklist.md: |
    # Autoscaling Security Checklist

    ## RBAC
    - [ ] Principle of least privilege applied
    - [ ] ServiceAccounts for applications have minimal permissions
    - [ ] CI/CD pipelines use dedicated ServiceAccounts
    - [ ] Regular RBAC audits scheduled

    ## Policy Enforcement
    - [ ] Gatekeeper installed and configured
    - [ ] HPA replica limits enforced
    - [ ] VPA resource boundaries enforced
    - [ ] Namespace quotas configured
    - [ ] PodDisruptionBudgets required

    ## Multi-Tenancy
    - [ ] Namespace isolation configured
    - [ ] Network policies implemented
    - [ ] Node isolation (if required)
    - [ ] Resource quotas per tenant

    ## Compliance
    - [ ] Audit logging enabled
    - [ ] Audit logs shipped to external system
    - [ ] Retention policy configured (7 years for SOX)
    - [ ] Compliance-specific policies enforced (PCI/HIPAA/SOC2)
    - [ ] Regular compliance audits scheduled

    ## Monitoring
    - [ ] Autoscaling metrics collected
    - [ ] Alerts configured for unauthorized changes
    - [ ] Dashboard for compliance team
    - [ ] Incident response runbook documented

    ## Cost Control
    - [ ] Budget alerts configured
    - [ ] Cost attribution labels required
    - [ ] FinOps dashboard deployed
    - [ ] Regular cost reviews scheduled

    ## Disaster Recovery
    - [ ] Autoscaling configs backed up
    - [ ] Restore procedure tested
    - [ ] Failover tested
    - [ ] RTO/RPO documented
Security Scanning
# Kubernetes manifest scanning with Kubesec
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: autoscaling-security-scan
  namespace: compliance
spec:
  schedule: "0 2 * * *"  # Daily at 2 AM
  jobTemplate:
    spec:
      template:
        spec:
          serviceAccountName: security-scanner
          containers:
            - name: scanner
              image: kubesec/kubesec:latest
              command:
                - /bin/sh
                - -c
                - |
                  echo "Scanning autoscaling configurations..."

                  # Get all HPA configs
                  kubectl get hpa -A -o yaml | kubesec scan -

                  # Get all VPA configs
                  kubectl get vpa -A -o yaml | kubesec scan -

                  # Get all Karpenter NodePools
                  kubectl get nodepools -o yaml | kubesec scan -

                  # Check for common misconfigurations
                  echo ""
                  echo "=== Common Misconfigurations ==="

                  # HPA without resource requests
                  kubectl get hpa -A -o json | jq -r '
                    .items[] |
                    select(.spec.metrics[]? | select(.resource.name == "cpu")) |
                    "\(.metadata.namespace)/\(.metadata.name): Check if target has CPU requests"
                  '

                  # VPA in Auto mode without PDB
                  kubectl get vpa -A -o json | jq -r '
                    .items[] |
                    select(.spec.updatePolicy.updateMode == "Auto") |
                    "\(.metadata.namespace)/\(.metadata.name): VPA Auto mode - ensure PDB exists"
                  '

                  echo ""
                  echo "Scan complete. Check logs for issues."
          restartPolicy: OnFailure
Part 7: Incident Response
Autoscaling Security Incident Runbook
apiVersion: v1
kind: ConfigMap
metadata:
  name: incident-response-runbook
  namespace: compliance
data:
  autoscaling-incident.md: |
    # Autoscaling Security Incident Response

    ## Scenario 1: Unauthorized Scaling Detected

    ### Detection
    - Alert: "UnauthorizedAutoscalingChange"
    - Source: Prometheus alert or audit log

    ### Immediate Actions
    1. **Identify the change**
       ```bash
       kubectl get events -A | grep HorizontalPodAutoscaler
       kubectl logs -n kube-system -l component=kube-apiserver | grep horizontalpodautoscalers
       ```

    2. **Identify the user**
       ```bash
       # From audit logs
       kubectl logs -n kube-system -l component=kube-apiserver | \
         jq -r 'select(.objectRef.resource == "horizontalpodautoscalers" and .verb == "update") |
           "\(.user.username) at \(.requestReceivedTimestamp)"'
       ```

    3. **Assess impact**
       - Check current replica count
       - Check cost impact
       - Check service availability

    4. **Contain the incident**
       ```bash
       # Revert HPA to safe state
       kubectl patch hpa <name> -n <namespace> -p '{"spec":{"maxReplicas":10}}'

       # Temporarily disable user access
       kubectl delete rolebinding <user-binding> -n <namespace>
       ```

    5. **Notify stakeholders**
       - Security team
       - Engineering team lead
       - Compliance officer (if applicable)

    ### Investigation
    1. Review audit logs for full timeline
    2. Check if credentials were compromised
    3. Identify any other affected resources
    4. Determine if malicious or accidental

    ### Remediation
    1. Restore proper HPA configuration
    2. Implement additional controls
    3. Update RBAC if needed
    4. Rotate credentials if compromised

    ### Post-Incident
    1. Document findings
    2. Update runbook
    3. Conduct post-mortem
    4. Implement preventive measures

    ---

    ## Scenario 2: Resource Exhaustion Attack

    ### Detection
    - Alert: "ClusterCPUPressure"
    - Symptoms: Pods pending, slow scaling

    ### Immediate Actions
    1. **Check cluster capacity**
       ```bash
       kubectl top nodes
       kubectl get pods -A | grep Pending | wc -l
       ```

    2. **Identify runaway autoscaler**
       ```bash
       kubectl get hpa -A --sort-by=.status.currentReplicas
       ```

    3. **Emergency scale-down**
       ```bash
       kubectl patch hpa <name> -n <namespace> -p '{"spec":{"maxReplicas":5}}'
       ```

    4. **Add nodes if needed**
       ```bash
       # AWS
       aws autoscaling set-desired-capacity \
         --auto-scaling-group-name <asg> \
         --desired-capacity <N>
       ```

    ### Recovery
    1. Analyze what triggered excessive scaling
    2. Review HPA configuration
    3. Implement rate limits
    4. Update monitoring

    ---

    ## Scenario 3: Compliance Violation

    ### Detection
    - Alert: "PCI workload scaled to non-compliant zone"
    - Source: Policy violation

    ### Immediate Actions
    1. **Identify affected workloads**
       ```bash
       kubectl get pods -n pci-workloads -o wide
       ```

    2. **Check node compliance status**
       ```bash
       kubectl get nodes -l compliance-zone!=certified
       ```

    3. **Drain non-compliant nodes**
       ```bash
       kubectl drain <node> --ignore-daemonsets --delete-emptydir-data
       ```

    4. **Force reschedule to compliant nodes**
       ```bash
       kubectl delete pods -n pci-workloads --field-selector spec.nodeName=<non-compliant-node>
       ```

    ### Reporting
    1. Document violation for audit
    2. Report to compliance officer
    3. Update compliance report
    4. Implement additional safeguards
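The alerts the runbooks above react to can be sketched as a PrometheusRule, assuming the Prometheus Operator and kube-state-metrics are installed. Note that watching `kube_horizontalpodautoscaler_spec_max_replicas` for changes is only a coarse proxy for "unauthorized": it fires on any change, and the audit-log queries remain the source of truth for who made it. The alert names match the runbook; thresholds are illustrative.

```yaml
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: autoscaling-security
  namespace: monitoring
spec:
  groups:
    - name: autoscaling-security
      rules:
        # Fires on any maxReplicas change; correlate with audit logs to
        # determine whether the change was authorized.
        - alert: UnauthorizedAutoscalingChange
          expr: changes(kube_horizontalpodautoscaler_spec_max_replicas[15m]) > 0
          labels:
            severity: warning
          annotations:
            summary: "HPA {{ $labels.namespace }}/{{ $labels.horizontalpodautoscaler }} maxReplicas changed"
        # Catches HPAs that could scale past a cost-safe ceiling.
        - alert: ExcessiveHPAMaxReplicas
          expr: kube_horizontalpodautoscaler_spec_max_replicas > 100
          labels:
            severity: critical
          annotations:
            summary: "HPA {{ $labels.namespace }}/{{ $labels.horizontalpodautoscaler }} allows more than 100 replicas"
```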
Key Takeaways
Security Principles
- Principle of Least Privilege: Users and applications get minimum required permissions
- Defense in Depth: Multiple layers of security controls
- Zero Trust: Verify everything, trust nothing
- Audit Everything: Comprehensive logging for forensics
- Automate Compliance: Policy-as-code with Gatekeeper
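The "automate compliance" principle looks like this in practice: a Gatekeeper ConstraintTemplate plus a constraint that rejects any HPA whose `maxReplicas` exceeds a cap. This is a minimal sketch; the names `K8sHPAMaxReplicas` and `hpa-replica-cap` and the cap of 50 are illustrative.

```yaml
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8shpamaxreplicas
spec:
  crd:
    spec:
      names:
        kind: K8sHPAMaxReplicas
      validation:
        openAPIV3Schema:
          type: object
          properties:
            maxReplicas:
              type: integer
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8shpamaxreplicas

        violation[{"msg": msg}] {
          provided := input.review.object.spec.maxReplicas
          limit := input.parameters.maxReplicas
          provided > limit
          msg := sprintf("maxReplicas %v exceeds the allowed cap of %v", [provided, limit])
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHPAMaxReplicas
metadata:
  name: hpa-replica-cap
spec:
  match:
    kinds:
      - apiGroups: ["autoscaling"]
        kinds: ["HorizontalPodAutoscaler"]
  parameters:
    maxReplicas: 50
```

With this in place, the "malicious HPA with maxReplicas: 10000" threat from the attack surface diagram is rejected at admission time rather than discovered on the cloud bill.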
Compliance Requirements
| Framework | Key Requirements | Implementation |
|---|---|---|
| PCI-DSS | High availability, audit logging, access control | Min 2 replicas, comprehensive auditing, strict RBAC |
| HIPAA | Encryption, data residency, audit trails | Encrypted volumes, zone constraints, audit shipping |
| SOC 2 | Change management, monitoring, access reviews | GitOps, alerts, quarterly RBAC audits |
| GDPR | Data locality, right to deletion | Region constraints, PV cleanup automation |
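As a concrete example of the PCI-DSS row, an HPA for a payment service would pin `minReplicas` at 2 so autoscaling can never leave the workload a single point of failure, and carry cost-attribution labels for the SOC 2 / FinOps controls. All names here are illustrative, not a real workload:

```yaml
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: payment-api
  namespace: pci-workloads
  labels:
    compliance: pci-dss
    cost-center: payments       # cost attribution label
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: payment-api
  minReplicas: 2                # PCI-DSS high-availability floor
  maxReplicas: 20
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 70
```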
Best Practices
✅ RBAC: Implement least privilege for all users and ServiceAccounts
✅ Policies: Enforce limits with Gatekeeper/OPA
✅ Multi-Tenancy: Isolate tenants with namespaces, network policies, and node pools
✅ Audit: Ship logs to external system with 7-year retention
✅ Compliance: Implement framework-specific controls
✅ Monitoring: Alert on unauthorized changes and violations
✅ Testing: Regular security audits and penetration testing
Related Topics
Autoscaling Series (Complete)
- Part 1: HPA Fundamentals
- Part 2: Cluster Autoscaling
- Part 3: Hands-On Demo
- Part 4: Monitoring & Alerting
- Part 5: VPA & Resource Optimization
- Part 6: Advanced Patterns
- Part 7: Troubleshooting & War Stories
Conclusion
Security and governance are not afterthoughts—they’re foundational to production Kubernetes autoscaling. This guide established:
- RBAC Framework: Hierarchical access control for all stakeholders
- Policy Enforcement: Automated guardrails with Gatekeeper/OPA
- Multi-Tenancy: Secure isolation patterns for shared clusters
- Compliance: PCI-DSS, HIPAA, SOC 2, and GDPR requirements
- Audit: Comprehensive logging and forensics capabilities
- Incident Response: Runbooks for security incidents
Implementation Roadmap
Week 1: Foundation
- Implement RBAC roles and bindings
- Deploy Gatekeeper
- Configure basic policies
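A reasonable Week 1 starting point for RBAC is read-only HPA access for developers, with modifications flowing through GitOps instead of kubectl. This is a sketch; the namespace, group name, and role names are placeholders for your own environment:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: hpa-viewer
  namespace: production
rules:
  - apiGroups: ["autoscaling"]
    resources: ["horizontalpodautoscalers"]
    verbs: ["get", "list", "watch"]   # view only; no update/patch/delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: developers-hpa-viewer
  namespace: production
subjects:
  - kind: Group
    name: developers
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: hpa-viewer
  apiGroup: rbac.authorization.k8s.io
```

Granting write access only to the CI/CD ServiceAccount makes the audit trail unambiguous: any HPA update attributed to a human username is, by definition, out of process.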
Week 2: Policies
- Enforce HPA/VPA limits
- Implement namespace quotas
- Configure network policies
Week 3: Audit & Compliance
- Enable comprehensive audit logging
- Configure log shipping
- Implement framework-specific controls
Week 4: Testing & Hardening
- Security scanning
- Penetration testing
- Incident response drills
The Complete Journey
You’ve now completed the 8-part Kubernetes Autoscaling Complete Guide:
- ✅ Theory: HPA fundamentals and approaches
- ✅ Infrastructure: Cluster autoscaling strategies
- ✅ Practice: Hands-on implementation
- ✅ Observability: Monitoring and alerting
- ✅ Optimization: VPA and cost reduction
- ✅ Advanced: Complex patterns and architectures
- ✅ Operations: Troubleshooting production issues
- ✅ Governance: Security and compliance
From basic HPA to enterprise-grade security, you now have the complete toolkit for production Kubernetes autoscaling.
Stay secure! 🔒🛡️
This concludes the Kubernetes Autoscaling Complete Guide series. Thank you for reading!